openvpn MBUF: mbuf packet dropped

yasmine.chtourou
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 14, 2017 11:04 am

openvpn MBUF: mbuf packet dropped

Post by yasmine.chtourou » Thu Jun 15, 2017 1:11 pm

I have an issue with my VPN server and am still digging for a solution. In the VPN log I'm getting:

openvpn[25902]: user.name/x.x.x.x:yyyy MBUF: mbuf packet dropped
This is causing timeouts when accessing other servers through the VPN and also reconnection in some use-cases.

This is the server configuration file:
[oconf=server]
# Certs
ca /etc/openvpn/easyrsa/pki/ca.crt
cert /etc/openvpn/easyrsa/pki/issued/vpn-us-east.crt
key /etc/openvpn/easyrsa/pki/private/vpn-us-east.key
dh /etc/openvpn/easyrsa/pki/dh.pem
crl-verify /etc/openvpn/easyrsa/pki/crl.pem

# Network configuration
## "dev tun" will create a routed IP tunnel
dev tun
port 1194
proto tcp
server 10.0.2.0 255.255.255.0
## Maintain a record of client <-> virtual IP address
## associations in this file. If OpenVPN goes down or
## is restarted, reconnecting clients can be assigned
## the same virtual IP address from the pool that was
## previously assigned.
ifconfig-pool-persist ipp.txt

# Connection configuration

# # The keepalive directive causes ping-like
# # messages to be sent back and forth over
# # the link so that each side knows when
# # the other side has gone down.
# # Ping every 10 seconds, assume that remote
# # peer is down if no ping received during
# # a 120 second time period.
keepalive 10 120
comp-lzo
persist-key
persist-tun

# Logging
status openvpn-status.log
verb 4
mute 5

#Security Config
###Use AES-256-CBC (Cipher Block Chaining) for data encryption
cipher AES-256-CBC
##Use SHA512 to authenticate encrypted data
auth SHA512
###Use at least the version 1.2 of TLS (which is the only truly secure version atm)
#Maximum number of output packets queued before TCP (default=64)
tcp-queue-limit 256

#Ldap auth
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf
client-cert-not-required
username-as-common-name

# Push configuration
push "dhcp-option DOMAIN domain.com";
push "dhcp-option DNS 8.8.8.8";
push other routes
[/oconf]
I tried to google the issue but didn't find any useful information. Can someone please help?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn MBUF: mbuf packet dropped

Post by TinCanTech » Thu Jun 15, 2017 5:22 pm

Please post client config and decent logs.

This may help you get an idea ..
HOWTO: Request Help ! {2}

yasmine.chtourou
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 14, 2017 11:04 am

Re: openvpn MBUF: mbuf packet dropped

Post by yasmine.chtourou » Fri Jun 16, 2017 9:49 am

Thank you for your reply.
More details about the issue :

- This is the client configuration file:
[oconf=client configuration file]
client
remote server..com
ca /home/user.user/escesc/ca.crt
auth-user-pass
cipher AES-256-CBC
comp-lzo yes
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nogroup
[/oconf]
- This is the Log from the client ( server and client IPs are removed )

[oconf=Log from the client ]Jun 13 8:48:51 AM: State changed to Connecting
Jun 13 8:48:51 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 8:48:51 AM: Running on Microsoft Windows 7 Professional 
Jun 13 8:48:51 AM: Bringing up interface...
Jun 13 8:48:52 AM: Checking reachability status of connection...
Jun 13 8:48:52 AM: Connection is reachable. Starting connection attempt.
Jun 13 8:48:52 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 8:48:52 AM: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Jun 13 8:49:06 AM: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:49:07 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 8:49:07 AM: TCPv4_CLIENT link local: [undef]
Jun 13 8:49:07 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 8:49:07 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 13 8:49:07 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 8:49:10 AM: AUTH: Received control message: AUTH_FAILED
Jun 13 8:49:13 AM: SIGUSR1[soft,auth-failure] received, process restarting
Jun 13 8:49:13 AM: State changed to Connecting
Jun 13 8:49:30 AM: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:49:30 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 8:49:31 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 8:49:31 AM: TCPv4_CLIENT link local: [undef]
Jun 13 8:49:31 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 8:49:32 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 8:49:34 AM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 13 8:49:34 AM: open_tun, tt->ipv6=0
Jun 13 8:49:34 AM: TAP-WIN32 device [FFFFF] opened: \\.\Global\{0E8D2151-3C91-4344-BB5A-2EBC326C8720}.tap
Jun 13 8:49:34 AM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.2.238/255.255.255.252 on interface {0E8D2151-3C91-4344-BB5A-2EBC326C8720} [DHCP-serv: 10.0.2.237, lease-time: 31536000]
Jun 13 8:49:34 AM: Successful ARP Flush on interface [28] {0E8D2151-3C91-4344-BB5A-2EBC326C8720}
Jun 13 8:49:39 AM: Initialization Sequence Completed
Jun 13 8:49:39 AM: DNS set to Split, report follows:
Server - 8.8.8.8:53; Lookup Type - Split; Domains - domain.com.
Server - 192.168.1.1:53; Lookup Type - Any; Domains - None

Jun 13 8:49:39 AM: State changed to Connected
Jun 13 8:54:44 AM: Connection reset, restarting [0]
Jun 13 8:54:44 AM: SIGUSR1[soft,connection-reset] received, process restarting
Jun 13 8:54:44 AM: State changed to Connecting
Jun 13 8:54:44 AM: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jun 13 8:54:44 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 8:54:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:55:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:56:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:57:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:58:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 8:59:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:00:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:09 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:24 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:39 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:01:54 AM: TCP: connect to [AF_INET]X.X.X.X:1194 failed, will try again in 5 seconds: Connection timed out (WSAETIMEDOUT)
Jun 13 9:02:03 AM: State changed to Disconnecting
Jun 13 9:02:11 AM: State changed to Disconnected
Jun 13 9:02:39 AM: State changed to Connecting
Jun 13 9:02:39 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 9:02:39 AM: Running on Microsoft Windows 7 Professional 
Jun 13 9:02:39 AM: Bringing up interface...
Jun 13 9:02:40 AM: Checking reachability status of connection...
Jun 13 9:02:40 AM: Connection is reachable. Starting connection attempt.
Jun 13 9:02:40 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 9:02:40 AM: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Jun 13 9:03:19 AM: State changed to Disconnecting
Jun 13 9:03:25 AM: State changed to Disconnected
Jun 13 9:06:15 AM: State changed to Connecting
Jun 13 9:06:15 AM: Viscosity Windows 1.6.8 (1477)
Jun 13 9:06:15 AM: Running on Microsoft Windows 7 Professional 
Jun 13 9:06:15 AM: Bringing up interface...
Jun 13 9:06:15 AM: Checking reachability status of connection...
Jun 13 9:06:15 AM: Connection is reachable. Starting connection attempt.
Jun 13 9:06:15 AM: OpenVPN 2.3.14 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 16 2017
Jun 13 9:06:15 AM: library versions: OpenSSL 1.0.2j  26 Sep 2016, LZO 2.09
Jun 13 9:06:24 AM: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jun 13 9:06:24 AM: Attempting to establish TCP connection with [AF_INET]X.X.X.X:1194 [nonblock]
Jun 13 9:06:25 AM: TCP connection established with [AF_INET]X.X.X.X:1194
Jun 13 9:06:25 AM: TCPv4_CLIENT link local: [undef]
Jun 13 9:06:25 AM: TCPv4_CLIENT link remote: [AF_INET]X.X.X.X:1194
Jun 13 9:06:25 AM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jun 13 9:06:26 AM: [vpn-us-east] Peer Connection Initiated with [AF_INET]X.X.X.X:1194
Jun 13 9:06:28 AM: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 13 9:06:28 AM: open_tun, tt->ipv6=0
Jun 13 9:06:28 AM: TAP-WIN32 device [Iggg] opened: \\.\Global\{0E8D2151-3C91-4344-BB5A-2EBC326C8720}.tap
Jun 13 9:06:28 AM: Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.2.238/255.255.255.252 on interface {0E8D2151-3C91-4344-BB5A-2EBC326C8720} [DHCP-serv: 10.0.2.237, lease-time: 31536000]
Jun 13 9:06:28 AM: Successful ARP Flush on interface [28] {0E8D2151-3C91-4344-BB5A-2EBC326C8720}
Jun 13 9:06:33 AM: Initialization Sequence Completed
Jun 13 9:06:34 AM: DNS set to Split, report follows:
Server - 8.8.8.8:53; Lookup Type - Split; Domains - domain.com.

Jun 13 9:06:34 AM: State changed to Connected[/oconf]

- This is the log from server :

[oconf=Server Log]Jun 14 12:31:09 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 14 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:31:09 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 PUSH: Received control message: 'PUSH_REQUEST'
Jun 14 12:31:09 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 send_push_reply(): safe_cap=940
Jun 14 12:31:09 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 SENT CONTROL [user1.user1]: 'PUSH_REPLY,dhcp-option DOMAIN domain.com,dhcp-option DNS 8.8.8.8,route 1xxxx,push-continuation 1' (status=1)
Jun 14 12:31:10 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:31:10 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:31:12 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 MULTI: bad source address from client [XX.XX.9.234], packet dropped
Jun 14 12:31:12 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 MULTI: bad source address from client [XX.XX.9.234], packet dropped
Jun 14 12:31:12 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 MULTI: bad source address from client [XX.XX.9.234], packet dropped
Jun 14 12:31:12 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 NOTE: --mute triggered...
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 153 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 TLS: soft reset sec=0 bytes=118774185/0 pkts=244736/0
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 TLS: Username/Password authentication succeeded for username 'user3.user3' [CN SET]
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 14 12:33:04 vpn-us-east-1 openvpn[25902]: user3.user3/208.92.248.6:59102 NOTE: --mute triggered...
Jun 14 12:33:06 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 1 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:33:06 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 MULTI: bad source address from client [XX.XX.9.234], packet dropped
Jun 14 12:33:14 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:33:15 vpn-us-east-1 openvpn[25902]: user1.user1/XX.XX.194.82:51190 MULTI: bad source address from client [XX.XX.9.234], packet dropped
Jun 14 12:33:21 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:33:28 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:33:36 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 NOTE: --mute triggered...
Jun 14 12:37:37 vpn-us-east-1 openvpn[25902]: user4.user4/197.0.143.170:53702 230 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:37:37 vpn-us-east-1 openvpn[25902]: user4.user4/197.0.143.170:53702 Connection reset, restarting [0]
Jun 14 12:37:37 vpn-us-east-1 openvpn[25902]: user4.user4/197.0.143.170:53702 SIGUSR1[soft,connection-reset] received, client-instance restarting
Jun 14 12:37:37 vpn-us-east-1 openvpn[25902]: PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
Jun 14 12:37:37 vpn-us-east-1 openvpn[25902]: TCP/UDP: Closing socket
Jun 14 12:37:38 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:40 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:41 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:46 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:48 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:51 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 NOTE: --mute triggered...
Jun 14 12:40:08 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 83 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:40:08 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 [user2.user2] Inactivity timeout (--ping-restart), restarting
Jun 14 12:40:08 vpn-us-east-1 openvpn[25902]: user2.user2/XX.XX.194.82:49763 SIGUSR1[soft,ping-restart] received, client-instance restarting
Jun 14 12:40:08 vpn-us-east-1 openvpn[25902]: PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_DISCONNECT status=0
Jun 14 12:40:08 vpn-us-east-1 openvpn[25902]: TCP/UDP: Closing socket
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: MULTI: multi_create_instance called
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: Re-using SSL/TLS context
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: LZO compression initialized
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: Control Channel MTU parms [ L:1604 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: Data Channel MTU parms [ L:1604 D:1450 EF:104 EB:143 ET:0 EL:3 AF:3/1 ]
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: Local Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Jun 14 12:44:14 vpn-us-east-1 openvpn[25902]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'[/oconf]

- Server OS

[oconf=Server OS]# uname -a
Linux vpn 4.4.51-40.58.amzn1.x86_64 #1 SMP Tue Feb 28 21:57:17 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux[/oconf]

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: openvpn MBUF: mbuf packet dropped

Post by TinCanTech » Fri Jun 16, 2017 10:20 am

You should take care with --comp-lzo .. not sure how 'yes' and 'adaptive' would work over all ..

How many clients do you serve?

Can you try with --proto udp ?

yasmine.chtourou
OpenVpn Newbie
Posts: 3
Joined: Wed Jun 14, 2017 11:04 am

Re: openvpn MBUF: mbuf packet dropped

Post by yasmine.chtourou » Fri Jun 16, 2017 11:19 am

The VPN serves around 200 clients. That's why I can't change from tcp to udp since this will require changing all client configuration. When I test connectivity with another test VPN server with the same configuration for both client and server, I don't find any issue in the log.
I suspected the issue to be related to both tcp-queue-limit and bcast-buffers options. I'm not sure what exact values I should be setting and what the exact value to set is.

I tried adding a line in the server.conf

[oconf= Added line]bcast-buffers 4096[/oconf]
After adding this line the error in the log changed to the following :

[oconf=New client log]Jun 15 07:13:42 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 TLS: Initial packet from [AF_INET]XXXX.XXX.49:39933, sid=4ea08386 b92cbe2b
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 TLS: Username/Password authentication succeeded for username 'user1.user1' [CN SET]
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 NOTE: --mute triggered...
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 1 variation(s) on previous 5 message(s) suppressed by --mute
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: XXXX.XXX.49:39933 [user1.user1] Peer Connection Initiated with [AF_INET]XXXX.XXX.49:39933
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI_sva: pool returned IPv4=10.0.2.82, IPv6=(Not enabled)
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_CLIENT_CONNECT status=0
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_06af414951a661f727b950968bb4f446.tmp
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI: Learn: 10.0.2.82 -> user1.user1/XXXX.XXX.49:39933
Jun 15 07:13:43 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 MULTI: primary virtual IP for user1.user1/XXXX.XXX.49:39933: 10.0.2.82
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 PUSH: Received control message: 'PUSH_REQUEST'
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 send_push_reply(): safe_cap=940
Jun 15 07:13:45 vpn-us-east-1 openvpn[6324]: user1.user1/XXXX.XXX.49:39933 SENT CONTROL [user1.user1]: 'PUSH_REPLY,dhcp-option DOMAIN *** (status=1)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:14:35 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
Jun 15 07:23:56 vpn-us-east-1 openvpn[6324]: user1.user2/xxxxx..xx.82:28229 NOTE: --mute triggered...
Jun 15 07:24:20 vpn-us-east-1 dhclient[1336]: DHCPREQUEST on eth0 to 10.100.46.1 port 67 (xid=0x4c96258c)
Jun 15 07:24:20 vpn-us-east-1 dhclient[1336]: DHCPACK from 10.100.46.1 (xid=0x4c96258c)
Jun 15 07:24:22 vpn-us-east-1 dhclient[1336]: bound to 10.100.46.51 -- renewal in 1680 seconds.
Jun 15 07:24:22 vpn-us-east-1 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/0a:df:4d:3a:e1:1c/local-ipv4s
Jun 15 07:24:22 vpn-us-east-1 ec2net: [rewrite_aliases] Rewriting aliases of eth0[/oconf]
Still didn't figure out what's the issue :/ .
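
Added example (not part of the original thread and not OpenVPN project code): a small Python triage script for server logs like the ones posted above. It tallies, per client, the three drop messages seen in this thread and totals the lines hidden by `mute 5`; the sample log is constructed and the function and label names are hypothetical. The suppression total is kept global because in the posted log the "suppressed by --mute" line appears under a different client's prefix than the muted messages.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the server log lines posted in this thread.
SAMPLE_LOG = """\
Jun 14 12:31:10 vpn openvpn[25902]: user2.user2/XX.XX.194.82:49763 MULTI: bad source address from client [XX.XX.13.169], packet dropped
Jun 14 12:31:12 vpn openvpn[25902]: user2.user2/XX.XX.194.82:49763 NOTE: --mute triggered...
Jun 14 12:33:04 vpn openvpn[25902]: user3.user3/XX.XX.248.6:59102 153 variation(s) on previous 5 message(s) suppressed by --mute
Jun 14 12:37:38 vpn openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:40 vpn openvpn[25902]: user2.user2/XX.XX.194.82:49763 MBUF: mbuf packet dropped
Jun 14 12:37:41 vpn openvpn[25902]: TCP/UDP: Closing socket
Jun 15 07:14:35 vpn openvpn[6324]: user1.user2/XX.XX.0.82:28229 MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
"""

# Optional "<user>/<ip>:<port> " prefix in front of per-client messages.
LINE_RE = re.compile(
    r"openvpn\[\d+\]: (?:(?P<client>\S+/\S+:\d+) )?(?P<msg>.*)$"
)
MUTE_RE = re.compile(
    r"(\d+) variation\(s\) on previous \d+ message\(s\) suppressed by --mute"
)

# Drop messages that appear in this thread; the short labels are our own.
DROP_KINDS = {
    "mbuf_drop": "MBUF: mbuf packet dropped",
    "output_saturation": "packet dropped due to output saturation",
    "bad_source": "bad source address from client",
}


def summarize(log_text):
    """Return ({client: Counter(kind -> visible lines)}, suppressed_total)."""
    per_client = defaultdict(Counter)
    suppressed = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an openvpn syslog line (dhclient, ec2net, ...)
        msg = m.group("msg")
        mute = MUTE_RE.search(msg)
        if mute:
            # Lines hidden by --mute: counted once, not attributed to a client.
            suppressed += int(mute.group(1))
            continue
        for kind, needle in DROP_KINDS.items():
            if needle in msg:
                client = m.group("client") or "(no client prefix)"
                per_client[client][kind] += 1
                break
    return dict(per_client), suppressed


def ranked(per_client, kind):
    """Clients with at least one visible drop of `kind`, busiest first."""
    rows = [(c, n[kind]) for c, n in per_client.items() if n[kind]]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    clients, hidden = summarize(SAMPLE_LOG)
    for kind in DROP_KINDS:
        for client, count in ranked(clients, kind):
            print(f"{kind:18} {count:5}  {client}")
    print(f"lines suppressed by --mute (any kind, any client): {hidden}")
```

With `mute 5` in the server config the visible counts are a lower bound, so compare them against the suppressed total before concluding which client is filling the queue.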
