Netgate Discussion Forum

    Connection errors when AD domain controller is off

    Category: OpenVPN
    jazzl0ver

      Hello.

      I've faced a very strange issue and need help.

      I have two Active Directory domain controllers, DC1 and DC2 (Windows 2008 R2), in the domain. I set up OpenVPN in pfSense to authenticate users against those DCs. Everything worked like a charm until I turned one DC off. Users' OpenVPN sessions got disconnected, and when they tried to reconnect they got "TLS Error". Here is the log:

      May 21 17:49:13 gw-2 openvpn[51123]: Re-using SSL/TLS context
      May 21 17:49:13 gw-2 openvpn[51123]: LZO compression initialized
      May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
      May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link local: [undef]
      May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:63857
      May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
      May 21 17:50:29 gw-2 openvpn: : Now Searching for vlad in directory.
      May 21 17:50:29 gw-2 openvpn: : Now Searching in server DC2, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
      May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
      May 21 17:50:29 gw-2 openvpn: user vlad authenticated
      May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS handshake failed
      May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.70:63857 Fatal TLS error (check_tls_errors_co), restarting

      Right after I turned DC1 back on, users were able to connect:

      May 21 18:59:26 gw-2 openvpn[52032]: Re-using SSL/TLS context
      May 21 18:59:26 gw-2 openvpn[52032]: LZO compression initialized
      May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
      May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link local: [undef]
      May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:51513
      May 21 18:59:27 gw-2 openvpn: : Now Searching for vlad in directory.
      May 21 18:59:27 gw-2 openvpn: : Now Searching in server DC1, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
      May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
      May 21 18:59:27 gw-2 openvpn: user vlad authenticated
      May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
      May 21 18:59:27 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 MULTI_sva: pool returned IPv4=192.168.210.10, IPv6=54da:bfbf:cc:4ddd:78d7:bfbf:391:608
      May 21 18:59:29 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 send_push_reply(): safe_cap=960

      OpenVPN server config:

      # cat /var/etc/openvpn/server1.conf
      dev ovpns1
      dev-type tun
      dev-node /dev/tun1
      writepid /var/run/openvpn_server1.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto tcp-server
      cipher BF-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local yy.yy.225.172
      tls-server
      server 192.168.210.0 255.255.255.192
      client-config-dir /var/etc/openvpn-csc
      username-as-common-name
      auth-user-pass-verify /var/etc/openvpn/server1.php via-env
      tls-verify /var/etc/openvpn/server1.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server1.sock unix
      push "route 172.26.0.0 255.255.0.0"
      push "dhcp-option DOMAIN myorg.biz"
      push "dhcp-option DNS 172.26.1.2"
      push "dhcp-option DNS 172.26.1.20"
      push "dhcp-option NTP 172.26.1.1"
      client-to-client
      ca /var/etc/openvpn/server1.ca
      cert /var/etc/openvpn/server1.cert
      key /var/etc/openvpn/server1.key
      dh /etc/dh-parameters.1024
      crl-verify /var/etc/openvpn/server1.crl-verify
      tls-auth /var/etc/openvpn/server1.tls-auth 0
      comp-lzo
      passtos
      persist-remote-ip
      float
      push "route 172.27.0.0 255.255.0.0"

      Any help is appreciated!

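An added diagnostic for the timing visible in the two log excerpts above (this is editor-supplied example code, not from the post or from pfSense). It correlates each "TCP connection established" line with the pfSense LDAP messages that follow it and computes how long authentication took relative to the TLS negotiation window OpenVPN reported (60 seconds in the first excerpt; the `hand-window` option controls that window in OpenVPN). The sample log is a trimmed copy of the post's own lines. One assumption is built in: the pfSense auth lines carry no client address, so they are attributed to the most recent connection attempt, which is correct for a single-client log like this one but not for a busy server.

```python
"""Correlate OpenVPN connection attempts with pfSense LDAP auth messages and
flag attempts whose authentication finished after the TLS negotiation window.
Editor-supplied example, not part of the original post."""
import re
from datetime import datetime

# Constructed sample: the post's two excerpts, trimmed to the lines this
# analysis uses (addresses redacted exactly as in the post).
SAMPLE_LOG = """\
May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 17:50:29 gw-2 openvpn: user vlad authenticated
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 18:59:27 gw-2 openvpn: user vlad authenticated
May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
"""

# syslog prefix: "Mon DD HH:MM:SS host openvpn[pid]: msg" or "... openvpn: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn(?:\[\d+\])?: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"TCP connection established with \[AF_INET\](?P<peer>\S+)")
BIND_FAIL_RE = re.compile(r"Could not bind to server (?P<dc>\S+)\.")
LOGIN_RE = re.compile(r"Logged in successfully as (?P<user>\S+) via LDAP server (?P<dc>\S+)")
AUTH_OK_RE = re.compile(r"user (?P<user>\S+) authenticated")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (?P<secs>\d+) seconds")
PEER_OK_RE = re.compile(r"\[(?P<user>[^\]]+)\] Peer Connection Initiated")


def parse_ts(text):
    # syslog timestamps carry no year; only differences are used, so the
    # default year strptime fills in is fine (as long as the log does not
    # cross a year boundary).
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze(log_text, hand_window=60):
    """Return one dict per connection attempt with its auth latency and verdict.

    hand_window is the fallback TLS window (OpenVPN's default of 60 s) used
    when the log itself does not report the timeout value."""
    attempts = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        c = CONNECT_RE.search(msg)
        if c:
            current = {"peer": c["peer"], "connected_at": ts, "failed_dcs": [],
                       "auth_dc": None, "user": None, "authenticated_at": None,
                       "tls_timeout_s": None, "tunnel_up": False}
            attempts.append(current)
            continue
        if current is None:
            continue
        # Assumption: auth lines carry no peer address, so they belong to the
        # most recent connection attempt (valid for a single-client log).
        b = BIND_FAIL_RE.search(msg)
        l = LOGIN_RE.search(msg)
        a = AUTH_OK_RE.search(msg)
        t = TLS_TIMEOUT_RE.search(msg)
        if b:
            current["failed_dcs"].append(b["dc"])
        elif l:
            current["auth_dc"], current["user"] = l["dc"], l["user"]
        elif a:
            current["authenticated_at"] = ts
        elif t:
            current["tls_timeout_s"] = int(t["secs"])
        elif PEER_OK_RE.search(msg):
            current["tunnel_up"] = True
    for att in attempts:
        if att["authenticated_at"] is not None:
            att["auth_latency_s"] = (att["authenticated_at"] - att["connected_at"]).total_seconds()
        else:
            att["auth_latency_s"] = None
        window = att["tls_timeout_s"] or hand_window
        # The verdict: authentication that completes after the TLS window has
        # already expired cannot rescue the handshake, however it ended.
        att["auth_too_slow"] = att["auth_latency_s"] is not None and att["auth_latency_s"] > window
    return attempts


def report(attempts):
    """Human-readable one-liner per attempt."""
    lines = []
    for att in attempts:
        lines.append(
            f"{att['peer']}: auth {att['auth_latency_s']}s via {att['auth_dc']} "
            f"(failed binds: {att['failed_dcs'] or 'none'}), "
            f"{'TOO SLOW for TLS window' if att['auth_too_slow'] else 'within window'}, "
            f"tunnel up: {att['tunnel_up']}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against the post's own lines, the first attempt shows a 76-second gap between the TCP connection and "user vlad authenticated", spent almost entirely on the failed bind to the powered-off DC1, against a 60-second TLS window; the second attempt, with DC1 back, authenticates in one second. The figures to compare on a real deployment are the LDAP bind/connect timeout in the pfSense authentication server settings and OpenVPN's `hand-window`: the sum of the worst-case bind timeouts across the configured servers has to fit inside the window, or the fallback server can never answer in time.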