Opened 7 years ago
Closed 7 years ago
#883 closed Bug / Defect (notabug)
server connection leak
| Reported by: | zealot | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.3.4 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
| Cc: | | | |
Description
The client has been stopped for days, but the server is still sending packets to the client.
Config:

```
port 1194
proto udp
dev tun9
ca XXX
cert XXX
key XXX
dh XXX
topology subnet
server 172.28.10.0 255.255.255.0
ifconfig-pool-persist ipp.txt
float
push "topology subnet"
push "route 10.0.0.0 255.0.0.0 net_gateway"
push "route 172.16.0.0 255.240.0.0 net_gateway"
push "route 192.168.0.0 255.255.0.0 net_gateway"
push "route 224.0.0.0 224.0.0.0 net_gateway"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
duplicate-cn
tls-auth tls.key 0
comp-lzo
persist-key
persist-tun
status openvpn-status.log
replay-window 8192
verb 4
mssfix 1400
```

Server log:

```
Wed May 3 18:46:29 2017 us=2559 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:46:29 2017 us=2619 user/client:57594 TLS Error: TLS handshake failed
Wed May 3 18:47:45 2017 us=43050 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:47:45 2017 us=43099 user/client:57594 TLS Error: TLS handshake failed
Wed May 3 18:49:00 2017 us=403452 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:49:00 2017 us=403515 user/client:57594 TLS Error: TLS handshake failed
```

Tcpdump:

```
18:46:44.121138 IP server.openvpn > client.57594: UDP, length 42
18:46:46.289049 IP server.openvpn > client.57594: UDP, length 42
18:46:50.077733 IP server.openvpn > client.57594: UDP, length 42
18:46:58.610614 IP server.openvpn > client.57594: UDP, length 42
18:47:14.461792 IP server.openvpn > client.57594: UDP, length 42
18:48:00.094284 IP server.openvpn > client.57594: UDP, length 42
18:48:02.058499 IP server.openvpn > client.57594: UDP, length 42
18:48:06.308484 IP server.openvpn > client.57594: UDP, length 42
18:48:14.283636 IP server.openvpn > client.57594: UDP, length 42
18:48:30.052212 IP server.openvpn > client.57594: UDP, length 42
18:49:16.006188 IP server.openvpn > client.57594: UDP, length 42
18:49:19.098406 IP server.openvpn > client.57594: UDP, length 42
18:49:24.066512 IP server.openvpn > client.57594: UDP, length 42
```

Packet content:

```
OpenVPN Protocol
  Type: 0x40 [opcode/key_id]
    0100 0... = Opcode: P_CONTROL_HARD_RESET_SERVER_V2 (0x08)
    .... .000 = Key ID: 0
  Session ID: 3110211901374068699
  HMAC: cdcdd7e5fd57d571f6b2bb9689fbe46df473be1e
  Packet-ID: 1
  Net Time: May 3, 2017 18:46:44.000000000 CST
  Message Packet-ID Array Length: 0
  Message Packet-ID: 0
```
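The packet dissection in the description can be reproduced with a small decoder. The following is an added example, not code from the ticket or from the OpenVPN project: it constructs a 42-byte packet from the values quoted in the dissection (the CST timestamp is read as UTC+8, which is an assumption) and splits it back into the tls-auth header fields, so the opcode/key-ID split of the `0x40` byte and the rest of the header can be checked by hand. The remote-session-id field after a non-empty ack array, and the absence of a message packet-id on `P_ACK_V1`, are assumptions about the wire format rather than facts shown on this page.

```python
"""Decode the tls-auth control-packet header the ticket's tcpdump shows the
server retransmitting (a 42-byte P_CONTROL_HARD_RESET_SERVER_V2).

Added example, not OpenVPN project code.  The field layout follows the
dissection quoted in the ticket.
"""
import struct
from datetime import datetime, timezone

# Control-channel opcodes (top 5 bits of the first byte).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1",
    2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1",
    4: "P_CONTROL_V1",
    5: "P_ACK_V1",
    6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}
P_ACK_V1 = 5
HMAC_LEN = 20  # tls-auth with the default SHA1 digest, as in the ticket's dump


def decode_control_header(pkt: bytes) -> dict:
    """Split a tls-auth control packet into its header fields."""
    fixed = 1 + 8 + HMAC_LEN + 4 + 4 + 1
    if len(pkt) < fixed:
        raise ValueError("packet too short for a tls-auth control header")
    try:
        opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07   # 0x40 -> opcode 8, key id 0
        off = 1
        (session_id,) = struct.unpack_from(">Q", pkt, off)
        off += 8
        hmac = pkt[off:off + HMAC_LEN].hex()
        off += HMAC_LEN
        packet_id, net_time = struct.unpack_from(">II", pkt, off)
        off += 8
        ack_len = pkt[off]
        off += 1
        acks = list(struct.unpack_from(">%dI" % ack_len, pkt, off)) if ack_len else []
        off += 4 * ack_len
        remote_session_id = None
        if ack_len:  # assumption: the remote session id only follows a non-empty ack array
            (remote_session_id,) = struct.unpack_from(">Q", pkt, off)
            off += 8
        message_packet_id = None
        if opcode != P_ACK_V1:  # assumption: a pure ACK carries no message packet-id
            (message_packet_id,) = struct.unpack_from(">I", pkt, off)
            off += 4
    except struct.error as exc:
        raise ValueError("truncated control header") from exc
    return {
        "length": len(pkt),
        "opcode": opcode,
        "opcode_name": OPCODES.get(opcode, "unknown"),
        "key_id": key_id,
        "session_id": session_id,
        "hmac": hmac,
        "packet_id": packet_id,
        "net_time": net_time,
        "net_time_utc": datetime.fromtimestamp(net_time, timezone.utc).isoformat(),
        "acks": acks,
        "remote_session_id": remote_session_id,
        "message_packet_id": message_packet_id,
        "header_bytes": off,
    }


def is_server_hard_reset(pkt: bytes) -> bool:
    """True when the packet is the server-side handshake opener seen in the ticket."""
    return decode_control_header(pkt)["opcode_name"] == "P_CONTROL_HARD_RESET_SERVER_V2"


# Constructed packet reproducing the ticket's dissection.  "18:46:44 CST" is
# taken as UTC+8 (an assumption), i.e. 10:46:44 UTC.
NET_TIME = int(datetime(2017, 5, 3, 10, 46, 44, tzinfo=timezone.utc).timestamp())
SAMPLE_PACKET = (
    bytes([0x40])                                               # opcode 8 << 3 | key_id 0
    + struct.pack(">Q", 3110211901374068699)                    # Session ID
    + bytes.fromhex("cdcdd7e5fd57d571f6b2bb9689fbe46df473be1e")  # HMAC from the ticket
    + struct.pack(">I", 1)                                      # Packet-ID
    + struct.pack(">I", NET_TIME)                               # Net Time
    + bytes([0])                                                # Message Packet-ID Array Length
    + struct.pack(">I", 0)                                      # Message Packet-ID
)

if __name__ == "__main__":
    for name, value in decode_control_header(SAMPLE_PACKET).items():
        print(f"{name:>18}: {value}")
```

The 42-byte length in the tcpdump lines is exactly the fixed header with an empty ack array, which is what a fresh hard reset looks like before the peer has acknowledged anything.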
Change History (3)
comment:1 Changed 7 years ago by dazo

Are you really using OpenVPN v2.3.4? That must be upgraded to at least v2.3.13. Preferably v2.4.1.

Also, try to add `--keepalive` to your configuration. That is how you tell OpenVPN how long a client can be away without responding.

comment:2 Changed 7 years ago

Right - what dazo says. Unless there is a keepalive, *or* the client has told the server (when using --explicit-exit-notify), the server doesn't know the client "has been stopped". As far as the server is concerned, it's just hiding behind a broken router etc. and could be back any minute.

No need to set float in server mode, btw, won't do anything :-)

comment:3 Changed 7 years ago

| Priority: | major → minor |
|---|---|
| Resolution: | → notabug |
| Status: | new → closed |
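The reporter noticed the retry loop only through tcpdump, but the pattern is visible in the server log itself: the same peer fails the TLS handshake every 75 seconds or so. The following added example (not the ticket's or OpenVPN's code) groups `TLS handshake failed` lines by peer and reports endpoints that keep failing, which is a cheap way to spot sessions the server is still waiting on. The sample lines are the ticket's own log; the threshold of three failures is a constructed choice.

```python
"""Flag peers stuck in a handshake-retry loop from OpenVPN server log lines
(verb 4, default timestamp format, as quoted in the ticket).

Added example, not OpenVPN project code.
"""
import re
from collections import defaultdict
from datetime import datetime

# "Wed May 3 18:46:29 2017 us=2619 user/client:57594 TLS Error: TLS handshake failed"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) us=\d+ "
    r"(?P<peer>\S+) TLS Error: (?P<msg>.*)$"
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Sample input copied from the ticket's server log.
SAMPLE_LOG = """\
Wed May 3 18:46:29 2017 us=2559 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:46:29 2017 us=2619 user/client:57594 TLS Error: TLS handshake failed
Wed May 3 18:47:45 2017 us=43050 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:47:45 2017 us=43099 user/client:57594 TLS Error: TLS handshake failed
Wed May 3 18:49:00 2017 us=403452 user/client:57594 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed May 3 18:49:00 2017 us=403515 user/client:57594 TLS Error: TLS handshake failed
"""


def handshake_failures(log_text: str) -> dict:
    """Map each peer (common-name/host:port) to the timestamps of its failed handshakes."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("msg") != "TLS handshake failed":
            continue  # ignore other TLS errors and non-matching lines
        by_peer[m.group("peer")].append(datetime.strptime(m.group("ts"), TIME_FMT))
    return dict(by_peer)


def retry_loops(log_text: str, min_failures: int = 3) -> dict:
    """Report peers with at least `min_failures` failed handshakes and their cadence."""
    report = {}
    for peer, stamps in handshake_failures(log_text).items():
        if len(stamps) < min_failures:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[peer] = {
            "failures": len(stamps),
            "first": stamps[0].isoformat(),
            "last": stamps[-1].isoformat(),
            "mean_interval_s": sum(gaps) / len(gaps),
        }
    return report


if __name__ == "__main__":
    for peer, info in retry_loops(SAMPLE_LOG).items():
        print(f"{peer}: {info['failures']} failed handshakes, "
              f"one every {info['mean_interval_s']:.0f}s ({info['first']} .. {info['last']})")
```

A peer that shows up here for hours is either genuinely unreachable or, as the comments explain, a client that simply went away without `--explicit-exit-notify` on a server that has no `--keepalive` to expire it.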