Occasionally the clients' connection to the Internet is down, but then it's understandable that we can't reach them. On most occasions, however, I'm able to modem in to the client and get the connection going by pinging through the tunnel to our OpenVPN server. That is, ping 10.230.0.1, leave it for a minute, and more often than not, the tunnel will come up within a minute even though it failed to do so by itself in the previous hours.
These clients can't negotiate the tunnel unless a ping is issued and left running for a minute. I often see the same clients on my "VPN down" list.
What is the best way to bring these clients up when were getting "TLS Error TLS key negotiation failed" in the Openvpn client logs?
listed is the Log file Fragment I'm occasionally receiving, along with the server configuration, and one example of the client configuration that is typical to all 300 Client configurations.
log File Fragment:
Jul 2 11:19:07 Europa openvpn[724]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:19:07 Europa openvpn[724]: TLS Error: TLS handshake failed
Jul 2 11:19:07 Europa openvpn[724]: TCP/UDP: Closing socket
Jul 2 11:19:07 Europa openvpn[724]: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:19:07 Europa openvpn[724]: Restart pause, 2 second(s)
Server configuration:
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/openvpn.crt
key /etc/openvpn/keys/openvpn.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.230.0.0 255.255.0.0
push "route <this IP must be secret> 255.255.255.255"
client-config-dir ccd
route 10.230.0.0 255.255.0.0
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nobody
persist-key
status openvpn-status.log
verb 3
tun-mtu 1400
fragment 1100
mssfix
Typical client configuration:
client
dev tun
proto udp
remote <this is the server IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/270343.crt
key /etc/openvpn/270343.key
ns-cert-type server
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
verb 3
tun-mtu 1400
fragment 1100
mssfix
ping 90
What gives? I hate to run a continuous ping script that runs on everybody all the time when we only occasionally see the "TLS Error" shown in the log file fragment above.
How can I address this problem?
Regards,
johnch
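As an added example (not part of the question, and not OpenVPN's own code), a small Python script that picks out clients stuck in the timeout/restart loop shown in the log fragment: it counts consecutive "TLS key negotiation failed" messages per host and clears the count when an "Initialization Sequence Completed" line shows the tunnel actually came up. The sample log lines and host names are constructed, and the year is an assumed parameter because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog line shape from the posted fragment: "Jul 2 11:19:07 Europa openvpn[724]: <message>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) openvpn\[(\d+)\]: (.*)$")
FAIL_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
UP_MSG = "Initialization Sequence Completed"  # OpenVPN logs this once the tunnel is really up

def parse(line, year=2009):
    """Split one syslog line into (timestamp, host, pid, message); None for other lines.
    Syslog omits the year, so it is an assumed parameter (2009 is only a placeholder)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3)), m.group(4)

def stuck_clients(lines, threshold=3):
    """Hosts whose OpenVPN hit `threshold` or more TLS negotiation timeouts in a row
    without ever logging UP_MSG. Returns {host: (failures, first_failure_ts, last_failure_ts)}."""
    streak = defaultdict(lambda: [0, None, None])  # host -> [count, first ts, last ts]
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, host, _pid, msg = parsed
        if FAIL_RE.search(msg):
            s = streak[host]
            s[0] += 1
            s[1] = s[1] or ts
            s[2] = ts
        elif UP_MSG in msg:
            streak.pop(host, None)  # the tunnel came up, so the streak is over
    return {h: tuple(v) for h, v in streak.items() if v[0] >= threshold}

# Constructed sample: Europa loops through the 60 s timeout + 2 s restart pause three
# times; Callisto fails once and then negotiates successfully.
SAMPLE_LOG = [
    "Jul 2 11:19:07 Europa openvpn[724]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Jul 2 11:19:07 Europa openvpn[724]: SIGUSR1[soft,tls-error] received, process restarting",
    "Jul 2 11:19:07 Europa openvpn[724]: Restart pause, 2 second(s)",
    "Jul 2 11:20:09 Europa openvpn[724]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Jul 2 11:21:11 Europa openvpn[724]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Jul 2 11:19:30 Callisto openvpn[518]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Jul 2 11:20:40 Callisto openvpn[518]: Initialization Sequence Completed",
]

if __name__ == "__main__":
    for host, (n, first, last) in stuck_clients(SAMPLE_LOG).items():
        print(f"{host}: {n} consecutive TLS failures, {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

Run against the real client syslog (or the server's log, since the server logs the same TLS timeouts per peer), the result is the "VPN down" list in one pass instead of being compiled by hand.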