Client reply only after clean ARP cache

lapalis
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 22, 2011 5:02 pm

Client reply only after clean ARP cache

Post by lapalis » Wed Mar 23, 2011 4:20 pm

Hi to all, I have a strange problem with OpenVPN and clients connected via GPRS.
The configuration is:
- 1 Windows Server connected via ADSL
- 4 Linux clients always connected via GPRS
- 1 Linux client always connected via ADSL
- 1 Windows client, my PC, connected sometimes for tests via ADSL
One of the GPRS clients (VPN address 10.0.0.2) does a strange thing: if I continuously ping it from my PC via VPN, 10.0.0.2 replies for a long time, but sometimes (after a random time between 0 and 30 minutes) it can't reply anymore... until I do "arp -d" or "arp -d 10.0.0.2" on my PC. After cleaning the ARP cache, and so forcing a broadcast request, the client replies correctly.
Does anyone have any idea how I can resolve this problem?
Many thanks in advance

Configuration of the server
------------------------------------------------------------------------------------------------------
# Edit this file, and save to a .ovpn extension
# so that OpenVPN will activate it when run
# as a service.

# Change 'myremote' to be your remote host,
# or comment out to enter a listening
# server mode.
# &
# TLS mode works by establishing control and data channels
# which are multiplexed over a single TCP/UDP port.
# Enable TLS and assume server role during TLS handshake.
mode server
tls-server
client-to-client

# Uncomment this line to use a different
# port number than the default of 1194.
; port 1194

# Choose one of three protocols supported by
# OpenVPN. If left commented out, defaults
# to udp.
; proto [tcp-server | tcp-client | udp]

# You must specify one of two possible network
# protocols, 'dev tap' or 'dev tun' to be used
# on both sides of the connection. 'tap' creates
# a VPN using the ethernet protocol while 'tun'
# uses the IP protocol. You must use 'tap'
# if you are ethernet bridging or want to route
# broadcasts. 'tun' is somewhat more efficient
# but requires configuration of client software
# to not depend on broadcasts. Some platforms
# such as Solaris, OpenBSD, and Mac OS X only
# support 'tun' interfaces, so if you are
# connecting to such a platform, you must also
# use a 'tun' interface on the Windows side.

# Enable 'dev tap' or 'dev tun' but not both!
dev tap

# This is a 'dev tap' ifconfig that creates
# a virtual ethernet subnet.
# 10.0.0.1 is the local VPN IP address
# and 255.255.255.0 is the VPN subnet.
# Only define this option for 'dev tap'.
ifconfig 10.0.0.1 255.255.255.0

# This is a 'dev tun' ifconfig that creates
# a point-to-point IP link.
# 10.3.0.1 is the local VPN IP address and
# 10.3.0.2 is the remote VPN IP address.
# Only define this option for 'dev tun'.
# Make sure to include the "tun-mtu" option
# on the remote machine, but swap the order
# of the ifconfig addresses.
;tun-mtu 1500
;ifconfig 10.3.0.1 10.3.0.2

# If you have fragmentation issues or misconfigured
# routers in the path which block Path MTU discovery,
# lower the TCP MSS and internally fragment non-TCP
# protocols.
;fragment 1300
;mssfix

# If you have set up more than one TAP-Win32 adapter
# on your system, you must refer to it by name.
;dev-node my-tap

# You can generate a static OpenVPN key
# by selecting the Generate Key option
# in the start menu.
#
# You can also generate key.txt manually
# with the following command:
# openvpn --genkey --secret key.txt
#
# key must match on both ends of the connection,
# so you should generate it on one machine and
# copy it to the other over a secure medium.
# Place key.txt in the same directory as this
# config file.
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/VPN-Server000.crt
key keys/VPN-Server000.key

duplicate-cn

# Uncomment this section for a more reliable
# detection when a system loses its connection.
# For example, dial-ups or laptops that travel
# to other locations.
#
# If this section is enabled and "myremote"
# above is a dynamic DNS name (i.e. dyndns.org),
# OpenVPN will dynamically "follow" the IP
# address of "myremote" if it changes.
persist-key
persist-tun
; ping-restart 60
; ping-timer-rem
; resolv-retry 86400

# keep-alive ping
keepalive 60 240

# enable LZO compression
comp-lzo

# moderate verbosity
verb 7
mute 10

----------------------------------------------------------
Client configuration (client 10.0.0.2; the other clients have the same configuration, only the VPN IP address changes)
----------------------------------------------------------
# Edit this file, and save to a .ovpn extension
# so that OpenVPN will activate it when run
# as a service.

# Change 'myremote' to be your remote host,
# or comment out to enter a listening
# server mode.
# &
# TLS mode works by establishing control and data channels
# which are multiplexed over a single TCP/UDP port.
# Enable TLS and assume client role during TLS handshake.
remote x.x.x.x
tls-client

# Uncomment this line to use a different
# port number than the default of 1194.
port 1194

# Choose one of three protocols supported by
# OpenVPN. If left commented out, defaults
# to udp.
; proto [tcp-server | tcp-client | udp]

# You must specify one of two possible network
# protocols, 'dev tap' or 'dev tun' to be used
# on both sides of the connection. 'tap' creates
# a VPN using the ethernet protocol while 'tun'
# uses the IP protocol. You must use 'tap'
# if you are ethernet bridging or want to route
# broadcasts. 'tun' is somewhat more efficient
# but requires configuration of client software
# to not depend on broadcasts. Some platforms
# such as Solaris, OpenBSD, and Mac OS X only
# support 'tun' interfaces, so if you are
# connecting to such a platform, you must also
# use a 'tun' interface on the Windows side.

# Enable 'dev tap' or 'dev tun' but not both!
dev tap

# This is a 'dev tap' ifconfig that creates
# a virtual ethernet subnet.
# 10.0.0.2 is the local VPN IP address
# and 255.255.255.0 is the VPN subnet.
# Only define this option for 'dev tap'.
ifconfig 10.0.0.2 255.255.255.0

# This is a 'dev tun' ifconfig that creates
# a point-to-point IP link.
# 10.3.0.1 is the local VPN IP address and
# 10.3.0.2 is the remote VPN IP address.
# Only define this option for 'dev tun'.
# Make sure to include the "tun-mtu" option
# on the remote machine, but swap the order
# of the ifconfig addresses.
;tun-mtu 1500
;ifconfig 10.3.0.1 10.3.0.2

# If you have fragmentation issues or misconfigured
# routers in the path which block Path MTU discovery,
# lower the TCP MSS and internally fragment non-TCP
# protocols.
;fragment 1300
;mssfix

# If you have set up more than one TAP-Win32 adapter
# on your system, you must refer to it by name.
;dev-node my-tap

# You can generate a static OpenVPN key
# by selecting the Generate Key option
# in the start menu.
#
# You can also generate key.txt manually
# with the following command:
# openvpn --genkey --secret key.txt
#
# key must match on both ends of the connection,
# so you should generate it on one machine and
# copy it to the other over a secure medium.
# Place key.txt in the same directory as this
# config file.
ca keys/ca.crt
cert keys/VPN-Client000_000.crt
key keys/VPN-Client000_000.key

# Uncomment this section for a more reliable
# detection when a system loses its connection.
# For example, dial-ups or laptops that travel
# to other locations.
#
# If this section is enabled and "myremote"
# above is a dynamic DNS name (i.e. dyndns.org),
# OpenVPN will dynamically "follow" the IP
# address of "myremote" if it changes.
persist-key
persist-tun
; ping-restart 60
; ping-timer-rem
; resolv-retry 86400

# keep-alive ping
keepalive 60 240

# enable LZO compression
comp-lzo

# moderate verbosity
verb 4
mute 10

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: Client reply only after clean ARP cache

Post by gladiatr72 » Thu Mar 24, 2011 8:43 pm

Post your server configuration (Please remove all comments)

-S
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole


Re: Client reply only after clean ARP cache

Post by lapalis » Thu Mar 24, 2011 11:27 pm

As in the first post, but without comments.
PS: after other tests, I see that, after no ping reply from my PC (VPN IP 10.0.0.20) to client 10.0.0.2, if I:
- connect to client 10.0.0.2 via GPRS, but not through the VPN
- ping the server at IP 10.0.0.1 from this client
then the ping from my PC to 10.0.0.2 replies correctly.


Server Configuration:
------------------------------------------------------------------------------------------------------
mode server
tls-server
client-to-client

dev tap

ifconfig 10.0.0.1 255.255.255.0
dh keys/dh1024.pem
ca keys/ca.crt
cert keys/VPN-Server000.crt
key keys/VPN-Server000.key

duplicate-cn

persist-key
persist-tun

keepalive 60 240

comp-lzo

verb 7
mute 10



----------------------------------------------------------
Client configuration (client 10.0.0.2; the other clients have the same configuration, only the VPN IP address changes)
----------------------------------------------------------
remote x.x.x.x
tls-client

port 1194

dev tap

ifconfig 10.0.0.2 255.255.255.0

ca keys/ca.crt
cert keys/VPN-Client000_000.crt
key keys/VPN-Client000_000.key

persist-key
persist-tun

keepalive 60 240

comp-lzo

verb 4
mute 10


Re: Client reply only after clean ARP cache

Post by lapalis » Tue Mar 29, 2011 4:13 pm

I've found the problem and, wow!!, the solution.
I report them in case someone else has a similar problem:
on the 5 clients (Linux ARM system, OpenVPN 2.1.1 compiled), several clients (randomly after each reboot or remount of tap) have the same MAC address for the tap interface; the solution is to force a different static MAC address for each client. The same problem seems to afflict OpenVPN 2.1.4 compiled for Linux ARM systems; in this case, with 25 clients, two of them have the same MAC address for the tap interface.
I am starting a new topic to understand how OpenVPN generates random MAC addresses.
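
Added example, not part of the original thread and not OpenVPN's own code: a check for the duplicate tap MAC described in the last post, plus one way to give every client a distinct static MAC through OpenVPN's `lladdr` option. The sample `arp -a` output is constructed, and the `02:00` + VPN IP numbering scheme and all function names are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -a` output from the pinging PC (values are made up).
SAMPLE_ARP = """\
Interface: 10.0.0.20 --- 0x12
  Internet Address      Physical Address      Type
  10.0.0.1              00-ff-3a-10-22-aa     dynamic
  10.0.0.2              00-ff-3a-10-22-01     dynamic
  10.0.0.4              00-FF-3A-10-22-01     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def duplicate_macs(arp_text):
    """Return {mac: [ip, ...]} for each unicast MAC claimed by several IPs."""
    by_mac = defaultdict(list)
    for line in arp_text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):
            continue  # header lines and entries with no resolved MAC
        norm = mac.group().lower().replace("-", ":")
        if int(norm[:2], 16) & 1:
            continue  # broadcast/multicast MACs are shared by design
        by_mac[norm].append(ip.group())
    return {m: ips for m, ips in by_mac.items() if len(ips) > 1}


def vpn_ip_to_mac(vpn_ip):
    """Assumed scheme: 02:00 prefix (locally administered, unicast) + IPv4 octets."""
    octets = ipaddress.IPv4Address(vpn_ip).packed
    return ":".join(f"{b:02x}" for b in b"\x02\x00" + octets)


def lladdr_directives(vpn_ips):
    """Map each client's VPN IP to the OpenVPN `lladdr` line for its config."""
    if len(set(vpn_ips)) != len(vpn_ips):
        raise ValueError("VPN IPs must be unique for the MACs to be unique")
    return {ip: f"lladdr {vpn_ip_to_mac(ip)}" for ip in vpn_ips}


if __name__ == "__main__":
    print(duplicate_macs(SAMPLE_ARP))
    for ip, line in lladdr_directives(["10.0.0.2", "10.0.0.3", "10.0.0.4"]).items():
        print(f"# client {ip}\n{line}")
```

Because the MAC is built from the client's own VPN address, two clients can only collide if they were already given the same IP, which the helper rejects.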
