Disconnect script not executed after ping timeout

[claudi]

Hello.

I want to monitor which user was connected for how long and how much traffic has been used in this time. For this I created a connect script which creates an entry in a database that the user connected and a disconnect script which updates the entry with the disconnect time and traffic volume. The scripts are working totally fine but sadly the disconnect script is sometimes not executed. I have been debugging this for quite some time and I think I found the problem for the disconnect script not beeing executed.

Here is a scenario:
The user connected, the connect script has been called and an entry in the database was created. But then the user seems to get a ping timeout. This is the log from the serverside:

Code: Select all

Thu Jun  9 01:09:42 2016 us=4118 username/*.*.*.*:12946 [username] Inactivity timeout (--ping-restart), restarting
Thu Jun  9 01:09:42 2016 us=4217 username/*.*.*.*:12946 SIGUSR1[soft,ping-restart] received, client-instance restarting

I would expect the disconnect script beeing called after this timeout, as the user is not directly reconnecting and the traffic volume should be stored. 45 minutes later the user finally reconnects and the connect script is called again and creates a new entry. Sadly the old database entry is still empty and shows that the user is still connected. Also the traffic used in the old session is lost and was not stored in the old entry.

Does anybody have an idea how to solve this problem? Or is there a "better" way to monitor which user was connected for how long and to see how much traffic has been used by him?

Thanks for your help.

[TinCanTech]

I would expect the disconnect script beeing called after this timeout

This works for me ..

Please post your server config file.

[claudi]

Here we go:

Code: Select all

port 80
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dhparam.pem
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo no
user openvpn
group openvpn
persist-key
persist-tun
persist-local-ip
remote-cert-tls client

client-connect connectscript.sh
client-disconnect disconnectscript.sh
script-security 3
username-as-common-name

[TinCanTech]

Here are a couple of things you can try:

See the manual for:

• --explicit-exit-notify 3
  --up-restart (Not sure if this will make any difference)

You may also try adjusting your --keepalive 10 120 .. remember: that 120 means the server will wait 240 seconds before it registers a session which has timed out. Also, you can push custom --ping/--ping-restart to clients with a CCD file, if you have any clients which are on particularly troublesome networks.

Like I said, --client-disconnect works for me even on --ping-restart.

[claudi]

You are right. I have further debugged this and tried to timeout myself and it worked. Sadly I still can't figure out why the disconnect script isn't executed sometimes. Is there some kind of verbosity level which shows me when a client disconnects? Right now I am using verb 4. The documentation sadly doesn't say anything about the verbosity levels.

PS: Which keepalive value would you suggest?

[TinCanTech]

For testing purposes try --keepalive 5 15

[claudi]

Tested it with keepalive 5 15 but still the same problem. Seems like it doesn't have to do anything with the keepalive value. Anyway does somebody have some information about the verbosity levels? There are plenty of them and no details about which is best for debugging a problem like this. Anway I will start to find out which debugging level is best for me now but I would be happy if there would be some documentation where I can read something about the debug levels.

[TinCanTech]

does somebody have some information about the verbosity levels

See source file errlevel.h

[claudi]

Yep already had a look in it, thought verb 7 is perfect as it is logging also the variables passed to scripts. Sadly verb 7 doesn't show any variables or scripts executed but the bigger problem is that the log files become HUGE after short time. I will not be able to protocol all stuff until the "problem" appears. I think I have to live with that OpenVPN somewhere has a bug where the it doesn't execute the disconnect script. This bug doesn't appear always and I personally can't reproduce it but following my debugging some users somewhen disconnect and the script is not executed at all. I will have to find another solution for my problem. Thanks for the help.