OpenVPN on 951G-2HnD disconnects clients every hour (v6.19).

I have a problem with the OVPN server on a 951G-2HnD, v6.19. The server disconnects all of the clients after 1 hour of work.
I’ve tested clients on windows (v2.3.3 of openvpn client) and on linux (v2.3.4 of openvpn client).
Configuration of clients:

remote address port
dev tap
proto tcp-client
tls-client
ca ca.crt
auth-user-pass
pull
nobind
persist-key
resolv-retry infinite
script-security 2 system
auth-nocache
auth-user-pass auth.cfg
ping 10
remote-cert-tls server
verb 9
log-append openvpn-client.log
route-method exe
route-delay 2
redirect-gateway def1

OpenVPN settings on RouterBoard:

[admin@tik] > /ppp profile print where name="ovpn"
Flags: * - default
 0   name="ovpn" local-address=10.10.10.1 remote-address=ovpn_pool use-mpls=default use-compression=default
     use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=default
     address-list=""
[admin@tik] > /interface ovpn-server server print
                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 24
                 mac-address: FE:05:DF:70:59:A7
                     max-mtu: 1500
           keepalive-timeout: disabled
             default-profile: ovpn
                 certificate: cert_1
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256
[admin@tik] > /ppp active print
Flags: R - radius
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING
 0   u2           ovpn    x.x.x.x     10.10.10.10     45m36s   BF-128-CBC/SHA1
 1   cbtruck      ovpn    y.y.y.y     10.10.10.12     3m50s    BF-128-CBC/SHA1

Hi!
Check Limits settings (Session Timeout) in PPP Profile.
http://gyazo.com/1cebd4a249cc0aaac6ef3fdb88d4bb2c

Regards,
Vitaly

Hi,
Thanks for your reply, but I've already tried to use this option and it doesn't work with my RouterBoard :frowning:

For example, I set the parameter Session Timeout = 2 minutes:

[admin@tik] > /ppp profile print where name="ovpn"
Flags: * - default
 0   name="ovpn" local-address=10.10.10.1 remote-address=ovpn_pool session-timeout=2m use-mpls=default
     use-compression=default use-vj-compression=default use-encryption=default only-one=default
     change-tcp-mss=yes address-list=""

And I get a disconnect after 2 minutes (and the message "terminating... - connect time expired"):

10:02:17 ovpn,info,account u2 logged in, 10.10.10.10
10:02:17 ovpn,info <ovpn-u2>: connected
10:04:17 ovpn,info <ovpn-u2>: terminating... - connect time expired
10:04:18 ovpn,info,account u2 logged out, 121 34148 26622 157 118
10:04:18 ovpn,info <ovpn-u2>: disconnected

But when I changed it to 1 hour 20 minutes, I got the disconnect from MikroTik after 1 hour:

[admin@tik] > /ppp profile print where name="ovpn"
Flags: * - default
 0   name="ovpn" local-address=10.10.10.1 remote-address=ovpn_pool session-timeout=1h20m use-mpls=default
     use-compression=default use-vj-compression=default use-encryption=default only-one=default
     change-tcp-mss=yes address-list=""

Log (message "terminating... - internal error"):

12:27:04 ovpn,info,account u2 logged in, 10.10.10.10
12:27:04 ovpn,info <ovpn-u2>: connected
13:28:05 ovpn,info <ovpn-u2>: terminating... - internal error
13:28:06 ovpn,info,account u2 logged out, 3661 299352 307587 3041 2703
13:28:06 ovpn,info <ovpn-u2>: disconnected

What am I doing wrong?

Guys, any ideas?
Maybe I have to provide more information?
I need help with this trouble.

Do you use DHCP?
What is the lease time of the DHCP?

I use DHCP only for the internal network, not for OVPN.
Lease time is set to 3 days:

I just remember one case where I lost a connection because a firewall dropped the DHCP traffic.
Therefore I just wondered if you have some DHCP traffic.

And have you tried to use another time value, like 1h20m = 80m?

Ok,
I will try setting the time limit like 80m.

It's impossible to use a format like 80m.
Only one such as dd hh:mm:ss. :frowning:

Okay,
like
have you tried 01:20:00?

Yes,
in WinBox or WebFig it can only use a format like 01:20:00.

And when you print the settings from the CLI, the syntax has changed to 1h20m??? Or...
Have you tried to enter the 01:20:00 syntax into the CLI?

Maybe the error has something to do with the time syntax.

The syntax like 1h20m is what is displayed in the terminal command line.

Please enable ovpn debug logs, wait until the client disconnects, generate a supout file and send it to support[at]mikrotik.com

Thanks a lot for your reply,
I've sent the support file via email.

yeah. aside from checking logs, it would be important to sniff/dump traffic both on the client computers and on MikroTik itself to capture the moment when it happens.
in some ISPs it's misconfigured (sometimes on purpose, but usually due to HRM issues) networking gear.
you find "packet sniffer" under the "tools" portion of RouterOS. due to the predictable size of a dump for a one-hour session, you would have to stream it somewhere outside MikroTik.

Add the option under...

--reneg-sec 0

======================

--reneg-sec n : Renegotiate data chan. key after n seconds (default=3600).

Thanks a lot, shed!
The problem was solved. I added this option on the clients' side and it helped me.
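The two log excerpts posted earlier (the 2-minute session-timeout drop and the 1-hour "internal error" drop), the discussion of RouterOS duration syntax (1h20m vs 01:20:00 vs 80m), and the --reneg-sec explanation come together in the following Python script. It is added here as an example and is not part of the thread, of RouterOS or of OpenVPN. It parses both RouterOS duration syntaxes, groups the ovpn log lines into sessions, reads the client's effective reneg-sec, labels each drop, and shows which limit (profile session-timeout or scheduled renegotiation) fires first. Assumptions: the first integer after "logged out," is the session length in seconds (RouterOS PPP accounting), the 120 s tolerance window is a constructed heuristic, and the sample log and client config are copied from the thread.

```python
"""Correlate RouterOS OVPN log lines with the OpenVPN client's
renegotiation interval (--reneg-sec, default 3600 s).

Added example for this thread; not RouterOS or OpenVPN code.
Assumption: the first integer after "logged out," is session seconds.
"""
import re
from datetime import datetime, timedelta

DEFAULT_RENEG_SEC = 3600    # OpenVPN default quoted in the thread
RENEG_TOLERANCE_SEC = 120   # constructed heuristic: drop lands shortly after interval

# Constructed sample input: the client config from the thread (no reneg-sec set).
CLIENT_CONFIG = """\
remote address port
dev tap
proto tcp-client
tls-client
ca ca.crt
auth-user-pass auth.cfg
ping 10
remote-cert-tls server
redirect-gateway def1
"""

# Constructed sample input: the two sessions pasted in the thread.
SAMPLE_LOG = """\
10:02:17 ovpn,info,account u2 logged in, 10.10.10.10
10:02:17 ovpn,info <ovpn-u2>: connected
10:04:17 ovpn,info <ovpn-u2>: terminating... - connect time expired
10:04:18 ovpn,info,account u2 logged out, 121 34148 26622 157 118
10:04:18 ovpn,info <ovpn-u2>: disconnected
12:27:04 ovpn,info,account u2 logged in, 10.10.10.10
12:27:04 ovpn,info <ovpn-u2>: connected
13:28:05 ovpn,info <ovpn-u2>: terminating... - internal error
13:28:06 ovpn,info,account u2 logged out, 3661 299352 307587 3041 2703
13:28:06 ovpn,info <ovpn-u2>: disconnected
"""

_DURATION_CLI_RE = re.compile(r"(\d+)([wdhms])")
_DURATION_CLOCK_RE = re.compile(r"^(?:(\d+)d?\s+)?(\d+):(\d\d):(\d\d)$")
_UNIT_SEC = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def routeros_duration_to_seconds(text):
    """Parse the CLI form ('1h20m', '2m', '80m') and the WinBox/WebFig form
    ('01:20:00', optionally with a leading day count, assumed '1d 01:20:00')."""
    text = text.strip()
    m = _DURATION_CLOCK_RE.match(text)
    if m:
        days, h, mins, s = (int(x or 0) for x in m.groups())
        return days * 86400 + h * 3600 + mins * 60 + s
    parts = _DURATION_CLI_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError("unrecognised RouterOS duration: %r" % text)
    return sum(int(n) * _UNIT_SEC[u] for n, u in parts)


def effective_reneg_sec(config_text):
    """Last 'reneg-sec N' (or '--reneg-sec N') wins; otherwise OpenVPN's default."""
    value = DEFAULT_RENEG_SEC
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].lstrip("-") == "reneg-sec":
            value = int(fields[1])
    return value


_LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) ovpn,info(?:,account)? "
    r"(?:<ovpn-(?P<iface>[^>]+)>: (?P<event>connected|disconnected|"
    r"terminating\.\.\. - (?P<reason>.+))"
    r"|(?P<user>\S+) logged (?P<dir>in|out), (?P<rest>.+))$"
)


def parse_sessions(log_text):
    """Group <ovpn-USER> lines into sessions with duration, reason and accounting seconds."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group("time"), "%H:%M:%S")
        if m.group("iface"):
            user = m.group("iface")
            if m.group("event") == "connected":
                open_sessions[user] = {"user": user, "start": t, "reason": None, "acct_seconds": None}
            elif user in open_sessions:
                s = open_sessions[user]
                if m.group("reason"):
                    s["reason"] = m.group("reason")
                else:  # "disconnected" closes the session
                    delta = t - s["start"]
                    if delta < timedelta(0):  # log crossed midnight
                        delta += timedelta(days=1)
                    s["duration"] = int(delta.total_seconds())
                    sessions.append(open_sessions.pop(user))
        elif m.group("dir") == "out" and m.group("user") in open_sessions:
            open_sessions[m.group("user")]["acct_seconds"] = int(m.group("rest").split()[0])
    return sessions


def classify(session, reneg_sec=DEFAULT_RENEG_SEC):
    """'session-timeout' when RouterOS reports the profile limit, 'reneg-sec' when an
    'internal error' lands just after the client's renegotiation interval, else 'other'."""
    reason = session.get("reason") or ""
    if reason == "connect time expired":
        return "session-timeout"
    over = session["duration"] - reneg_sec
    if reason == "internal error" and reneg_sec > 0 and 0 <= over <= RENEG_TOLERANCE_SEC:
        return "reneg-sec"
    return "other"


def first_drop(session_timeout, reneg_sec):
    """Which limit is hit first: the profile session-timeout or the scheduled
    renegotiation (reneg_sec 0 means renegotiation is disabled)."""
    timeout = routeros_duration_to_seconds(session_timeout)
    if 0 < reneg_sec < timeout:
        return ("reneg-sec", reneg_sec)
    return ("session-timeout", timeout)


if __name__ == "__main__":
    reneg = effective_reneg_sec(CLIENT_CONFIG)
    for s in parse_sessions(SAMPLE_LOG):
        print(s["user"], s["duration"], s["reason"], classify(s, reneg))
    print(first_drop("1h20m", reneg))
```

Run against the pasted log, the 2-minute session is labelled as the profile timeout and the 61-minute session as a renegotiation-time failure; with a 1h20m profile timeout the client's 3600 s renegotiation comes first, which is exactly the pattern the thread saw. One point to keep in mind about the fix itself: `reneg-sec 0` does not make the server handle renegotiation, it stops the client from asking for one, so a single data-channel key then protects the tunnel for its whole lifetime instead of being rotated hourly.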