Connection errors when AD domain controller is off
Hello.
I've faced a very strange issue and need help.
I have two Active Directory domain controllers, DC1 and DC2 (Windows 2008R2), in the domain. I tuned OpenVPN in pfSense to authenticate users against those DCs. Everything worked like a charm until I turned one DC off. Users' OpenVPN sessions got disconnected, and when they tried to get their connections back, they got "TLS Error". Here is the log:
May 21 17:49:13 gw-2 openvpn[51123]: Re-using SSL/TLS context
May 21 17:49:13 gw-2 openvpn[51123]: LZO compression initialized
May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link local: [undef]
May 21 17:49:13 gw-2 openvpn[51123]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:63857
May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
May 21 17:50:29 gw-2 openvpn: : Now Searching for vlad in directory.
May 21 17:50:29 gw-2 openvpn: : Now Searching in server DC2, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 17:50:29 gw-2 openvpn: user vlad authenticated
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS handshake failed
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.70:63857 Fatal TLS error (check_tls_errors_co), restarting
Right after I turned DC1 back on, users were able to connect:
May 21 18:59:26 gw-2 openvpn[52032]: Re-using SSL/TLS context
May 21 18:59:26 gw-2 openvpn[52032]: LZO compression initialized
May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link local: [undef]
May 21 18:59:26 gw-2 openvpn[52032]: TCPv4_SERVER link remote: [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn: : Now Searching for vlad in directory.
May 21 18:59:27 gw-2 openvpn: : Now Searching in server DC1, container CN=Users,DC=myorg,DC=biz with filter (samaccountname=vlad).
May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 18:59:27 gw-2 openvpn: user vlad authenticated
May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 MULTI_sva: pool returned IPv4=192.168.210.10, IPv6=54da:bfbf:cc:4ddd:78d7:bfbf:391:608
May 21 18:59:29 gw-2 openvpn[52032]: vlad/xx.xx.65.70:51513 send_push_reply(): safe_cap=960
OpenVPN server config:
# cat /var/etc/openvpn/server1.conf
dev ovpns1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp-server
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local yy.yy.225.172
tls-server
server 192.168.210.0 255.255.255.192
client-config-dir /var/etc/openvpn-csc
username-as-common-name
auth-user-pass-verify /var/etc/openvpn/server1.php via-env
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 172.26.0.0 255.255.0.0"
push "dhcp-option DOMAIN myorg.biz"
push "dhcp-option DNS 172.26.1.2"
push "dhcp-option DNS 172.26.1.20"
push "dhcp-option NTP 172.26.1.1"
client-to-client
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
crl-verify /var/etc/openvpn/server1.crl-verify
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo
passtos
persist-remote-ip
float
push "route 172.27.0.0 255.255.0.0"
Any help is appreciated!
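Added here as an illustration, not part of the original post or of pfSense's own code: a small Python script that correlates the log lines quoted above. For each "TCP connection established" event it records the LDAP bind failures and the "Logged in successfully" line that follow, measures how long the authentication took, and flags attempts that ran longer than OpenVPN's TLS handshake window (the 60 seconds named in the error message, which is the default of the `--hand-window` option). On the sample lines it shows 76 seconds with a failed bind to DC1 for the failing attempt versus 1 second for the working one. The sample log is a trimmed copy of the lines in the post; the pairing of auth-script lines with a connection is by order of appearance, since those lines carry no PID, and the year supplied to the timestamp parser is an arbitrary constant because syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the log lines quoted in the post above.
SAMPLE_LOG = """\
May 21 17:49:13 gw-2 openvpn[51123]: TCP connection established with [AF_INET]xx.xx.65.70:63857
May 21 17:50:29 gw-2 openvpn: : ERROR! Could not bind to server DC1.
May 21 17:50:29 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC2 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 17:50:29 gw-2 openvpn: user vlad authenticated
May 21 17:50:29 gw-2 openvpn[51123]: xx.xx.65.70:63857 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 21 18:59:26 gw-2 openvpn[52032]: TCP connection established with [AF_INET]xx.xx.65.70:51513
May 21 18:59:27 gw-2 openvpn: : Logged in successfully as vlad via LDAP server DC1 with DN = CN=Vlad,CN=Users,DC=myorg,DC=biz.
May 21 18:59:27 gw-2 openvpn: user vlad authenticated
May 21 18:59:27 gw-2 openvpn[52032]: xx.xx.65.70:51513 [vlad] Peer Connection Initiated with [AF_INET]xx.xx.65.70:51513
"""

# OpenVPN's default --hand-window, the "60 seconds" quoted in the TLS error.
HAND_WINDOW_SECONDS = 60

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
CONN_RE = re.compile(r"TCP connection established with \[AF_INET\](\S+)")
BIND_FAIL_RE = re.compile(r"Could not bind to server ([^\s.]+)")
AUTH_RE = re.compile(r"Logged in successfully as (\S+) via LDAP server (\S+)")


def parse_ts(line, year=2000):
    """Parse the syslog timestamp; syslog carries no year, so one is assumed."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"no syslog timestamp in line: {line!r}")
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def analyze(log_text, hand_window=HAND_WINDOW_SECONDS):
    """Correlate each TCP connection with the LDAP auth result that follows it.

    The auth-user-pass-verify script logs without the openvpn PID, so events
    are paired by order of appearance. That is exact for one client at a
    time (as in the post) and only a heuristic under concurrent logins.
    Returns one dict per connection attempt.
    """
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            current = {
                "peer": m.group(1),
                "started": parse_ts(line),
                "bind_failures": [],      # LDAP servers that could not be bound
                "user": None,
                "auth_server": None,      # LDAP server that finally answered
                "elapsed_seconds": None,  # connection -> successful LDAP login
                "exceeds_hand_window": False,
            }
            attempts.append(current)
            continue
        if current is None:
            continue  # auth-script noise before any connection was seen
        m = BIND_FAIL_RE.search(line)
        if m:
            current["bind_failures"].append(m.group(1))
            continue
        m = AUTH_RE.search(line)
        if m:
            current["user"], current["auth_server"] = m.group(1), m.group(2)
            elapsed = (parse_ts(line) - current["started"]).total_seconds()
            current["elapsed_seconds"] = int(elapsed)
            # Auth that outlives the handshake window cannot complete the TLS
            # negotiation, whatever the LDAP result was.
            current["exceeds_hand_window"] = elapsed > hand_window
    return attempts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        verdict = "EXCEEDS hand-window" if a["exceeds_hand_window"] else "ok"
        print(f'{a["peer"]}: user={a["user"]} via={a["auth_server"]} '
              f'bind_failures={a["bind_failures"]} '
              f'elapsed={a["elapsed_seconds"]}s {verdict}')
```

Run as a script it prints one line per attempt; the first attempt shows a failed bind to DC1 and 76 seconds from connection to LDAP success, the second shows 1 second with no bind failure. The same timestamps in the post also show the TLS error logged at the very moment the auth script finished, which is what to look for when judging whether a slow or unreachable LDAP server is what is pushing the handshake past its window.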