pfSense: Constant Reconnects for some Users
Posted: Mon Jul 17, 2017 2:18 pm
We implemented a pfSense appliance running OpenVPN recently. Testing went very well with little to no issues. Now that it's been deployed to a wider user base I am seeing some consistent issues when there are some.
I am having a small handful of users who are experiencing constant reconnect prompts. It's a pretty big inconvenience for them since we also have DUO tied in, and they have to re-approve a notification on their phone every time it happens as well.
Other users experience this initially but after a 3rd or 4th time it "sticks" and then they don't have a problem for hours.
This (http://i.imgur.com/gB08ROB.png) seems to be a common issue. Connecting then getting an inactivity timeout within a few minutes after and prompting a reconnect.
I've seen some talk about modifying the keepalive time, but it's set to 10 60 by default. If there is no traffic going over the VPN for that period of time we have bigger problems obviously. I've been beating my head against Google and can't seem to find much. So basically any leads or tips would be super helpful, thanks!
Another thing the same user as the picture is experiencing is this:
Fri Jun 30 05:22:48 2017 MANAGEMENT: >STATE:1498814568,CONNECTED,SUCCESS,172.31.2.5,67.107.32.249,443,192.168.0.13,55475
Fri Jun 30 05:23:11 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jun 30 05:23:11 2017 Connection reset, restarting [-1]
Fri Jun 30 05:23:11 2017 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jun 30 05:23:11 2017 MANAGEMENT: >STATE:1498814591,RECONNECTING,connection-reset,,,,,
Being disconnected for a timeout after a minute of being connected.
Side note: Should we consider switching from TCP to UDP?
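An added example, not part of the original post: a Python sketch that reads the client log lines quoted above, measures how long each session stayed up, and separates restarts caused by the keepalive timer from restarts caused by a socket error. The function and field names are hypothetical, and the `ping_restart=60` default assumes the client's restart timer is the 60 from the "10 60" keepalive setting mentioned in the post.

```python
import re

# Client log lines copied from the post above.
SAMPLE_LOG = """\
Fri Jun 30 05:22:48 2017 MANAGEMENT: >STATE:1498814568,CONNECTED,SUCCESS,172.31.2.5,67.107.32.249,443,192.168.0.13,55475
Fri Jun 30 05:23:11 2017 read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)
Fri Jun 30 05:23:11 2017 Connection reset, restarting [-1]
Fri Jun 30 05:23:11 2017 SIGUSR1[soft,connection-reset] received, process restarting
Fri Jun 30 05:23:11 2017 MANAGEMENT: >STATE:1498814591,RECONNECTING,connection-reset,,,,,
"""

# >STATE:<unix time>,<state name>,<detail>,...
STATE_RE = re.compile(r">STATE:(\d+),([A-Z_]+),([^,]*)")
# e.g. "read TCP_CLIENT: Connection timed out (WSAETIMEDOUT) (code=10060)"
SOCKET_ERR_RE = re.compile(r"read (?:TCP|UDP)\w*: (.+?) \(code=(\d+)\)")


def summarize_sessions(log_text, ping_restart=60):
    """Return one dict per CONNECTED -> RECONNECTING/EXITING cycle."""
    sessions, connected_at, socket_err = [], None, None
    for line in log_text.splitlines():
        err = SOCKET_ERR_RE.search(line)
        if err and connected_at is not None:
            socket_err = f"{err.group(1)} (code={err.group(2)})"
        m = STATE_RE.search(line)
        if not m:
            continue
        ts, state, detail = int(m.group(1)), m.group(2), m.group(3)
        if state == "CONNECTED":
            connected_at, socket_err = ts, None
        elif state in ("RECONNECTING", "EXITING") and connected_at is not None:
            sessions.append({
                "seconds_up": ts - connected_at,
                "reason": detail,
                "socket_error": socket_err,
                # A keepalive restart is reported with the reason
                # "ping-restart" and cannot fire before the timer expires.
                "keepalive_triggered": detail == "ping-restart"
                                       and ts - connected_at >= ping_restart,
            })
            connected_at = None
    return sessions


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        print(s)
```

Run over a full client log, sessions that end with a socket error well inside the restart window point at the TCP path between client and server rather than at the keepalive values.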