Client keeps disconnect due to inactivity timeout

[Leonida Golfrè]

Hi everybody,
in my office I have a VPN network where a single client keep disconnects and reconnect due to inactivity timeout.
There are many clients that are connected to the server without problems, I struggled by 2 days and I'm not able to identify the issue.

Here my server configuration:

mode server
tls-server
port 1194
proto udp
dev tap
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key # This file should be kept secret
dh dh1024.pem
ifconfig x.x.x.1 255.255.255.0
ifconfig-pool x.x.x.100 x.x.x.254 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route x.x.x.0 255.255.255.0
client-to-client
keepalive 10 120
cipher DES-EDE3-CBC # Triple-DES
persist-key
persist-tun
status openvpn-status.log
verb 4

client configuration

client
dev tap
proto udp
remote x.x.x.x port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert cert.crt
key cert.key
cipher DES-EDE3-CBC # Triple-DES
verb 4

Client log

Thu Sep 14 16:47:09 2017 us=119602 MANAGEMENT: >STATE:1505400429,CONNECTED,SUCCESS,[client VPN IP],[server IP]
Thu Sep 14 16:47:09 2017 us=148668 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig [client VPN IP] 255.255.255.0'
Thu Sep 14 16:56:37 2017 us=419635 [ server] Inactivity timeout (--ping-restart), restarting
Thu Sep 14 16:56:37 2017 us=419635 TCP/UDP: Closing socket
Thu Sep 14 16:56:37 2017 us=419635 SIGUSR1[soft,ping-restart] received, process restarting
Thu Sep 14 16:56:37 2017 us=419635 MANAGEMENT: >STATE:1505400997,RECONNECTING,ping-restart,,
Thu Sep 14 16:56:37 2017 us=419635 Restart pause, 2 second(s)
Thu Sep 14 16:56:39 2017 us=420606 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Sep 14 16:56:39 2017 us=420606 Re-using SSL/TLS context
Thu Sep 14 16:56:39 2017 us=420606 Control Channel MTU parms [ L:1573 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Sep 14 16:56:39 2017 us=420606 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Sep 14 16:56:39 2017 us=421603 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:12 ET:32 EL:3 ]
Thu Sep 14 16:56:39 2017 us=421603 Local Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Sep 14 16:56:39 2017 us=421603 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Sep 14 16:56:39 2017 us=421603 Local Options hash (VER=V4): 'b82ed10d'
Thu Sep 14 16:56:39 2017 us=421603 Expected Remote Options hash (VER=V4): '4f5b63fd'
Thu Sep 14 16:56:39 2017 us=421603 UDPv4 link local: [undef]
Thu Sep 14 16:56:39 2017 us=421603 UDPv4 link remote: [AF_INET][server IP]:[port]
Thu Sep 14 16:56:39 2017 us=421603 MANAGEMENT: >STATE:1505400999,WAIT,,,
Thu Sep 14 16:56:39 2017 us=423610 MANAGEMENT: >STATE:1505400999,AUTH,,,
Thu Sep 14 16:56:39 2017 us=423610 TLS: Initial packet from [AF_INET][server IP]:1194, sid=7ea4ffa8 2d717756
Thu Sep 14 16:56:39 2017 us=437603 VERIFY OK: depth=1, C=XX, ST=XX, L=XXXXX, O=xxxxxxxxxxxxx, OU=developers, CN=ca, name=ca, emailAddress=xxxxxxxxxxxxxx
Thu Sep 14 16:56:39 2017 us=437603 VERIFY OK: depth=0, C=XX, ST=XX, L=XXXXX, O=xxxxxxxxxxxxx, OU=developers, CN= server, name= server, emailAddress=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thu Sep 14 16:56:39 2017 us=452665 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Sep 14 16:56:39 2017 us=452665 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Sep 14 16:56:39 2017 us=452665 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:39 2017 us=452665 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Thu Sep 14 16:56:39 2017 us=452665 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Thu Sep 14 16:56:39 2017 us=452665 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:39 2017 us=452665 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Thu Sep 14 16:56:39 2017 us=452665 [ server] Peer Connection Initiated with [AF_INET][server IP]:1194
Thu Sep 14 16:56:40 2017 us=683622 MANAGEMENT: >STATE:1505401000,GET_CONFIG,,,
Thu Sep 14 16:56:41 2017 us=691102 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:56:46 2017 us=613602 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:56:51 2017 us=724599 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:56:56 2017 us=314668 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:01 2017 us=453620 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:07 2017 us=132601 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:12 2017 us=450669 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:17 2017 us=716600 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:22 2017 us=994664 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:27 2017 us=141653 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:32 2017 us=145611 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:37 2017 us=117666 SENT CONTROL [ server]: 'PUSH_REQUEST' (status=1)
Thu Sep 14 16:57:37 2017 us=120602 PUSH: Received control message: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig [client VPN IP] 255.255.255.0'
Thu Sep 14 16:57:37 2017 us=120602 OPTIONS IMPORT: timers and/or timeouts modified
Thu Sep 14 16:57:37 2017 us=120602 OPTIONS IMPORT: --ifconfig/up options modified
Thu Sep 14 16:57:37 2017 us=120602 Preserving previous TUN/TAP instance: Ethernet 2
Thu Sep 14 16:57:37 2017 us=120602 Initialization Sequence Completed
Thu Sep 14 16:57:37 2017 us=120602 MANAGEMENT: >STATE:1505401057,CONNECTED,SUCCESS,[client VPN IP],[server IP]

What I'm losing?

[TinCanTech]

Please see:
HOWTO: Request Help ! {2}

[Leonida Golfrè]

Please see:
HOWTO: Request Help ! {2}

Sorry but I'm unable to modify my OP.
What should I do?

[TinCanTech]

Your server log

[Leonida Golfrè]

Thank's TinCanTech,
here my server log file, "client" is the host which disconnects randomly:

Code: Select all

Thu Sep 14 16:56:34 2017 us=623459 MULTI: multi_create_instance called
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Re-using SSL/TLS context
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Control Channel MTU parms [ L:1573 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:12 ET:32 EL:3 ]
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Local Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Local Options hash (VER=V4): '4f5b63fd'
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 Expected Remote Options hash (VER=V4): 'b82ed10d'
Thu Sep 14 16:56:34 2017 us=623459 10.0.0.243:59281 TLS: Inxxial packet from [AF_INET]10.0.0.243:59281, sid=0e67c608 cd6533f5
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 VERIFY OK: depth=1, C=xx, ST=xx, L=xxxxxx, O=xxxxxxxxxxxxx, OU=developers, CN=ca, name=ca, emailAddress=xxxxxxxxxxxxx
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 VERIFY OK: depth=0, C=xx, ST=xx, L=xxxxxx, O=xxxxxxxxxxxxx, OU=developers, CN=client, name=client, emailAddress=xxxxxxxxxxxxx
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' inxxialized wxxh 192 bxx key
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 WARNING: this cipher's block size is less than 128 bxx (64 bxx).  Consider using a --cipher wxxh a larger block size.
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 Data Channel Encrypt: Using 160 bxx message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' inxxialized wxxh 192 bxx key
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 WARNING: this cipher's block size is less than 128 bxx (64 bxx).  Consider using a --cipher wxxh a larger block size.
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 Data Channel Decrypt: Using 160 bxx message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bxx RSA
Thu Sep 14 16:56:34 2017 us=654614 10.0.0.243:59281 [client] Peer Connection Inxxiated wxxh [AF_INET]10.0.0.243:59281
Thu Sep 14 16:56:34 2017 us=654614 MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Thu Sep 14 16:56:34 2017 us=654614 OPTIONS IMPORT: reading client specific options from: ccd\client
Thu Sep 14 16:56:36 2017 us=888998 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:56:36 2017 us=888998 client/10.0.0.243:59281 send_push_reply(): safe_cap=940
Thu Sep 14 16:56:36 2017 us=888998 client/10.0.0.243:59281 SENT CONTROL [client]: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig 10.8.50.3 255.255.255.0' (status=1)
Thu Sep 14 16:56:37 2017 us=670252 client/10.0.0.243:59281 MULTI: Learn: 00:ff:3c:4a:8a:be -> client/10.0.0.243:59281
Thu Sep 14 16:56:38 2017 us=623402 MULTI: multi_create_instance called
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Re-using SSL/TLS context
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Control Channel MTU parms [ L:1573 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:12 ET:32 EL:3 ]
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Local Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-server'
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Expected Remote Options String: 'V4,dev-type tap,link-mtu 1573,tun-mtu 1532,proto UDPv4,cipher DES-EDE3-CBC,auth SHA1,keysize 192,key-method 2,tls-client'
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Local Options hash (VER=V4): '4f5b63fd'
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port Expected Remote Options hash (VER=V4): 'b82ed10d'
Thu Sep 14 16:56:38 2017 us=623402 publicIP:port TLS: Inxxial packet from [AF_INET]publicIP:port, sid=7ffdc6c7 974af388
Thu Sep 14 16:56:38 2017 us=670191 publicIP:port VERIFY OK: depth=1, C=xx, ST=xx, L=xxxxxx, O=xxxxxxxxxxxxx, OU=developers, CN=ca, name=ca, emailAddress=xxxxxxxxxxxxx
Thu Sep 14 16:56:38 2017 us=670191 publicIP:port VERIFY OK: depth=0, C=xx, ST=xx, L=xxxxxx, O=xxxxxxxxxxxxx, OU=developers, CN=servicekey, name=servicekey, emailAddress=xxxxxxxxxxxxx
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port Data Channel Encrypt: Cipher 'DES-EDE3-CBC' inxxialized wxxh 192 bxx key
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port WARNING: this cipher's block size is less than 128 bxx (64 bxx).  Consider using a --cipher wxxh a larger block size.
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port Data Channel Encrypt: Using 160 bxx message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port Data Channel Decrypt: Cipher 'DES-EDE3-CBC' inxxialized wxxh 192 bxx key
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port WARNING: this cipher's block size is less than 128 bxx (64 bxx).  Consider using a --cipher wxxh a larger block size.
Thu Sep 14 16:56:38 2017 us=685880 publicIP:port Data Channel Decrypt: Using 160 bxx message hash 'SHA1' for HMAC authentication
Thu Sep 14 16:56:38 2017 us=701460 publicIP:port Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bxx RSA
Thu Sep 14 16:56:38 2017 us=701460 publicIP:port [servicekey] Peer Connection Inxxiated wxxh [AF_INET]publicIP:port
Thu Sep 14 16:56:38 2017 us=701460 MULTI: new connection by client 'servicekey' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Thu Sep 14 16:56:38 2017 us=701460 MULTI_sva: pool returned IPv4=10.8.50.134, IPv6=(Not enabled)
Thu Sep 14 16:56:39 2017 us=670248 servicekey/publicIP:port PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:56:39 2017 us=670248 servicekey/publicIP:port send_push_reply(): safe_cap=940
Thu Sep 14 16:56:39 2017 us=670248 servicekey/publicIP:port SENT CONTROL [servicekey]: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig 10.8.50.134 255.255.255.0' (status=1)
Thu Sep 14 16:56:41 2017 us=810825 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:56:46 2017 us=920261 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:56:51 2017 us=513972 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:21 2017 us=967136 servicekey/publicIP:port MULTI: Learn: 00:ff:9f:a0:32:34 -> servicekey/publicIP:port
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 send_push_reply(): safe_cap=940
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 SENT CONTROL [client]: 'PUSH_REPLY,ping 10,ping-restart 120,ifconfig 10.8.50.3 255.255.255.0' (status=1)
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=326492 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'
Thu Sep 14 16:57:32 2017 us=342078 client/10.0.0.243:59281 PUSH: Received control message: 'PUSH_REQUEST'

Thanks in advance.

[TinCanTech]

See --inactive in The Manual v24x

[Leonida Golfrè]

Hi,
I read the manual and if I'm not wrong the default value of this directive is 0 (disable).
Since the directive is not included in my configuration I would expect that the client maintain the connection to the server, am I wrong? (sorry for my bad english).
What I'm losing?

[TinCanTech]

You are pushing the wrong ifconfig parameters to your client.

[Leonida Golfrè]

If that is an error in server configuration I cannot understand why the others 20 clients connected to the server are working without this issue. Please can you help me to understand?

For more clarity here the log of another client connected to the same server:

Code: Select all

Fri Sep 15 15:51:46 2017 VERIFY OK: depth=1, C=xx, ST=xx, L=xxxxxxxx, O=xxxxxxxx, OU=developers, CN=ca, name=ca, emailAddress=xxxxxxxxxxxxxxxxxx
Fri Sep 15 15:51:46 2017 VERIFY OK: depth=0, C=xx, ST=xx, L=xxxxxxxx, O=xxxxxxxx, OU=developers, CN=openvpn-server, name=openvpn-server, emailAddress=xxxxxxxxxxxxxxxxxx
Fri Sep 15 15:51:46 2017 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Fri Sep 15 15:51:46 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Fri Sep 15 15:51:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 15 15:51:46 2017 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Fri Sep 15 15:51:46 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Fri Sep 15 15:51:46 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 15 15:51:46 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA
Fri Sep 15 16:51:46 2017 TLS: soft reset sec=0 bytes=1625054/0 pkts=11886/0
Fri Sep 15 16:51:46 2017 VERIFY OK: depth=1, C=xx, ST=xx, L=xxxxxxxx, O=xxxxxxxx, OU=developers, CN=ca, name=ca, emailAddress=xxxxxxxxxxxxxxxxxx
Fri Sep 15 16:51:46 2017 VERIFY OK: depth=0, C=xx, ST=xx, L=xxxxxxxx, O=xxxxxxxx, OU=developers, CN=openvpn-server, name=openvpn-server, emailAddress=xxxxxxxxxxxxxxxxxx
Fri Sep 15 16:51:46 2017 Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Fri Sep 15 16:51:46 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Fri Sep 15 16:51:46 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 15 16:51:46 2017 Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Fri Sep 15 16:51:46 2017 WARNING: this cipher's block size is less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
Fri Sep 15 16:51:46 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 15 16:51:46 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 1024 bit RSA