Help Need, keepalive pings not working

Posted: Sat Jun 04, 2011 11:48 am
by bluestu
I'm running a multi-client server using OpenVPN 2.0 on Debian. I have unique certificates (with unique common names) for each client. They connect fine, and I can ping each client.

The problem is, when I set keepalive on the client, it always fails to get a response. For instance, if I set:

keepalive 10 60

The server will restart every 60 seconds due to not getting a response. The client and server are connected via a high speed leased line with no detected packet loss (0.0%).

The client shows this error:

[server] Inactivity timeout (--ping-restart), restarting

Please help, as I have had to roll back my config to single tunnels which is a nightmare!

Thanks

s

Re: Help Need, keepalive pings not working

Posted: Sun Jun 05, 2011 9:42 am
by Bebop
bluestu wrote:The problem is, when I set keepalive on the client, it always fails to get a response
How strict is your server IPTABLES? Adding these can often solve the no ping problems:

# Accept responses to our pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
# Respond to pings
iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT

Re: Help Need, keepalive pings not working

Posted: Sun Jun 05, 2011 12:53 pm
by bluestu
I don't think this can be the problem as the keep alive pings aren't actually ICMP anyway. They're UDP echoes??

I can ping the server from the client and vice versa when the link is up. It just constantly restarts from the client side saying pong-restart. The link is up and working when it thinks there is no pong.

Thanks

S

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 2:52 am
by Bebop
Server + client .conf, or little/no useful help will be likely to find you.

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 7:59 am
by janjust
Apart from Bebop's remark about config files, which is totally valid, here are some tips

* upgrade to openvpn 2.2 on Debian; 2.0 is really old
* add the

keepalive 10 60

to the server config, not the client config

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 10:37 am
by bluestu
Hi guys, thanks for your help. Also sorry for the spell check on my iPhone, I can usually spell OK.

server.conf
local xxx.xxx.xxx.xxx 1194 udp
dev tun
tls-server

# Key info
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
reneg-sec 0

# IP Setup
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ifconfig-pool-linear
client-config-dir ccd
client-to-client
keepalive 2 10
comp-lzo
#persist-key
#persist-tun
verb 3

client.conf
remote xxx.xxx.xxx.xxx 1194 udp
persist-key
tls-client
pull
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
ping 2
ping-restart 10
persist-tun
comp-lzo yes
dev tun
nobind
verb 3

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 12:51 pm
by janjust
try commenting out

ifconfig-pool-linear

as it's rather obsolete; use

topology subnet

instead.

also make sure that both sides are doing LZO or not (I'd recommend to use 'comp-lzo yes' on both sides).

If you specify

keepalive 2 10

on the server side then this is also pushed out to the client, overruling whatever you specify in the client config file for 'ping' and 'ping-restart'

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 1:28 pm
by bluestu
This has made no difference. The client still restarts saying ping-restart. The link is up and works fine, but it keeps dropping! I'm losing the will to live with this!

s

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 2:47 pm
by janjust
please post the client and server config files as they are now (just to check).

Also, set the verbosity in the client log to 7 ('verb 7') and reconnect; now look in the client log file for messages of the type 'PING SENT'; if you do something similar on the server you should see 'RECEIVED PING PACKET'

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 2:56 pm
by bluestu
When I set verbosity to 7 all I see in the syslog is:
Jun 6 14:57:19 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:19 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:19 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:19 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:20 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:20 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:20 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:21 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:21 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:21 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:22 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:22 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:22 client1 ovpn-client[4064]: TUN WRITE [52]
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN READ [612]
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_encrypt: key_id=0
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652
Jun 6 14:57:23 client1 ovpn-client[4064]: UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92
Jun 6 14:57:23 client1 ovpn-client[4064]: TLS: tls_pre_decrypt, key_id=0, IP=xxx.xxx.xxx.xxx:1194
Jun 6 14:57:23 client1 ovpn-client[4064]: TUN WRITE [52]
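
Added example, not part of the thread and not OpenVPN code: the OpenVPN manual describes --ping n as sending a ping only when no packets have been sent for n seconds, and --ping-restart n as restarting only when no ping or other packet has been received for n seconds. The helper below measures those idle gaps in a verb 7 log of the format posted above; the function names and both sample logs are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample data in the format of the verb 7 client syslog posted above.
W = "UDPv4 WRITE [653] to xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=652"
R = "UDPv4 READ [93] from xxx.xxx.xxx.xxx:1194: P_DATA_V1 kid=0 DATA len=92"
PREFIX = "Jun 6 14:57:{:02d} client1 ovpn-client[4064]: "

def make_log(events):
    """Build constructed log text from (second, packet_line) pairs."""
    return "\n".join(PREFIX.format(sec) + pkt for sec, pkt in events)

BUSY_LINK = make_log([(s, p) for s in range(19, 24) for p in (W, R)])
QUIET_LINK = make_log([(19, W), (19, R), (22, W), (31, R)])

# Syslog timestamp, host, process tag, then the transport-level packet event.
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+\S+:\s+UDPv4 (WRITE|READ) ")

def max_idle_gaps(log_text, year=2011):
    """Longest gap in seconds between consecutive sends and consecutive receives."""
    last, gaps = {}, {"WRITE": 0, "READ": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TUN and TLS debug lines carry no transport timing
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        kind = m.group(2)
        if kind in last:
            gaps[kind] = max(gaps[kind], int((ts - last[kind]).total_seconds()))
        last[kind] = ts
    return gaps

def assess(log_text, ping, ping_restart):
    """Compare observed idle gaps with the ping / ping-restart timers."""
    gaps = max_idle_gaps(log_text)
    return {
        "max_send_idle": gaps["WRITE"],
        "max_recv_idle": gaps["READ"],
        "ping_due": gaps["WRITE"] >= ping,           # sender idle long enough to emit a ping
        "restart_due": gaps["READ"] >= ping_restart,  # nothing received for ping-restart seconds
    }

if __name__ == "__main__":
    print(assess(BUSY_LINK, ping=2, ping_restart=10))
    print(assess(QUIET_LINK, ping=2, ping_restart=10))
```

Syslog timestamps have one-second resolution, so the gaps are approximate; a window in which `restart_due` is false while the client still logs an inactivity restart points away from the link and towards the timer configuration or the OpenVPN version.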

Re: Help Need, keepalive pings not working

Posted: Mon Jun 06, 2011 3:20 pm
by janjust
you're not seeing any PING messages being sent ?!?!?!? is this with openvpn 2.1 or still the old 2.0 ? I just verified for myself that this works on 2.1.4 and higher.

Re: Help Need, keepalive pings not working

Posted: Tue Jun 07, 2011 2:27 am
by Bebop
bluestu wrote:sorry for the spell check on my iPhone, I can usually spell OK
The word 'pong' came up a few times.. I was thinking what the :?

Sorry I couldn't help out much on this problem. I thought Keep-alive were just regular ICMP pings. Now I researched some more and found out you were correct, they are not. Thank you for the pointer. And thank you to Janjust for stepping in. Best of luck to getting this solved.