pfSense: Constant Reconnects for some Users

Seppic
OpenVpn Newbie
Posts: 9
Joined: Wed Mar 15, 2017 9:08 pm

pfSense: Constant Reconnects for some Users

Post by Seppic » Mon Jul 17, 2017 2:18 pm

We implemented a pfSense appliance running OpenVPN recently. Testing went very well with little to no issues. Now that it's been deployed to a wider user base I am seeing some consistent issues when there are some.

I am having a small handful of users who are experiencing constant reconnect prompts. It's a pretty big inconvenience for them since we also have DUO tied in, and them having to re-approve a notification on their phone every time it happens as well.

Other users experience this initially but after a 3rd or 4th time it "sticks" and then they don't have a problem for hours.

This (http://i.imgur.com/gB08ROB.png) seems to be a common issue. Connecting then getting an inactivity timeout within a few minutes after and prompting a reconnect.

I've seen some talk about modifying the keepalive time, but it's set to 10 60 by default. If there is no traffic going over the VPN for that period of time we have bigger problems obviously. I've been beating my head against Google and can't seem to find much. So basically any leads or tips would be super helpful, thanks!

Another thing the same user as the picture is experiencing is this:

Fri Jun 30 05:22:48 2017 MANAGEMENT: >STATE:1498814568,CONNECTED,SUCCESS,172.31.2.5,67.107.32.249,443,192.168.0.13,55475
Fri Jun 30 05:23:11 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jun 30 05:23:11 2017 Connection reset, restarting [-1]
Fri Jun 30 05:23:11 2017 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jun 30 05:23:11 2017 MANAGEMENT: >STATE:1498814591,RECONNECTING,connection-reset,,,,,

Being disconnected for a timeout after a minute of being connected.

Side note: Should we consider switching from TCP to UDP?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Constant Reconnects for some Users

Post by TinCanTech » Mon Jul 17, 2017 3:26 pm

Which version of openvpn is that ?

Please see:
HOWTO: Request Help !


Re: Constant Reconnects for some Users

Post by Seppic » Mon Jul 17, 2017 6:08 pm

TinCanTech wrote: Which version of openvpn is that ?

Please see:
HOWTO: Request Help !
It's the latest Windows Client and it's OpenVPN running on a latest updated pfSense physical device.


Re: Constant Reconnects for some Users

Post by TinCanTech » Tue Jul 18, 2017 3:10 am

Seppic wrote: Connecting then getting an inactivity timeout within a few minutes
See --inactive in The Manual v24x


Re: Constant Reconnects for some Users

Post by Seppic » Wed Jul 19, 2017 3:28 pm

The default value is 0 seconds, which disables this feature.
We haven't changed the value so that wouldn't explain it unfortunately.


Re: Constant Reconnects for some Users

Post by TinCanTech » Wed Jul 19, 2017 8:39 pm

No logs .. No configs .. No idea.


Re: Constant Reconnects for some Users

Post by Seppic » Thu Jan 04, 2018 12:52 pm

So I'm hoping to resurrect this thread in an effort to finally get an answer. I apologize, TinCanTech; I provided the log in my OP and wasn't asked to give anything else. I can provide more information, just would need to know exactly what. We're starting to entertain discussions of moving away from OpenVPN if we can't get this issue at least somewhat hammered down.


Re: Constant Reconnects for some Users

Post by TinCanTech » Thu Jan 04, 2018 2:48 pm

Seppic wrote:
Thu Jan 04, 2018 12:52 pm
I apologize, TinCanTech; I provided the log in my OP and wasn't asked to give anything else
So you did not read this:
TinCanTech wrote:
Mon Jul 17, 2017 3:26 pm
Which version of openvpn is that ?

Please see:
HOWTO: Request Help !
I can't help if you don't read my replies.

If you prefer I can give you a reading from my crystal ball ..


Re: Constant Reconnects for some Users

Post by Seppic » Thu Jan 04, 2018 7:41 pm

I replied to that question above. I guess I didn't respond with the exact version, but I thought latest would have covered it. So here is the exact answer relevant to our current setup.

The client is OpenVPN 2.4.3 and we are in the process of upgrading everyone to 2.4.4. We run almost fully Windows 10 now but still have a few peppered Windows 7 machines here and there that are being upgraded.

The server is running on a pfSense physical appliance and is version 2.3.2-RELEASE-p1. Is there a specific way to check the version of OpenVPN it's running?


Re: Constant Reconnects for some Users

Post by TinCanTech » Thu Jan 04, 2018 8:27 pm

Seppic wrote:
Thu Jan 04, 2018 7:41 pm
Is there a specific way to check the version of OpenVPN it's running?
Your logs at verb 4 as prescribed here: HOWTO: Request Help ! {2}

See --log & --verb in The Manual v24x
Seppic wrote:
Thu Jan 04, 2018 7:41 pm
I replied to that question above. I guess I didn't respond with the exact version
Or the server and client config files ... Or the server and client log files @ verb 4

Technically, you have had three strikes .. you know what that means ..


Seppic wrote:
Thu Jan 04, 2018 7:41 pm
The server is running on a pfSense physical appliance and is version 2.3.2-RELEASE-p1
Then you will probably need pfSense support.


Re: Constant Reconnects for some Users

Post by Seppic » Fri Jan 05, 2018 3:58 pm

Here are the configs for right this second. Working on logs.

Server Config
SERVER


### Paste Your Server Config File Below ###
dev ovpns2
verb 4
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 68.107.32.224
tls-server
server 172.31.5.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server2
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user 'RADIUS' false server2" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn00.bf0.arden.tech' 1"
lport 443
management /var/etc/openvpn/server2.sock unix
push "dhcp-option DOMAIN domain.com"
push "dhcp-option DNS 10.0.25.21"
push "dhcp-option DNS 172.17.5.103"
push "dhcp-option NTP 172.17.17.208"
push "dhcp-option NTP 172.17.17.205"
push "redirect-gateway def1"
ca /var/etc/openvpn/server2.ca
cert /var/etc/openvpn/server2.cert
key /var/etc/openvpn/server2.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo adaptive
persist-remote-ip
float
topology subnet
reneg-sec 43200
push "redirect-gateway autolocal block-local"
keepalive 10 120



Client Config
CLIENT


### Paste Your Client Config Below ###
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote myserver 443 udp
lport 0
auth-user-pass
ca ca.crt
tls-auth tls.key 1
ns-cert-type server
comp-lzo adaptive
auth-nocache
reneg-sec 43200
verb 4



Re: pfSense: Constant Reconnects for some Users

Post by TinCanTech » Sat Jan 06, 2018 2:15 am

Do not use --lport .. instead use (server) --port and (client) --nobind
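
As an added example (not part of the original posts), this Python sketch checks the configs posted in this thread for the two things visible on the page: the --lport usage TinCanTech advises against, and a directive given more than once with different values (the posted server config has keepalive twice). The function names, the REPEATABLE set and the trimmed config excerpts are assumptions made for the example.

```python
import shlex

# Excerpts of the configs posted in this thread: only the directives checked below.
SERVER_CONF = """\
keepalive 10 60
cipher AES-256-CBC
auth SHA1
lport 443
comp-lzo adaptive
keepalive 10 120
"""
CLIENT_CONF = """\
cipher AES-256-CBC
auth SHA1
remote myserver 443 udp
lport 0
comp-lzo adaptive
"""
REPEATABLE = {"push", "remote", "route"}  # assumption: directives normally repeated

def parse(conf):
    """Map directive name -> list of argument lists, skipping comments and blanks."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = shlex.split(line)
        out.setdefault(name, []).append(args)
    return out

def lint(server, client):
    """Return a list of findings for a server/client config pair."""
    s, c = parse(server), parse(client)
    findings = []
    for role, conf in (("server", s), ("client", c)):
        if "lport" in conf:
            fix = "port" if role == "server" else "nobind"
            findings.append(f"{role}: lport set, thread advice is to use {fix}")
        for name, uses in conf.items():
            if name not in REPEATABLE and len({tuple(u) for u in uses}) > 1:
                findings.append(f"{role}: {name} given {len(uses)} times with different values")
    for name in ("cipher", "auth", "comp-lzo"):  # settings both ends are expected to share
        if s.get(name) != c.get(name):
            findings.append(f"mismatch: {name} differs between server and client")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SERVER_CONF, CLIENT_CONF)))
```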


Re: pfSense: Constant Reconnects for some Users

Post by Seppic » Mon Jan 08, 2018 6:07 pm

TinCanTech wrote:
Sat Jan 06, 2018 2:15 am
Do not use --lport .. instead use (server) --port and (client) --nobind
Thank you, I'll test this out.

So in practice would I remove the lport, replace it with port 443 and take out lport from the client config and add nobind?


Re: pfSense: Constant Reconnects for some Users

Post by Seppic » Mon Jan 08, 2018 9:29 pm

Also just a small update, this is what I see in server log when they get prompted for the re-auth. It usually happens just a few minutes after the affected user has been logged in, whether or not they have been active on their machine. Not sure why an inactivity timeout would be happening to an active user.

Jan  8 17:38:46 d0-nfw0633 openvpn[61774]: user/73.182.34.101:56118 [user] Inactivity timeout (--ping-restart), restarting
Jan  8 17:38:46 d0-nfw0633 openvpn[61774]: user/73.182.34.101:56118 SIGUSR1[soft,ping-restart] received, client-instance restarting
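
As an added example (not part of the original posts), this Python sketch measures how long a client stayed connected from the management STATE lines in the first post, and tallies the server-side SIGUSR1 restart reasons from the last post. The ping_restart default of 60 comes from the "keepalive 10 60" mentioned in the first post; the function names are assumptions.

```python
import re
from collections import Counter

# Log lines copied from the posts in this thread (client: first post, server: last post).
CLIENT_LOG = """\
Fri Jun 30 05:22:48 2017 MANAGEMENT: >STATE:1498814568,CONNECTED,SUCCESS,172.31.2.5,67.107.32.249,443,192.168.0.13,55475
Fri Jun 30 05:23:11 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jun 30 05:23:11 2017 Connection reset, restarting [-1]
Fri Jun 30 05:23:11 2017 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jun 30 05:23:11 2017 MANAGEMENT: >STATE:1498814591,RECONNECTING,connection-reset,,,,,
"""
SERVER_LOG = """\
Jan  8 17:38:46 d0-nfw0633 openvpn[61774]: user/73.182.34.101:56118 [user] Inactivity timeout (--ping-restart), restarting
Jan  8 17:38:46 d0-nfw0633 openvpn[61774]: user/73.182.34.101:56118 SIGUSR1[soft,ping-restart] received, client-instance restarting
"""
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),([^,]*),")
SERVER_RE = re.compile(
    r"openvpn\[\d+\]: (\S+)/(\d+(?:\.\d+){3}):(\d+) SIGUSR1\[soft,([a-z-]+)\]")

def client_sessions(log, ping_restart=60):
    """Return (seconds_connected, reason, long_enough_for_ping_restart) per drop."""
    sessions, connected_at = [], None
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        ts, state, reason = int(m.group(1)), m.group(2), m.group(3)
        if state == "CONNECTED":
            connected_at = ts
        elif state == "RECONNECTING" and connected_at is not None:
            up = ts - connected_at
            # A ping-restart timer cannot have expired before ping_restart seconds.
            sessions.append((up, reason, up >= ping_restart))
            connected_at = None
    return sessions

def server_restarts(log):
    """Count server-side client-instance restarts per (user, reason)."""
    counts = Counter()
    for line in log.splitlines():
        m = SERVER_RE.search(line)
        if m:
            counts[(m.group(1), m.group(4))] += 1
    return dict(counts)

if __name__ == "__main__":
    print(client_sessions(CLIENT_LOG))
    print(server_restarts(SERVER_LOG))
```

On the lines quoted in this thread it reports a 23-second client session ended by connection-reset, and one ping-restart for the user on the server.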
