KEEPALIVE_TIMEOUT while ping/ping-restart not reached

[gertvdijk]

Here's an issue I have with OpenVPN Connect on Android that looks like a bug to me.

server.conf:

Code: Select all

port 1194
proto udp
dev tun
ca      /etc/openvpn/keys/ca.crt    # generated keys
cert    /etc/openvpn/keys/myserver.crt
key     /etc/openvpn/keys/myserver.key  # keep secret
dh      /etc/openvpn/keys/dh4096.pem
crl-verify /etc/openvpn/keys/crl.pem
server 192.168.12.0 255.255.255.0  # internal tun0 connection IP
ifconfig-pool-persist ipp.txt
keepalive 600 1800
comp-lzo         # Compression - must be turned on at both end
persist-key
persist-tun
status /var/log/openvpn/status.log
verb 3
link-mtu 1602
cipher AES-256-CBC
auth SHA512
keysize 256
push "dhcp-option DNS 192.168.12.1"
push "redirect-gateway"

client.ovpn:

Code: Select all

client
remote 1.2.3.4
cipher AES-256-CBC
comp-lzo yes
dev tun
proto udp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
link-mtu 1602
auth SHA512
keysize 256
keepalive 600 1800

The keepalive 600 1800 should mean that it pings every 10 minutes and restarts if no pings have been received in 30 minutes, right?

This setting is being honored on regular Linux OpenVPN clients, but not on OpenVPN connect on Android, although the log says so.

Here's a summary of events seen from the client (see pictures below for details - I don't know how to save the log as text file):

19:55:46 OpenVPN start / unused option keepalive (I've put this in the client config, but this is not used apparently.)
19:55:48 Connect
19:55:49-54 Verify/TLS stuff
19:55:55 Sending PUSH_REQUEST replied with ping=600, ping-restart=1800 (looks good!)
19:55:55 Connected!
19:59:21 "Session invalidated: KEEPALIVE_TIMEOUT" & Disconnected. <-- what? only 210 seconds have passed!

Server version: 2.1.3 x86_64-pc-linux-gnu (Debian version 2.1.3-2+squeeze1)
Client version: 1.1.12 build 45 (OpenVPN Connect from Google Play)
Android version: 4.2.2 (Paranoid Android 3.69)

How can I prevent OpenVPN from disconnecting on inactivity so while I configured it appropriately?

[gertvdijk]

(posted reply, unable to edit post?)

I wanted to add that if I prevent any traffic on the tunnel I get a persistent timeout at exactly 40s everytime.



Server logs don't say anything:

Code: Select all

Jul 28 21:25:14 xlsvps ovpn-server[19361]: galaxy-note/188.207.68.96:49432 PUSH: Received control message: 'PUSH_REQUEST'
Jul 28 21:25:14 xlsvps ovpn-server[19361]: galaxy-note/188.207.68.96:49432 SENT CONTROL [galaxy-note]: 'PUSH_REPLY,dhcp-option D
NS 192.168.12.1,redirect-gateway,route 192.168.12.1,topology net30,ifconfig 192.168.12.14 192.168.12.13' (status=1)
Jul 28 21:25:59 xlsvps ovpn-server[19361]: MULTI: multi_create_instance called
Jul 28 21:25:59 xlsvps ovpn-server[19361]: 188.207.68.96:49433 Re-using SSL/TLS context
Jul 28 21:25:59 xlsvps ovpn-server[19361]: 188.207.68.96:49433 LZO compression initialized

You see that between 21:25:14 (CONNECTED on client) and 21:25:59 (RECONNECT on client) nothing appears in the logs on the server.

[jamesyonan]

You are absolutely right -- server-pushed keepalive parameters (ping, ping-restart) are being ignored in 1.1.12 and earlier.

Will be fixed in next release.

Thanks,
James

[pservus]

I use the iOS-App "OpenVPN Connect"
from "OpenVPN Technologies"
with the newest Version "1.0.5 build 177 (iOS 32-bit)"

Normally the app sends and receives every 10s a packet to/from the connected server.
But every 15 or 30 minutes, the app sends but don't receives the pachets. In this case there is no connection to the network or the internet. Than after 2min the app reconnects to the server and all is fine, but only for the next 15 or 30min.

The log for the problem-case is:
...
2014-11-17 15:43:11 Connected via tun
2014-11-17 15:43:11 EVENT: CONNECTED @xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via /UDPv4 on tun/xxx.xxx.xxx.xxx/
2014-11-17 15:43:11 SetStatus Connected
2014-11-17 15:47:01 Session invalidated: KEEPALIVE_TIMEOUT
2014-11-17 15:47:01 Client terminated, restarting in 2...
2014-11-17 15:47:01 TUN reassert
2014-11-17 15:47:01 TUN reset routes
2014-11-17 15:47:03 EVENT: RECONNECTING
2014-11-17 15:47:03 LZO-ASYM init swap=0 asym=0
2014-11-17 15:47:03 Contacting xxx.xxx.xxx.xxx:xxx via UDP
2014-11-17 15:47:03 EVENT: WAIT
...


And the same on Android:
"OpenVPN Connect"
from "OpenVPN Technologies"
with the newest Version "1.1.14 (build 56) OpenVPN core 3.0 android armv7a thumb2 32-bit"

The log for the problem-case is:
...
2014-11-17 15:43:11 Connected via tun
2014-11-17 15:43:11 EVENT: CONNECTED info='@xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via /UDPv4 on tun/xxx.xxx.xxx.xxx/' trans=TO_CONNECTED
2014-11-17 15:47:01 Session invalidated: KEEPALIVE_TIMEOUT
2014-11-17 15:47:01 Client terminated, restarting in 2...
2014-11-17 15:47:03 EVENT: RECONNECTING trans=TO_DISCONNECTED
2014-11-17 15:47:03 LZO-ASYM init swap=0 asym=0
2014-11-17 15:47:03 Contacting xxx.xxx.xxx.xxx:xxx via UDP
2014-11-17 15:47:03 EVENT: WAIT
...


I think it's the same problem as in this thread

[Droidman]

Hi there, we are experiencing pretty much the same issue on Android and iOS. We are using:

OpenVPN Connect 1.1.14 (build 56) on Android (4.4.2) and
OpenVPN 1.0.5 build 177 (iOS 32-bit) on iOS (8.1.1)

Issue short description: once every 10 to 25 minutes the client stops receiving packets (resulting in a connection loss) and performs a restart after 2 minutes. The logs look quite identical on both devices:

Code: Select all

2014-12-08 13:35:47 VERIFY OK: depth=0
cert. version    : 3
serial number    : 01
issuer name      : C=DE, ST=BE, L=Berlin, O=SomeCompany, CN=someCN, emailAddress=someIssuer@someCompany.com
subject name      : C=DE, ST=BE, L=Berlin, O=SomeCompany, CN=some.cn.com, emailAddress=someIssuer@someCompany.com
issued  on        : 2006-03-23 11:18:32
expires on        : 2016-03-20 11:18:32
signed using      : RSA with MD5
RSA key size      : 1024 bits
basic constraints : CA=false
cert. type        : SSL Server

2014-12-08 13:35:47 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA
2014-12-08 13:35:47 Session is ACTIVE
2014-12-08 13:35:47 EVENT: GET_CONFIG
2014-12-08 13:35:47 Sending PUSH_REQUEST to server...
2014-12-08 13:35:47 OPTIONS:
0 [route] [172.xxx.xxx.xxx] [255.255.0.0]
1 [dhcp-option] [DNS] [172.xxx.xxx.xxx]
2 [dhcp-option] [WINS] [172.xxx.xxx.xxx]
3 [route] [192.168.xxx.xxx] [255.255.255.0]
4 [ping] [10]
5 [ping-restart] [120]
6 [ifconfig] [192.168.xxx.xxx] [192.168.xxx.xxx]

2014-12-08 13:35:47 LZO-ASYM init swap=0 asym=0
2014-12-08 13:35:47 EVENT: ASSIGN_IP
2014-12-08 13:35:47 Error parsing dhcp-option: [dhcp-option] [WINS] [172.xxx.xxx.xxx]  : tun_prop_dhcp_option_error: tun_builder_add_wins_server failed
2014-12-08 13:35:47 Connected via tun
2014-12-08 13:35:47 EVENT: CONNECTED @xxx.xxx.xxx.xxx:XXXX (xxx.xxx.xxx.xxx) via /UDPv4 on tun/192.168.xxx.xxx/
2014-12-08 13:35:47 SetStatus Connected
2014-12-08 13:38:30 TUN reset routes
2014-12-08 13:38:30 EVENT: DISCONNECTED
2014-12-08 13:38:30 Raw stats on disconnect:
  BYTES_IN : 2327362
  BYTES_OUT : 208373
  PACKETS_IN : 2194
  PACKETS_OUT : 1821
  TUN_BYTES_IN : 132656
  TUN_BYTES_OUT : 2236725
  TUN_PACKETS_IN : 1492
  TUN_PACKETS_OUT : 1934
  KEEPALIVE_TIMEOUT : 4
  N_PAUSE : 1
  N_RECONNECT : 5
2014-12-08 13:38:30 Performance stats on disconnect:
  CPU usage (microseconds): 1081516
  Tunnel compression ratio (uplink): 1.57078
  Tunnel compression ratio (downlink): 1.04052
  Network bytes per CPU second: 2344611
  Tunnel bytes per CPU second: 2190796
2014-12-08 13:38:30 ----- OpenVPN Stop -----
2014-12-08 13:38:31 ----- OpenVPN Start -----

Seems to be the same KEEPALIVE_TIMEOUT issue which should be fixed in previous version. Desktop clients are not affected, only mobiles.

[pservus]

I have the problem from this thread at the androis-version (1.1.14) and on the iOS-Version (1.0.5).
There is NO PROBLEM with "OpenVPN GUI" for Windows or "Tunnelblick" for Mac with the same serevr.
The problem is NOT the wifi, because there is the same problem on different wifis.

The problem:
Normaly the app sends and receives keep-alive-packets every 10s. But every 15min or 30min it only sends but receives nothing. In this case there is no connection to the network or to the internet.
Than after 2min the app reconnects to the server and all is fine .. but only for the next 15min or 30min.

I use the iOS-app "OpenVPN Connect" from "OpenVPN Technologies" on an iPad.
It is the newest version "OpenVPN 1.0.5 build 177 (iOS 32-bit)".

The iPad I use:

• iPad with Retina-Display
• Model: MD510FD/A
• iOS Version: 8.1.1 (12B435)

Here is the log from the problem-case:

Code: Select all

...
2014-11-17 15:43:11 EVENT: CONNECTED @xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via /UDPv4 on tun/xxx.xxx.xxx.xxx/
2014-11-17 15:43:11 SetStatus Connected
2014-11-17 15:47:01 Session invalidated: KEEPALIVE_TIMEOUT
2014-11-17 15:47:01 Client terminated, restarting in 2...
2014-11-17 15:47:01 TUN reassert
2014-11-17 15:47:01 TUN reset routes
2014-11-17 15:47:03 EVENT: RECONNECTING
2014-11-17 15:47:03 LZO-ASYM init swap=0 asym=0
2014-11-17 15:47:03 Contacting xxx.xxx.xxx.xxx:xxx via UDP
2014-11-17 15:47:03 EVENT: WAIT
2014-11-17 15:47:03 SetTunnelSocket returned 1
2014-11-17 15:47:03 Connecting to xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via UDPv4
2014-11-17 15:47:03 EVENT: CONNECTING
...

But I have the same problem with the Androis-app "OpenVPN Connect" from "OpenVPN Technologies" on a tablet.
It is the newest version "OpenVPN Connect 1.1.14 (build 56) OpenVPN core 3.0 android armv7a thumb2 32-bit".

The tablet I use:

• SAMSUNG
• Model number: SM-T530
• Android: 4.4.2

Here is the log from the Android-app:

Code: Select all

...
15:26:40.200 -- EVENT: CONNECTED info='@xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via /UDPv4 on tun/xxx.xxx.xxx.xxx/' trans=TO_CONNECTED
15:44:58.233 -- Session invalidated: KEEPALIVE_TIMEOUT
15:44:58.257 -- Client terminated, restarting in 2...
15:45:00.260 -- EVENT: RECONNECTING trans=TO_DISCONNECTED
15:45:00.312 -- LZO-ASYM init swap=0 asym=0
15:45:00.314 -- Contacting xxx.xxx.xxx.xxx:xxx via UDP
15:45:00.318 -- EVENT: WAIT
15:45:00.384 -- Connecting to xxx.xxx.xxx.xxx:xxx (xxx.xxx.xxx.xxx) via UDPv4
15:45:00.384 -- EVENT: CONNECTING
...

I thought that the problem was solved for the Android-app at version 1.1.13. Isn't it so or is the problem rebuild at 1.1.14?
But at most I need the problem solved for iOS!
Thanks for help.

[zokstar]

Sorry to bring an old thread back. I just updated my servers to Access Server 2.0.25 and now I'm experiencing this same issue

Work around for now on android devices is to use "OpenVPN For Android" from Play Store.

[rsenio]

I updated my appliance to 2.0.25 and found that no traffic passed through the tunnel or through to the internet (split tunnel setup here). I have opened a support case, but have only been told "perhaps you should stay with 2.0.24 at this time"

[breakingspell]

Reporting in, set up a new server with 2.0.25 this weekend, my old server ran 2.0.24. Exact same issues as everyone else here, VPN connections to the OVPN Connect app time out quickly, and I can't access any resources, reverting to 2.0.24 works fine.

[novaflash]

For those that are experiencing this problem, try adding FAVOR_LZO=1 to the file /usr/local/openvpn_as/etc/as.conf and restarting the Access Server service.