Primary and Secondary Nodes in HA Cluster Operating in Different Mode

Post by stanley.chiu » Mon Jun 08, 2020 5:04 pm

Hi, I'm wondering if anyone has come across this particular issue before.

I followed the instructions from here: https://openvpn.net/vpn-server-resource ... over-mode/

As far as I can determine, I was able to successfully complete all the steps.

The configuration seems to be getting rsync'ed between the nodes, yet they seem to be running in different modes.

The most obvious proof of this is when the client configuration file is generated with the primary node as master, it has the following:
# OVPN_ACCESS_SERVER_PROFILE=<FQDN>/NoClientCert

But when it is generated with the secondary node as master, it has:
# OVPN_ACCESS_SERVER_PROFILE=<FQDN>/Dynamic
# OVPN_ACCESS_SERVER_DYNAMIC=1

Ultimately, the same client profile that has always worked with the primary node doesn't work with the secondary node.

The logs from the secondary node show:

2020-06-05 16:02:11+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:11 2020 TCP connection established with [AF_INET]<CLIENT IP>:54588'
2020-06-05 16:02:12+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:12 2020 <CLIENT IP>:54588 TLS: Initial packet from [AF_INET]<CLIENT IP>:54588, sid=07685eb0 a30215b3'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 TLS_ERROR: BIO read tls_read_plaintext error'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 TLS Error: TLS object -> incoming plaintext read error'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 TLS Error: TLS handshake failed'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 Fatal TLS error (check_tls_errors_co), restarting'
2020-06-05 16:02:13+0000 [-] OVPN 0 OUT: 'Fri Jun 5 16:02:13 2020 <CLIENT IP>:54588 SIGUSR1[soft,tls-error] received, client-instance restarting'

Any help would be appreciated.

Re: Primary and Secondary Nodes in HA Cluster Operating in Different Mode

Post by stanley.chiu » Wed Jun 10, 2020 7:36 pm

This has been resolved.

Apparently any custom settings added to /usr/local/openvpn_as/etc/as.conf do not get replicated over to the secondary node.

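Added example (not part of the original posts and not OpenVPN's own tooling): a small check for the drift described in the resolution, comparing the as.conf contents of the two nodes and listing every setting that differs. It assumes as.conf is plain key=value lines with # comments; the sample keys and the names parse_conf and conf_drift are constructed for illustration.

```python
# Added example: detect as.conf drift between HA nodes.
# Assumption: as.conf consists of "key=value" lines and "#" comment lines.

def parse_conf(text):
    """Return {key: value} from key=value lines, skipping blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def conf_drift(primary_text, secondary_text, expected_to_differ=()):
    """List (key, primary_value, secondary_value) for each differing setting.

    None means the key is absent on that node. Keys listed in
    expected_to_differ (legitimately per-node settings) are skipped.
    """
    primary = parse_conf(primary_text)
    secondary = parse_conf(secondary_text)
    drift = []
    for key in sorted(set(primary) | set(secondary)):
        if key in expected_to_differ:
            continue
        p, s = primary.get(key), secondary.get(key)
        if p != s:
            drift.append((key, p, s))
    return drift


# Constructed sample contents; the keys are placeholders, not real as.conf settings.
PRIMARY = """\
# constructed sample
example.shared.setting=1
example.custom.setting=enabled
example.node.name=node-a
"""
SECONDARY = """\
example.shared.setting=1
example.node.name=node-b
"""

if __name__ == "__main__":
    for key, p, s in conf_drift(PRIMARY, SECONDARY, {"example.node.name"}):
        print(f"{key}: primary={p!r} secondary={s!r}")
```

To use it on a real cluster, pass in the text of /usr/local/openvpn_as/etc/as.conf from each node; any key reported with None on the secondary is a custom setting that was never copied across.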