Hello,
I have a MikroTik CCR1009-7G-1C (tile) running RouterOS 7.21.2.
I configured OpenVPN server in both UDP and TCP with:
- certificate + username/password (mschap2)
- require-client-certificate=yes
Problem: OpenVPN clients (OpenVPN Connect / OpenVPN GUI) connect successfully but after ~10–15 minutes the tunnel drops.
MikroTik logs show:
- <client-ip>: disconnected <poll error>
- <user>: terminating... - poll error
- user logged out ... from <public-ip>
- <user>: disconnected
Then I see a loop:
error recv'd P_DATA packet, dropping
It looks like the client still believes it is connected, so the client UI does not immediately show the disconnect, but traffic stops.
Only later does the client keepalive detect the issue and reconnect.
If I use another MikroTik router as OpenVPN client, the connection stays stable indefinitely.
OVPN server config
/interface ovpn-server server
0 name="ovpn-UDP" port=1194 mode=ip protocol=udp netmask=24 max-mtu=1500 keepalive-timeout=60
certificate=server.crt_0 require-client-certificate=yes tls-version=any
auth=sha1,md5,sha256 cipher=blowfish128,aes128-cbc,aes256-cbc reneg-sec=3600
redirect-gateway=def1 user-auth-method=mschap2 default-profile=radius-in-client
1 name="ovpn-TCP" port=1194 mode=ip protocol=tcp netmask=24 max-mtu=1500 keepalive-timeout=60
certificate=server.crt_0 require-client-certificate=yes tls-version=any
auth=sha1,md5,sha256 cipher=blowfish128,aes128-cbc,aes256-cbc reneg-sec=3600
redirect-gateway=def1 user-auth-method=mschap2 default-profile=radius-in-client
Client .ovpn
client
dev tun
remote intranet.xxx.com 1194 udp
resolv-retry 3
nobind
remote-cert-tls server
auth-user-pass
auth SHA256
cipher AES-256-CBC
data-ciphers AES-256-CBC
verb 2
pull
persist-key
persist-tun
<ca>
xxx
</ca>
<cert>
xxx
</cert>
<key>
xxx
</key>
PPP profile
name="radius-in-client" local-address=10.0.31.254 bridge-learning=default use-ipv6=no use-mpls=no use-compression=yes use-encryption=yes only-one=no
change-tcp-mss=yes use-upnp=no address-list="" dns-server=10.39.224.1,10.39.224.2 on-up="" on-down=""
Firewall has an input accept rule for TCP/UDP 1194.
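To check whether the drops really cluster at a fixed interval after login, the following added script (not part of the post, not MikroTik code) pairs "logged in" / "logged out" log lines per user and tags a session as a poll-error drop when a "terminating... - poll error" line precedes the logout. The log sample and its timestamp layout are constructed, modelled on the redacted lines quoted above; adjust the regexes to the exact format of the real RouterOS log export.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the redacted lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
2024-01-01 10:00:02 ovpn,info alice logged in, 10.0.31.10 from 198.51.100.7
2024-01-01 10:00:05 ovpn,info bob logged in, 10.0.31.11 from 198.51.100.9
2024-01-01 10:12:41 ovpn,info 198.51.100.7: disconnected <poll error>
2024-01-01 10:12:41 ovpn,info alice: terminating... - poll error
2024-01-01 10:12:41 ovpn,info alice logged out, 10.0.31.10 from 198.51.100.7
2024-01-01 10:12:41 ovpn,info alice: disconnected
2024-01-01 10:12:41 ovpn,info 198.51.100.7: error recv'd P_DATA packet, dropping
2024-01-01 10:12:52 ovpn,info alice logged in, 10.0.31.10 from 198.51.100.7
2024-01-01 10:26:03 ovpn,info alice: terminating... - poll error
2024-01-01 10:26:03 ovpn,info alice logged out, 10.0.31.10 from 198.51.100.7
2024-01-01 11:00:05 ovpn,info bob logged out, 10.0.31.11 from 198.51.100.9
"""

LINE = re.compile(r"^(\S+ \S+) ovpn,\w+ (.*)$")          # timestamp, topic, message
LOGIN = re.compile(r"^(\S+) logged in, \S+ from \S+$")
LOGOUT = re.compile(r"^(\S+) logged out, \S+ from \S+$")
POLL = re.compile(r"^(\S+): terminating\.\.\. - poll error$")


def session_report(log_text):
    """Return [(user, duration_seconds, reason)] for each completed session, in log order."""
    open_sessions = {}   # user -> login timestamp
    poll_errors = set()  # users whose current teardown was preceded by a poll error
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unrelated line (or a different log format)
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if (lm := LOGIN.match(msg)):
            open_sessions[lm.group(1)] = ts
        elif (pm := POLL.match(msg)):
            poll_errors.add(pm.group(1))
        elif (om := LOGOUT.match(msg)):
            user = om.group(1)
            start = open_sessions.pop(user, None)
            if start is None:
                continue  # logout without a matching login in this window
            reason = "poll error" if user in poll_errors else "normal"
            poll_errors.discard(user)
            sessions.append((user, int((ts - start).total_seconds()), reason))
    return sessions


def poll_error_drops(sessions, window_seconds=900):
    """(user, seconds) for poll-error drops within window_seconds (default 15 min) of login."""
    return [(u, d) for u, d, r in sessions if r == "poll error" and d <= window_seconds]
```

Feed it the output of `/log print` filtered on the ovpn topic; if every poll-error drop lands at roughly the same session age while the MikroTik-to-MikroTik client never appears, the pattern points at the client side rather than at the server keepalive.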