----- Original Message -----
From: "bopolissimus X platypus Jr" <[EMAIL PROTECTED]>
To: "PLUG" <[email protected]>
Sent: Friday, March 10, 2006 9:58 AM
Subject: [plug] openvpn regular restarts


Hi all,

Has anyone seen openvpn regularly restarting its connection?

I have two connections.  On one, I'm the server and a remote connects to
me (from QSR), on the other I'm the server and I connect to a remote (at
work).

Generally, I have "ping 1;ping-restart 10". That works for me since the
links are pretty good and if I do a real ping (I know that openvpn does a
UDP "ping" to port 1194, so it's not a *real* ping), I never get 91%
error except when my internet really is down.

On the one where I'm the client connecting to openvpn at work, I see
this:

Yes, we're multi-homed, 3 different remote IPs work

Fri Mar 10 08:35:27 2006 us=205621 Initialization Sequence Completed
Fri Mar 10 08:45:06 2006 us=555648 TLS Error: local/remote TLS keys are
out of sync: 203.x.x.x:1194 [0]
<snip>
Fri Mar 10 08:45:26 2006 us=507563 Initialization Sequence Completed
Fri Mar 10 08:55:06 2006 us=46132 TLS Error: local/remote TLS keys are
out of sync: 202.x.x.x:1194 [0]
<snip>
Fri Mar 10 08:55:26 2006 us=542646 Initialization Sequence Completed
Fri Mar 10 09:05:15 2006 us=782523 [server] Inactivity timeout
(--ping-restart), restarting
Fri Mar 10 09:05:15 2006 us=783062 TCP/UDP: Closing socket
Fri Mar 10 09:05:15 2006 us=783122 SIGUSR1[soft,ping-restart] received,
process restarting
<snip>
Fri Mar 10 09:05:44 2006 us=912327 Initialization Sequence Completed
Fri Mar 10 09:15:05 2006 us=813502 TLS Error: local/remote TLS keys are
out of sync: 202.x.x.x:1194 [0]
<snip>
Fri Mar 10 09:15:26 2006 us=661194 Initialization Sequence Completed
<<<<<<<<<<<<<

If you notice, the link is going down every 10 minutes or so.  The
regularity is *freaky*.  I sometimes see it going down every 20 minutes
instead, or 10, then 20, then 10, then 10, then 20, etc.  But it's still
freaky.

Now, those remote IPs are not connected to my ISP, I think they're
Meridian, PLDT, Digitel.  The remote server is Linux (debian, I think).

Now, for the other connection, where the remote (at QSR) connects to me:


Fri Mar 10 08:37:44 2006 Initialization Sequence Completed
Fri Mar 10 08:39:46 2006 [server] Inactivity timeout (--ping-restart),
restartin
Fri Mar 10 08:39:46 2006 TCP/UDP: Closing socket
Fri Mar 10 08:39:46 2006 SIGUSR1[soft,ping-restart] received, process
restarting
Fri Mar 10 08:39:46 2006 Restart pause, 2 second(s)


Fri Mar 10 08:40:13 2006 Initialization Sequence Completed
Fri Mar 10 08:44:48 2006 [server] Inactivity timeout (--ping-restart),
restartin
Fri Mar 10 08:44:49 2006 TCP/UDP: Closing socket
<snip>

Fri Mar 10 08:45:07 2006 Initialization Sequence Completed
Fri Mar 10 09:19:47 2006 [server] Inactivity timeout (--ping-restart),
restartin
Fri Mar 10 09:19:48 2006 TCP/UDP: Closing socket

<snip>
Fri Mar 10 09:20:03 2006 Initialization Sequence Completed
Fri Mar 10 09:24:46 2006 [server] Inactivity timeout (--ping-restart),
restartin
Fri Mar 10 09:24:46 2006 TCP/UDP: Closing socket
<snip>
Fri Mar 10 09:24:52 2006 Initialization Sequence Completed
<<<<<<<<<<<<<

So I've still got the restarts.  This other openvpn connection is on the
same ISP as I am, so it's surprising that the restarts are less stable
and often closer together than the 10-20 minute restarts with different
ISPs.

Since my computer is an endpoint for both, it *could* be something
running on my computer.  I don't see anything that might be doing that
in crontab though.  Nor do I see anything at the remotes.

Has anyone seen this? The connection restarts sometimes with just
Inactivity timeout (I use "ping 1;ping-restart 10").  But sometimes I
get TLS key out of sync errors and from what I've read online, that
happens when either the server or the client kills the connection.
Since I'm monitoring the TLS key out of sync on the client, I think that
means the server is killing the connection (perhaps because of keepalive
1 60 noticing that the link went down).  But generally, when I do a real
ping, I just don't see that kind of timeout happening (where not a
single ping gets through and comes back after 60 seconds or so, or even
after 20 seconds).

hi tiger,

even though i have no experience with openvpn... james yonan explained it very well here http://openvpn.net/archive/openvpn-users/2004-12/msg00022.html .... just let me know if you want me to further expand or explain what james was talking about :->

to add further to his explanation.. try to check the line quality of your link... since you are using udp instead of tcp... udp is very sensitive (packet drops) to crc errors, checksum errors, congestions and others which leads to out of sync with your tls keys due to packet loss which leads again to renegotiation of client-server keys...

fooler.


_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
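
Added example, not part of either message in the thread: a small Python script that measures the pattern described in the original post by pairing each "Initialization Sequence Completed" line with the next drop, then reporting the cause, how long the tunnel stayed up, and the gap between consecutive drops. The sample log is constructed from the client-side excerpt quoted above (wrapped lines rejoined); the function and constant names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample modeled on the client-side excerpt quoted in the thread
# (e-mail line wraps rejoined, <snip> sections left out).
SAMPLE_LOG = """\
Fri Mar 10 08:35:27 2006 us=205621 Initialization Sequence Completed
Fri Mar 10 08:45:06 2006 us=555648 TLS Error: local/remote TLS keys are out of sync: 203.x.x.x:1194 [0]
Fri Mar 10 08:45:26 2006 us=507563 Initialization Sequence Completed
Fri Mar 10 08:55:06 2006 us=46132 TLS Error: local/remote TLS keys are out of sync: 202.x.x.x:1194 [0]
Fri Mar 10 08:55:26 2006 us=542646 Initialization Sequence Completed
Fri Mar 10 09:05:15 2006 us=782523 [server] Inactivity timeout (--ping-restart), restarting
Fri Mar 10 09:05:44 2006 us=912327 Initialization Sequence Completed
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
# Timestamp, optional "us=<microseconds>" field, then the message text.
LINE_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})(?: us=\d+)? (.*)$")
UP_MARKER = "Initialization Sequence Completed"
DROP_MARKERS = (
    ("TLS keys are out of sync", "tls-out-of-sync"),
    ("Inactivity timeout", "ping-restart"),
)

def find_drops(log_text):
    """Return [(drop_time, cause, seconds_up)] for every session that ended."""
    drops, up_since = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, <snip>, or a wrapped continuation
        ts, msg = datetime.strptime(m.group(1), TS_FORMAT), m.group(2)
        if UP_MARKER in msg:
            up_since = ts
        elif up_since is not None:
            for needle, cause in DROP_MARKERS:
                if needle in msg:
                    drops.append((ts, cause, int((ts - up_since).total_seconds())))
                    up_since = None  # ignore repeats until the tunnel is back up
                    break
    return drops

def drop_gaps(drops):
    """Seconds between consecutive drops; the regularity shows up as near-equal gaps."""
    times = [ts for ts, _, _ in drops]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    drops = find_drops(SAMPLE_LOG)
    for ts, cause, up in drops:
        print(f"{ts:%H:%M:%S}  {cause:<16} up for {up:>4}s")
    print("gaps between drops (s):", drop_gaps(drops))
```

Running the same functions over the logs from both endpoints makes it easy to compare whether drops on the two tunnels line up in time.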
