Help Need, keepalive pings not working

[bluestu]

I'm running a multi-client server using OpenVPN 2.0 on Debian. I have unique certificates (with unique common names) for each client. They connect fine, and I can ping each client.

The problem is, when I set keepalive on the client, it always fails to get a response. For instance, if I set:

keepalive 10 60

The server will restart every 60 seconds due to not getting a response. The client and server are connected via a high speed leased line with no detected packet loss (0.0%).

The client shows this error:

Code: Select all

[server] Inactivity timeout (--ping-restart), restarting

Please help, as I have had to roll back my config to single tunnels which is a nightmare!

Thanks

s

[Bebop]

The problem is, when I set keepalive on the client, it always fails to get a response

How strict is your server IPTABLES? Adding these can often solve the no ping problems:

Code: Select all

# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

[bluestu]

I don't think this Can be the problem as the keep alive pings arn't actually ICMP anyway. They're UDP echoes??

I can ping the server from the client and vice versatile when the link is ip. It just constantly restarts from the client side saying pong-restart. The link is up and working when it thinks there is no pong.

Thanks

S

[Bebop]

Server + client .conf, or little/no useful help will be likely to find you.

[janjust]

Apart from Bebop's remark about config files, which is totally valid, here are some tips

* upgrade to openvpn 2.2 on Debian; 2.0 is really old
* add the

Code: Select all

keepalive 10 60

to the server config, not the client config

[bluestu]

Hi guys, thanks for you're help. Also sorry for the spell check on my iPhone, I can usually spell OK.

server.conf

local xxx.xxx.xxx.xxx 1194 udp
dev tun
tls-server

# Key info
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
reneg-sec 0

# IP Setup
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ifconfig-pool-linear
client-config-dir ccd
client-to-client
keepalive 2 10
comp-lzo
#persist-key
#persist-tun
verb 3

client.conf

remote xxx.xxx.xxx.xxx 1194 udp
persist-key
tls-client
pull
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ping 2
ping-restart 10
persist-tun
comp-lzo yes
dev tun
nobind
verb 3

[janjust]

try commenting out

Code: Select all

ifconfig-pool-linear

as it's rather obsolete; use

Code: Select all

topology subnet

instead.

also make sure that both sides are doing LZO or not (I'd recommend to use 'comp-lzo yes' on both sides).

If you specify

Code: Select all

keepalive 2 10

on the server side then this is also pushed out to the client, overruling whatever you specify in the client config file for 'ping' and 'ping-restart'

[bluestu]

This has made no difference. The client still restarts saying ping-restart. The link is up and works fine, but it keeps dropping! I'm loosing the will to live with this!

s

[janjust]

please post the client and server config files as they are now (just to check).

Also, set the verbosity in the client log to 7 ('verb 7') and reconnect; now look in the client log file for messages of the type 'PING SENT' ; if you something similar on the server you should see 'RECEIVED PING PACKET'

[bluestu]

When I set verbosity to 7 all I see in the syslog is:

Jun 6 14:57:19 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:19 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN WRITE [52]

[janjust]

you're not seeing any PING messages being sent ?!?!?!? is this with openvpn 2.1 or still the old 2.0 ? I just verified for myself that this works on 2.1.4 and higher.

[Bebop]

sorry for the spell check on my iPhone, I can usually spell OK

The word 'pong' came up a few times.. I was thinking what the

Sorry I couldn't help out much on this problem. I thought Keep-alive were just regular ICMP pings. Now I researched some more and found out you were correct, they are not. Thank you for the pointer. And thank you to Janjust for stepping in. Best of luck to getting this solved.