sysoict
site-to-site VPN reconnects every couple of minutes
« on: January 30, 2018, 07:15:26 pm »
Hi,

I've a couple of OpenVPN servers running on pfSense. Some of them are of type 'remote access' and two are peer to peer (site-to-site).

The remote access VPNs are very stable. The site-to-site ones are not. On the server side I see that both are reconnecting every couple of minutes. They run a pfSense router as well.
The pfSense routers on the client side show that they are connected for 8+ hours, while on the server side pfSense shows the real 'connected since' value.

The reconnect only takes 1 or 2 seconds, but it's quite annoying since RDP is routed over these tunnels.

One client connects using ADSL (fixed IP) while the other connects over 4G (dynamic IP). Both clients have exactly the same issues.

Any hints?

Client log:
Jan 31 01:18:27 openvpn 14069 UDPv4 link remote: [AF_INET]80.82.72.17:1194
Jan 31 01:18:29 openvpn 14069 Peer Connection Initiated with [AF_INET]80.82.72.17:1194
Jan 31 01:18:30 openvpn 14069 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 31 01:18:30 openvpn 14069 Initialization Sequence Completed
Jan 31 01:18:31 openvpn 14069 PID_ERR replay-window backtrack occurred [1] [STATIC-0] [0_000000000000000000000000000111122__________] 1517357843:45 1517357843:44 t=1517357911[0] r=[-2,64,15,1,1] sl=[19,45,64,528]
Jan 31 01:18:31 openvpn 14069 PID_ERR replay-window backtrack occurred [2] [STATIC-0] [0__00000_0000000000000000000000000000000000000000000000000000000] 1517357843:83 1517357843:81 t=1517357911[0] r=[-2,64,15,2,1] sl=[45,64,64,528]
Jan 31 01:18:31 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 31 01:18:31 openvpn 14069 MANAGEMENT: CMD 'state 1'
Jan 31 01:18:31 openvpn 14069 MANAGEMENT: CMD 'status 2'
Jan 31 01:18:31 openvpn 14069 MANAGEMENT: Client disconnected
Jan 31 01:18:32 openvpn 14069 PID_ERR replay-window backtrack occurred [3] [STATIC-0] [0___000000000000000000000000000000000000000000000000000000000000] 1517357843:684 1517357843:681 t=1517357912[0] r=[-3,64,15,3,1] sl=[20,64,64,528]
Jan 31 01:50:55 openvpn 14069 PID_ERR replay-window backtrack occurred [4] [STATIC-0] [0____00000000000000000000000000000000000000000000000_00000000000] 1517360089:183 1517360089:179 t=1517359855[0] r=[-2,64,15,4,1] sl=[9,64,64,528]
Jan 31 02:04:24 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 31 02:04:24 openvpn 14069 MANAGEMENT: CMD 'state 1'
Jan 31 02:04:24 openvpn 14069 MANAGEMENT: CMD 'status 2'
Jan 31 02:04:24 openvpn 14069 MANAGEMENT: Client disconnected
Jan 31 02:11:39 openvpn 14069 MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Jan 31 02:11:39 openvpn 14069 MANAGEMENT: CMD 'state 1'
Jan 31 02:11:39 openvpn 14069 MANAGEMENT: CMD 'status 2'
Jan 31 02:11:39 openvpn 14069 MANAGEMENT: Client disconnected

Server side:
Jan 31 01:41:22 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
Jan 31 01:41:22 openvpn 99595 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:41:22 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616
Jan 31 01:41:22 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 31 01:41:22 openvpn 73548 Re-using pre-shared static key
Jan 31 01:41:22 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3
Jan 31 01:41:22 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
Jan 31 01:41:22 openvpn 73548 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:41:23 openvpn 99595 Initialization Sequence Completed
Jan 31 01:41:25 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000111111111111111111111111] 1517357907:8568 1517357907:8561 t=1517359522[237] r=[234,64,15,7,1] sl=[24,64,64,528]
Jan 31 01:41:29 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558
Jan 31 01:41:29 openvpn 73548 Initialization Sequence Completed
Jan 31 01:41:32 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:41:32 openvpn 99595 MANAGEMENT: CMD 'state 1'
Jan 31 01:41:32 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:41:32 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:41:32 openvpn 73548 WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
Jan 31 01:41:59 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:41:59 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:41:59 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:41:59 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:43:02 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:43:02 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:43:03 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:43:03 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:44:05 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:44:05 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:44:06 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:44:06 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:45:08 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:45:09 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:45:09 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:45:09 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:46:11 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:46:12 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:46:12 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:46:12 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:47:14 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:47:15 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:47:15 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:47:15 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:48:18 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:48:18 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:48:18 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:48:18 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:49:21 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:49:21 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:49:21 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:49:21 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:50:47 openvpn 99595 Inactivity timeout (--ping-restart), restarting
Jan 31 01:50:47 openvpn 99595 TCP/UDP: Closing socket
Jan 31 01:50:47 openvpn 99595 SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 01:50:47 openvpn 99595 Restart pause, 5 second(s)
Jan 31 01:50:48 openvpn 73548 Inactivity timeout (--ping-restart), restarting
Jan 31 01:50:48 openvpn 73548 SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 01:49:53 openvpn 99595 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 31 01:49:53 openvpn 99595 Re-using pre-shared static key
Jan 31 01:49:53 openvpn 99595 Preserving previous TUN/TAP instance: ovpns5
Jan 31 01:49:53 openvpn 99595 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
Jan 31 01:49:53 openvpn 99595 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 31 01:49:53 openvpn 99595 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 31 01:49:53 openvpn 99595 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jan 31 01:49:53 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
Jan 31 01:49:53 openvpn 99595 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:49:53 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616
Jan 31 01:49:54 openvpn 99595 Initialization Sequence Completed
Jan 31 01:49:54 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 31 01:49:54 openvpn 73548 Re-using pre-shared static key
Jan 31 01:49:54 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3
Jan 31 01:49:54 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
Jan 31 01:49:54 openvpn 73548 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:49:55 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558
Jan 31 01:49:55 openvpn 73548 Initialization Sequence Completed
Jan 31 01:49:55 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000000] 1517357907:11050 1517357907:11043 t=1517360091[296] r=[294,64,15,7,1] sl=[13,64,64,528]
Jan 31 01:49:55 openvpn 99595 PID_ERR replay-window backtrack occurred [8] [STATIC-0] [000000_0_0000000000000000000000000000000000000000000000000000000] 1517357907:11203 1517357907:11195 t=1517360091[296] r=[294,64,15,8,1] sl=[52,64,64,528]
Jan 31 01:50:04 openvpn 73548 WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
Jan 31 01:50:24 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:50:24 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:50:24 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:50:24 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:51:27 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:51:27 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:51:27 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:51:27 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:52:30 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:52:30 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:52:30 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:52:30 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:53:33 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:53:33 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:53:34 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:53:34 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:54:36 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:54:37 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:54:37 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:54:37 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:55:39 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:55:40 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:55:40 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:55:40 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:56:43 openvpn 99595 MANAGEMENT: Client connected from /var/etc/openvpn/server5.sock
Jan 31 01:56:43 openvpn 99595 MANAGEMENT: CMD 'status 2'
Jan 31 01:56:43 openvpn 99595 MANAGEMENT: CMD 'quit'
Jan 31 01:56:43 openvpn 99595 MANAGEMENT: Client disconnected
Jan 31 01:58:28 openvpn 73548 Inactivity timeout (--ping-restart), restarting
Jan 31 01:58:28 openvpn 73548 SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 01:58:28 openvpn 99595 Inactivity timeout (--ping-restart), restarting
Jan 31 01:58:28 openvpn 99595 TCP/UDP: Closing socket
Jan 31 01:58:28 openvpn 99595 SIGUSR1[soft,ping-restart] received, process restarting
Jan 31 01:58:28 openvpn 99595 Restart pause, 5 second(s)
Jan 31 01:57:34 openvpn 99595 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 31 01:57:34 openvpn 99595 Re-using pre-shared static key
Jan 31 01:57:34 openvpn 99595 Preserving previous TUN/TAP instance: ovpns5
Jan 31 01:57:34 openvpn 99595 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:396 ET:0 EL:3 ]
Jan 31 01:57:34 openvpn 99595 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.2 10.10.15.1,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 31 01:57:34 openvpn 99595 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto UDPv4,ifconfig 10.10.15.1 10.10.15.2,cipher AES-128-CBC,auth SHA1,keysize 128,secret'
Jan 31 01:57:34 openvpn 99595 Socket Buffers: R=[42080->42080] S=[57344->57344]
Jan 31 01:57:34 openvpn 99595 UDPv4 link local (bound): [AF_INET]80.82.72.17:1194
Jan 31 01:57:34 openvpn 99595 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:57:34 openvpn 73548 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 31 01:57:34 openvpn 73548 Re-using pre-shared static key
Jan 31 01:57:34 openvpn 73548 Preserving previous TUN/TAP instance: ovpns3
Jan 31 01:57:34 openvpn 73548 UDPv4 link local (bound): [AF_INET]80.82.72.17:1562
Jan 31 01:57:34 openvpn 73548 UDPv4 link remote: [AF_UNSPEC]
Jan 31 01:57:36 openvpn 99595 Peer Connection Initiated with [AF_INET]143.179.6.63:8616
Jan 31 01:57:36 openvpn 99595 Initialization Sequence Completed
Jan 31 01:57:37 openvpn 99595 PID_ERR replay-window backtrack occurred [7] [STATIC-0] [0_0_0_0_00000000000000000000000000000000000000000000000000000111] 1517357907:13601 1517357907:13594 t=1517360612[355] r=[354,64,15,7,1] sl=[37,64,64,528]
Jan 31 01:57:43 openvpn 73548 Peer Connection Initiated with [AF_INET]85.149.43.135:63558
Jan 31 01:57:43 openvpn 73548 Initialization Sequence Completed

PID 995595 = client with 4G
PID 73547 = client with ADSL
« Last Edit: January 30, 2018, 07:18:36 pm by sysoict »

sysoict
Re: site-to-site VPN reconnects every couple of minutes
« Reply #1 on: February 02, 2018, 11:15:07 am »
I also see that the 'Connected since' time is ahead of the pfSense time. The time shows correctly for the OpenVPN servers that are set up as 'remote access'.

Does anyone have a clue?
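
Added example, not part of the original posts: a Python script that runs over a subset of the server-side log lines quoted in the first post, measures the time between `--ping-restart` events per OpenVPN process, and flags places where consecutive log timestamps step backwards. The function names and the year (2018, taken from the post dates) are assumptions made for this example.

```python
import re
from datetime import datetime

# Subset of the server-side log lines quoted in the first post, in file order.
SAMPLE = """\
Jan 31 01:41:23 openvpn 99595 Initialization Sequence Completed
Jan 31 01:50:47 openvpn 99595 Inactivity timeout (--ping-restart), restarting
Jan 31 01:50:48 openvpn 73548 Inactivity timeout (--ping-restart), restarting
Jan 31 01:49:53 openvpn 99595 Re-using pre-shared static key
Jan 31 01:49:54 openvpn 99595 Initialization Sequence Completed
Jan 31 01:49:55 openvpn 73548 Initialization Sequence Completed
Jan 31 01:58:28 openvpn 73548 Inactivity timeout (--ping-restart), restarting
Jan 31 01:58:28 openvpn 99595 Inactivity timeout (--ping-restart), restarting
Jan 31 01:57:34 openvpn 99595 Re-using pre-shared static key
Jan 31 01:57:36 openvpn 99595 Initialization Sequence Completed
Jan 31 01:57:43 openvpn 73548 Initialization Sequence Completed
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (\d+) (.*)$")

def parse(text, year=2018):
    """Yield (timestamp, pid, message); syslog lines carry no year, so one is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def analyse(text):
    """Return ({pid: [seconds between ping-restarts]}, [(before, after, seconds_back)])."""
    restarts, backsteps, prev = {}, [], None
    for ts, pid, msg in parse(text):
        # A timestamp earlier than the previous line means the clock moved backwards.
        if prev is not None and ts < prev:
            backsteps.append((prev, ts, int((prev - ts).total_seconds())))
        prev = ts
        if "--ping-restart" in msg:
            restarts.setdefault(pid, []).append(ts)
    intervals = {
        pid: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for pid, times in restarts.items()
    }
    return intervals, backsteps

if __name__ == "__main__":
    intervals, backsteps = analyse(SAMPLE)
    print("seconds between ping-restarts per PID:", intervals)
    for before, after, secs in backsteps:
        print(f"timestamp stepped back {secs}s: {before:%H:%M:%S} -> {after:%H:%M:%S}")
```

On these lines both processes hit `--ping-restart` about 460 seconds apart, and the log timestamp steps back by roughly 55 seconds right after each restart.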