User disconnected every 2/3 hours on Windows

[kp2]

Hello,

it's my first message on this forum, nice to meet you A user (using Windows 10) of our VPN reports that he is disconnected every 2/3 hours. On the server, I see messages like this at the times he seems to be disconnected:

Code: Select all

Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
***
Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 Fatal TLS error (check_tls_errors_co), restarting

This is a extract of syslog:

Code: Select all

Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:54 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 09:40:55 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS Error: local/remote TLS keys are out of sync: [AF_INET]180.62.113.83:55114 [1]
Mar 12 10:17:01 Hostname CRON[21731]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS: soft reset sec=0 bytes=1092558254/-1 pkts=1303575/0
Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS ERROR: local/remote key IDs out of sync (4/5) ID:  [key#0 state=S_START id=4 sid=bc2935ab 6d2789d0] [key#1 state=S_NORMAL_OP id=3 sid=bc2935ab 6d2789d0] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 Fatal TLS error (check_tls_errors_co), restarting
Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 SIGUSR1[soft,tls-error] received, client-instance restarting
Mar 12 10:40:20 Hostname ovpn-server[503]: TCP connection established with [AF_INET]180.62.113.83:54911
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 TLS: Initial packet from [AF_INET]180.62.113.83:54911, sid=a936613f d0f6bfe4
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 VERIFY OK: depth=1, CN=cn_MTZowkgoxjCf6zgq
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 VERIFY OK: depth=0, CN=user1
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_VER=3.git::662eae9a
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_PLAT=win
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_NCP=2
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_TCPNL=1
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_PROTO=2
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_AUTO_SESS=1
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_GUI_VER=OCWindows_3.2.2-1455
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 peer info: IV_SSO=openurl
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1551', remote='link-mtu 1523'
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit EC, curve: prime256v1
Mar 12 10:40:20 Hostname ovpn-server[503]: 180.62.113.83:54911 [user1] Peer Connection Initiated with [AF_INET]180.62.113.83:54911
Mar 12 10:40:20 Hostname ovpn-server[503]: user1/180.62.113.83:54911 MULTI_sva: pool returned IPv4=10.8.0.4, IPv6=(Not enabled)
Mar 12 10:40:20 Hostname ovpn-server[503]: user1/180.62.113.83:54911 MULTI: Learn: 10.8.0.4 -> user1/180.62.113.83:54911
Mar 12 10:40:20 Hostname ovpn-server[503]: user1/180.62.113.83:54911 MULTI: primary virtual IP for user1/180.62.113.83:54911: 10.8.0.4
Mar 12 10:40:20 Hostname ovpn-server[503]: user1/180.62.113.83:54911 PUSH: Received control message: 'PUSH_REQUEST'

Could you help me please ?

Thanks a lot and have a nice day

[imjebran]

Hi,

Please post your client and server config file with hiding of your keys and public IPs.

[kp2]

Hello,

thank you for your answer, this is a client file

View OriginalOpenVPN

client
proto tcp-client
remote 1x.x.x.x 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_lOdtEHWVmAMF9eXp name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
ignore-unknown-option block-outside-dns
setenv opt block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-crypt>

And this is my server conf

View OriginalopenVPN

port 1194
proto tcp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server x.x.x.x 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS x.x.x.x"
push "dhcp-option DNS x.x.x.x"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key
crl-verify crl.pem
ca ca.crt
cert server_lOdtEHWVmAMF9eXp.crt
key server_lOdtEHWVmAMF9eXp.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3

have a nice day

[imjebran]

Hi,

Please use the following settings.

Code: Select all

"reneg-sec 0" in server
"reneg-ser 36000" in client

[TinCanTech]

I would advise against disabling --reneg-sec on the server.

Also, watch out for typos, especially when related to important security settings.

Also, the advice (once corrected) will make the client reconnect every hour
but the problem is disconnecting at irregular times .. how are they related ?

[kp2]

Hello,

thank you both for your answers, sometimes the disconnections are spontaneous but I would say that overall they are very regular, even if I look in the logs every 2 or 3 hours at the same minute.

Have a nice day

[TinCanTech]

Mar 12 10:39:56 Hostname ovpn-server[503]: user1/180.62.113.83:55114 TLS: soft reset sec=0 bytes=1092558254/-1 pkts=1303575/0

It happens at exactly one hour +/- 5%. It is a security feature.

[kp2]

Hello,

No it's every 2/3 hours and it's problematic because we use it to access sensitive applications like databases and if the user loses the connection the data can be corrupted. I don't have this problem (on Linux) but on Windows, some people have this problem.

Thanks

[TinCanTech]

No, it is every hour but your user simply does not notice it sometimes.

If you disable it then sensitive applications will be exposed to security weaknesses ..

Unless your user has connection problems, in which case the log you posted is irrelevant.

viewtopic.php?f=30&t=22603

[kp2]

Hello,

ok thanks, I will follow the How to, change the verbosity of the logs, ... I will come back to you within a week. Thanks for everything