vmiro
Frequent Visitor
Topic Author
Posts: 80
Joined: Sun Jan 29, 2006 6:53 pm

OpenVPN stuck occasionally

Thu Apr 16, 2020 12:06 pm

Hi,
for the last few months we have been experiencing quite a strange problem with OpenVPN connections on MT at several unrelated companies.
Remote locations (with MT) and users (OpenVPN client for Win) are using OpenVPN to connect to HQ. The problem happens when clients aren't able to connect with OVPN or some of the remote locations become unavailable. Checking a router, I can see a client connection stuck in Active Connection. I tried to delete the stale connection, but after a few seconds the user connection appears in the list with the Uptime continued (after reconnecting it should start from 00:00:00), and the clients are still unable to connect. It is the same with the MT connections on remote locations.
I tried to disable and enable the OVPN Server, and tried a RouterOS upgrade (it happens on 6.42.6, 6.42.7, 6.46.4)... but only a restart of the MT helps. After the incident everything works with no problem for several days, even months.
Routers have between 50 and 130 active OpenVPN connections, depending on the company. Some companies with fewer than 50 OVPN connections haven't experienced this type of problem so far.

I'm not sure what causes this problem, and how to solve it. Any suggestion is appreciated. Thanks.

mIRO
 
vmiro
Frequent Visitor
Topic Author
Posts: 80
Joined: Sun Jan 29, 2006 6:53 pm

Re: OpenVPN stuck occasionally

Tue May 05, 2020 3:05 pm

Hi,
yesterday one of our client routers got stuck again, after 21 days.
The log is full of ovpn and l2tp entries:
May/04/2020 22:48:53 ovpn,info TCP connection established from 95.156.170.96
May/04/2020 22:48:53 ovpn,info TCP connection established from 46.239.53.103
May/04/2020 22:48:53 ovpn,info TCP connection established from 95.156.172.18
May/04/2020 22:48:54 ovpn,info TCP connection established from 109.165.199.171
May/04/2020 22:48:54 ovpn,info TCP connection established from 31.223.135.229
May/04/2020 22:48:54 ovpn,info TCP connection established from 178.77.33.52
May/04/2020 22:48:54 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:54 ovpn,info TCP connection established from 1.1.1.1
May/04/2020 22:48:54 ovpn,info TCP connection established from 1.1.1.2
May/04/2020 22:48:54 ovpn,info TCP connection established from 1.1.1.3
May/04/2020 22:48:54 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:55 ovpn,info TCP connection established from 1.1.1.4
May/04/2020 22:48:55 ovpn,info TCP connection established from 1.1.1.5
May/04/2020 22:48:55 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:56 ovpn,info : using encoding - BF-128-CBC/SHA1
May/04/2020 22:48:56 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:56 ovpn,info TCP connection established from 1.1.1.6
May/04/2020 22:48:56 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:56 ovpn,info : using encoding - BF-128-CBC/SHA1
May/04/2020 22:48:56 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:56 ovpn,info TCP connection established from 1.1.1.7
May/04/2020 22:48:56 ovpn,debug,error duplicate packet, dropping
May/04/2020 22:48:56 ovpn,info TCP connection established from 1.1.1.8
May/04/2020 22:48:56 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:56 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.9
May/04/2020 22:48:57 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.10
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.11
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.12
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.13
May/04/2020 22:48:57 ovpn,info TCP connection established from 1.1.1.14
May/04/2020 22:48:57 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.15
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.16
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.17
May/04/2020 22:48:58 l2tp,info first L2TP UDP packet received from 1.1.1.17
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.18
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.19
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.20
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.21
May/04/2020 22:48:58 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:58 l2tp,ppp,error <1.1.1.17>: user USER01 is already active
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.22
May/04/2020 22:48:58 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:58 l2tp,info first L2TP UDP packet received from 1.1.1.23
May/04/2020 22:48:58 ovpn,info : using encoding - AES-256-CBC/SHA1
May/04/2020 22:48:58 l2tp,ppp,error <1.1.1.23>: user USER02 is already active
May/04/2020 22:48:58 ovpn,info TCP connection established from 1.1.1.24
Real public addresses are mapped to 1.1.1.X addresses for the sake of security.

This problem affected ovpn and l2tp connections, and ipsec as well (the connection is established, but the connections to the remote server experience a lot of lost packets).
I've turned on debug logging for ovpn. Among other non-human-readable data, here is one entry:
May/04/2020 22:57:03 ovpn,debug <1.1.1.1>: disconnected <user USER is already active>
I tried disabling the OVPN and L2TP services and removing the stale VPN connection, like I did before... but a reboot is the only remedy :(

Any thoughts?

mIRO
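
As an added illustration (not code from any poster or from MikroTik), the Python script below buckets log lines in the layout posted above and flags windows in which many distinct peers connect while logins are refused as "already active" or the server reports "too busy". The 10-second window and the threshold of 5 sources are assumptions to tune, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout seen in the posts: "<Mon/DD/YYYY HH:MM:SS> <topics> <message>"
LINE = re.compile(r"^(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SRC = re.compile(r"connection established from ([0-9.]+)")

def classify(topics, msg):
    """Map one log entry to an event name; returns None if not of interest."""
    if "already active" in msg:
        return "already_active"   # login refused: an old session is still held
    if "too busy" in msg:
        return "too_busy"         # server stopped accepting connections
    if topics.startswith("ovpn") and SRC.search(msg):
        return "connect"
    if topics.startswith("ovpn") and "using encoding" in msg:
        return "negotiated"

def bucket(lines, window_s=10):
    """Count events and distinct source IPs per window (window_s divides 60)."""
    out = defaultdict(lambda: {"events": Counter(), "sources": set()})
    for raw in lines:
        m = LINE.match(raw.strip())
        kind = classify(m.group(2), m.group(3)) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m.group(1), "%b/%d/%Y %H:%M:%S")
        key = ts.replace(second=ts.second - ts.second % window_s)
        out[key]["events"][kind] += 1
        if kind == "connect":
            out[key]["sources"].add(SRC.search(m.group(3)).group(1))
    return dict(out)

def reconnect_storms(lines, window_s=10, min_sources=5):
    """Windows where many distinct peers connect and logins are refused."""
    hits = []
    for key, b in sorted(bucket(lines, window_s).items()):
        refused = b["events"]["already_active"] + b["events"]["too_busy"]
        if len(b["sources"]) >= min_sources and refused:
            hits.append((key.strftime("%H:%M:%S"), len(b["sources"]), refused))
    return hits
# Constructed sample (documentation addresses), not taken from the thread.
SAMPLE = [f"May/04/2020 22:48:5{i} ovpn,info TCP connection established "
          f"from 192.0.2.{i}" for i in range(1, 6)] + [
    "May/04/2020 22:48:58 l2tp,ppp,error <192.0.2.5>: user USER01 is already active",
    "May/04/2020 22:49:30 ovpn,info TCP connection established from 192.0.2.6",
    "May/04/2020 22:49:31 ovpn,info : using encoding - AES-256-CBC/SHA1",
]
print(reconnect_storms(SAMPLE))
```

The same parser also accepts the later "connection established from <ip>, port: <n> to WAN_IP" layout that appears further down the thread.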
 
openmisak
just joined
Posts: 2
Joined: Tue May 05, 2020 3:21 pm

Re: OpenVPN stuck occasionally

Tue May 05, 2020 3:29 pm

Hi,
I have no suggestion for you, but I can confirm that with the new version 6.46.6 I am facing the same issue as you. I can see
2020-05-05 14:28:20.548237 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-05-05 14:28:20.550072 TLS Error: TLS handshake failed
in the log file of my OVPN client, and only rebooting the device helps. Now I am unable to connect to the remote router, so I can't send you more information from the log file. I will do it later today to see what happened. I thought that this error was caused by a not fully finished upgrade to the new version, but it seems more like an error in this version of RouterOS. The previous stable version worked fine for months without any issue.
 
patrickmkt
Member Candidate
Posts: 200
Joined: Sat Jul 28, 2012 5:21 pm

Re: OpenVPN stuck occasionally

Mon May 11, 2020 11:18 pm

I have also been having problems with ovpn for a month now, as reported in my other post.

From Win 10 to Mikrotik:
OpenSSL: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
It is to be noted that the certificates, CA and crl are all current and verified as such in terminal mode. I can connect with the same certificates via ikev2.
However, if I uncheck Require Client Certificate on the ovpn server side of the Mikrotik, it will connect. So there is an issue with the certificate checking on the Mikrotik side in the ovpn part.

From mikrotik to mikrotik, I have a TLS failed error:
ovpn-out1: disconnected <TLS failed>
ovpn-out1: terminating... - TLS failed

From iOS to mikrotik:
VERIFY OK (CA)
VERIFY OK (sub CA)
VERIFY OK (server cert)
Client exception in transport_recv_excode: mbed TLS: SSL read error: SSL - A fatal alert message was received from our peer. 
If you have any idea why or how to fix it that will make my day...
 
openmisak
just joined
Posts: 2
Joined: Tue May 05, 2020 3:21 pm

Re: OpenVPN stuck occasionally

Tue May 12, 2020 9:09 am

I downgraded my RB951Ui-2HnD to the stable version 6.46.5 (stable) and OpenVPN started working like a charm, as before the last upgrade. I also noticed that the time for the OpenVPN connection decreased from up to 1 minute to a couple of seconds from iOS and from my MacOS Tunnelblick client. The firmware was also downgraded to the same version. Maybe this could help you to solve this issue for the moment.
 
vmiro
Frequent Visitor
Topic Author
Posts: 80
Joined: Sun Jan 29, 2006 6:53 pm

Re: OpenVPN stuck occasionally

Tue May 12, 2020 9:15 am

I used to have problems with TLS like you do and I had to disable the "Require Client Certificate" option. The problem I have now with OVPN seems like an MT bug. No matter what I do in the configuration, only a reboot helps. Changing to some other VPN protocol is not an option, because I have hundreds of remote locations and clients :(
 
macrokernel
just joined
Posts: 1
Joined: Tue Nov 24, 2020 10:55 am

Re: OpenVPN stuck occasionally

Tue Nov 24, 2020 10:56 am

I am experiencing the same issue with 4.67 stable. OpenVPN hangs once in about a month or two. No new connections can be established. Reboot helps.
 
jaxed7
newbie
Posts: 32
Joined: Wed May 17, 2023 11:15 pm

Re: OpenVPN stuck occasionally

Tue May 30, 2023 2:11 am

Having the same problem on V7.9.1
Still no fix?
 
mukkelek
just joined
Posts: 7
Joined: Sun Feb 28, 2016 2:51 pm

Re: OpenVPN stuck occasionally

Tue May 30, 2023 5:14 pm

Hi!

I'm on 7.9.1. What is this: "recvd P_DATA packet, dropping" and after: "<IP....>: disconnected <bad packet received>" Openvpn error. It is working, but slow, and the error is continuous. But sometimes there is no error (after reconnect manually). UDP.
 
AbyssMoon
just joined
Posts: 4
Joined: Fri Jan 16, 2015 8:36 am

Re: OpenVPN stuck occasionally

Wed Jul 05, 2023 4:45 pm

Having the same problem on V7.8, 7.9, 7.9.1, 7.9.2, 7.10, 7.10.1

At one point, all connections hang up and users can no longer connect. Only this is in the logs.
Jul/05/2023 15:07:52 ovpn,info connection established from 37.19.73.209, port: 45024 to WAN_IP
Jul/05/2023 15:07:53 ovpn,info connection established from 79.139.174.75, port: 1124 to WAN_IP
Jul/05/2023 15:07:54 ovpn,info connection established from 95.64.179.118, port: 61699 to WAN_IP
Jul/05/2023 15:07:57 ovpn,info connection established from 5.227.27.208, port: 5500 to WAN_IP
Jul/05/2023 15:07:58 ovpn,info connection established from 89.23.149.110, port: 49799 to WAN_IP
Jul/05/2023 15:07:58 ovpn,info connection established from 95.64.179.118, port: 44519 to WAN_IP
Jul/05/2023 15:08:00 ovpn,info connection established from 212.193.50.247, port: 43240 to WAN_IP
Jul/05/2023 15:08:00 ovpn,info connection established from 78.184.96.83, port: 59869 to WAN_IP
Jul/05/2023 15:08:00 ovpn,info connection established from 37.204.14.211, port: 63941 to WAN_IP
Jul/05/2023 15:08:03 ovpn,info connection established from 80.77.162.61, port: 53889 to WAN_IP
Jul/05/2023 15:08:08 ovpn,info connection established from 81.88.218.16, port: 62438 to WAN_IP
Usually about 60 ovpn connections are connected.
Usually once a week the ovpn server itself freezes. It can be brought back to its senses only by rebooting the router.
 
AbyssMoon
just joined
Posts: 4
Joined: Fri Jan 16, 2015 8:36 am

Re: OpenVPN stuck occasionally

Thu Jul 27, 2023 10:18 am

Enabled debug, found new messages:
ovpn,debug no more listening for incoming connections: too busy
ovpn,debug listening again for incoming connections
Only a reboot helps.
What way can you think of to solve the problem?
