Hi Jan,

In one of our devices, the inactivity timeout occurs almost 10+ times every day.

Logs:
Line 152186: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: [*.serverurl.com] Inactivity timeout (--ping-restart), restarting
Line 152187: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: /sbin/ip route del 10.48.0.0/14
Line 152188: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: /sbin/ip route del 10.128.0.0/20
Line 152189: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: Closing TUN/TAP interface
Line 152190: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: /sbin/ip addr del dev tun0 10.8.0.6/22
Line 152192: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: /etc/openvpn/update-resolv-conf tun0 1500 1562 10.8.0.6 255.255.252.0 init
Line 152219: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: SIGUSR1[soft,ping-restart] received, process restarting
Line 152220: Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: Restart pause, 5 second(s)
Line 152396: Oct 15 03:34:06 proj1 daemon.warn openvpn[15740]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Line 152397: Oct 15 03:34:06 proj1 daemon.warn openvpn[15740]: WARNING: file '/device/vpn/client.key' is group or others accessible
Line 152398: Oct 15 03:34:06 proj1 daemon.warn openvpn[15740]: WARNING: file '/device/vpn/ta.key' is group or others accessible
Line 152399: Oct 15 03:34:06 proj1 daemon.notice openvpn[15740]: Control Channel Authentication: using '/device/vpn/ta.key' as a OpenVPN static key file
Line 152400: Oct 15 03:34:06 proj1 daemon.notice openvpn[15740]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Line 152401: Oct 15 03:34:06 proj1 daemon.notice openvpn[15740]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Line 152402: Oct 15 03:34:06 proj1 daemon.notice openvpn[15740]: Socket Buffers: R=[87380->131072] S=[16384->131072]
Line 152403: Oct 15 03:34:06 proj1 daemon.notice openvpn[15740]: Attempting to establish TCP connection with [AF_INET]45.170.15.188:443 [nonblock]
Line 152438: Oct 15 03:34:07 proj1 daemon.notice openvpn[15740]: TCP connection established with [AF_INET]45.170.15.188:443
Line 152439: Oct 15 03:34:07 proj1 daemon.notice openvpn[15740]: TCPv4_CLIENT link local: [undef]
Line 152440: Oct 15 03:34:07 proj1 daemon.notice openvpn[15740]: TCPv4_CLIENT link remote: [AF_INET]45.170.15.188:443
Line 152449: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: TLS: Initial packet from [AF_INET]45.170.15.188:443, sid=da9c382c c7288d46
Line 152465: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: VERIFY OK: depth=2, C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Line 152466: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: VERIFY OK: depth=1, C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K
Line 152467: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: Validating certificate key usage
Line 152468: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: ++ Certificate has key usage 00a0, expects 00a0
Line 152469: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: VERIFY KU OK
Line 152470: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: Validating certificate extended key usage
Line 152471: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Line 152472: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: VERIFY EKU OK
Line 152473: Oct 15 03:34:08 proj1 daemon.notice openvpn[15740]: VERIFY OK: depth=0, C=US, ST=California, L=Alameda, O=Company Inc., CN=*.serverurl.com
Line 152609: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Line 152610: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Line 152611: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Line 152612: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Line 152613: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Line 152614: Oct 15 03:34:12 proj1 daemon.notice openvpn[15740]: [*.serverurl.com] Peer Connection Initiated with [AF_INET]45.170.15.188:443
Line 152724: Oct 15 03:34:14 proj1 daemon.notice openvpn[15740]: SENT CONTROL [*.serverurl.com]: 'PUSH_REQUEST' (status=1)
Line 152736: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: PUSH: Received control message: 'PUSH_REPLY,route 10.128.0.0 255.255.240.0,route 10.48.0.0 255.252.0.0,dhcp-option DNS 10.128.0.13,dhcp-option DOMAIN prism,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 20,ifconfig 10.8.0.4 255.255.252.0,peer-id 0'
Line 152737: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: timers and/or timeouts modified
Line 152738: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: --ifconfig/up options modified
Line 152739: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: route options modified
Line 152740: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: route-related options modified
Line 152741: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Line 152742: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: peer-id set
Line 152743: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: OPTIONS IMPORT: adjusting link_mtu to 1562
Line 152744: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=3e:a3:08:ad:e1:22
Line 152745: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: TUN/TAP device tun0 opened
Line 152746: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: TUN/TAP TX queue length set to 100
Line 152747: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Line 152748: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: /sbin/ip link set dev tun0 up mtu 1500
Line 152750: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: /sbin/ip addr add dev tun0 10.8.0.4/22 broadcast 10.8.3.255
Line 152751: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: /etc/openvpn/update-resolv-conf tun0 1500 1562 10.8.0.4 255.255.252.0 init
Line 152775: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: /sbin/ip route add 10.128.0.0/20 via 10.8.0.1
Line 152782: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: /sbin/ip route add 10.48.0.0/14 via 10.8.0.1
Line 152783: Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: Initialization Sequence Completed

Regards,
Johncy.

On Thu, 11 Oct 2018 at 23:59, Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> Hi John,
>
>
> On 11/10/18 03:26, Johncy Bennette wrote:
>
> Thanks Jan. But if it's about network issue or firewall I have a system
> running the same software and connected to the same network and it's working
> properly. The problem system has the issue for about 3 hours and recovered on
> its own.
>
>
> I am running the openvpn version
>
> root@x:~# openvpn --version
>
> OpenVPN 2.3.7 arm-mel-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6]
>
> library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
>
>
>
> looks like an embedded device....
> is the problem still there? next time the connection drops, try logging in
> on the box to check for netstat statistics - are packets being dropped (e.g.
> by the interface).
> also, post the relevant openvpn log snippet during the
> misbehaviour/reconnects.
> As another poster suggested, adding
> reneg-sec 86400
> might "solve" the issue but all it does is make the key renegotiation happen
> less often. This can potentially mask the problem but it also makes your
> connection (slightly) less secure, depending on which cipher you are using.
>
> HTH,
>
> JJK
>
>
>
> On Wed, Oct 10, 2018, 2:25 PM Jan Just Keijser <janj...@nikhef.nl> wrote:
>>
>> Hi,
>>
>> On 09/10/18 20:07, Johncy Bennette wrote:
>> > Hi,
>> > In my Linux system, I am seeing my openvpn restarts many times due to
>> > one of the following reasons
>> > The server configuration has ping 10, ping-restart 10 and same is
>> > pushed to client.
>> >
>> > 1. [*.xxx.com] Inactivity timeout (--ping-restart), restarting
>> >
>> > 2. [UNDEF] Inactivity timeout (--ping-restart), restarting
>> >
>> > 3. Connection reset, restarting [-1]
>> >
>> > One other system is connected to the same network and it's working fine
>> > with no issues.
>>
>> In almost all such cases, the underlying network is the issue. Check for
>> any network errors on the non-VPN traffic, comparing the "working" box
>> to the "non working" box. Check for network cables, IP + routing
>> addresses, firewalling rules, both on the box itself and in the core
>> network.
>>
>> HTH,
>>
>> JJK
>>
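
Added example, not part of the original thread and not OpenVPN project code: a small Python summarizer for log excerpts like the one posted above. It tallies restart reasons by peer label, measures how long each session stayed up, and collects the pushed ping values and the WARNING lines (such as the key-file permission warnings). The SAMPLE lines are constructed in the thread's log format; the function name summarize and the default year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the log format shown in this thread (not the poster's full log).
SAMPLE = """\
Oct 15 03:34:01 proj1 daemon.notice openvpn[15740]: [*.serverurl.com] Inactivity timeout (--ping-restart), restarting
Oct 15 03:34:06 proj1 daemon.warn openvpn[15740]: WARNING: file '/device/vpn/client.key' is group or others accessible
Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 20,peer-id 0'
Oct 15 03:34:15 proj1 daemon.notice openvpn[15740]: Initialization Sequence Completed
Oct 15 03:41:40 proj1 daemon.notice openvpn[15740]: [*.serverurl.com] Inactivity timeout (--ping-restart), restarting
Oct 15 03:42:10 proj1 daemon.notice openvpn[15740]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 15 03:42:40 proj1 daemon.notice openvpn[15740]: Initialization Sequence Completed
Oct 15 05:10:30 proj1 daemon.notice openvpn[15740]: Connection reset, restarting [-1]
"""

# Optional "Line N: " prefix covers excerpts pasted from an editor's search results.
LINE = re.compile(r"^(?:Line \d+: )?(\w{3} +\d+ [\d:]{8}) \S+ \S+ openvpn\[\d+\]: (.*)$")
RESTART = re.compile(r"^(?:\[(?P<peer>[^\]]*)\] )?(?P<why>Inactivity timeout|Connection reset)")

def summarize(text, year=2018):
    """Return restart counts, session uptimes (seconds), warnings and pushed timers."""
    restarts, uptimes, warnings, pushed = Counter(), [], [], {}
    up_since = None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        r = RESTART.match(msg)
        if r:
            # peer label "UNDEF": OpenVPN had not yet learned the peer's certificate name
            restarts[(r.group("why"), r.group("peer") or "-")] += 1
            if up_since is not None:
                uptimes.append(int((ts - up_since).total_seconds()))
                up_since = None
        elif msg == "Initialization Sequence Completed":
            up_since = ts
        elif msg.startswith("WARNING:"):
            warnings.append(msg)
        elif "PUSH_REPLY" in msg:
            pushed = {k: int(v) for k, v in re.findall(r"\b(ping(?:-restart)?) (\d+)", msg)}
    return {"restarts": restarts, "uptimes": uptimes, "warnings": warnings, "pushed": pushed}
```

Running the same function over logs from the working box and the failing box gives a side-by-side count of restart reasons and session lengths for the comparison suggested in the thread.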