From: Darren S. <dar...@se...> - 2005-03-29 00:47:07
We're trying to figure out one particular OpenVPN tunnel we have with a remote site. The OpenVPN server on our end is running 1.5.0 on a Linux 2.4 kernel and maintains two other tunnels without a hitch. The problem tunnel terminates on a Windows 2003 Server running OpenVPN 2.0, and this is done through a port forward (udp/5001) on a WatchGuard firewall. The problem with this tunnel is very sporadic connectivity to the Windows server: sometimes ECONNREFUSED, sometimes HMAC authentication failures, sometimes a good tunnel setup with the ability to ping the remote tunnel endpoint, followed by ECONNREFUSED when another protocol is attempted (RDP, SMB file transfer, etc.).

Our command invocation locally is:

openvpn --remote xx.35.140.34 --ifconfig 10.124.0.2 10.124.0.1 \
    --secret static.key --proto udp --port 5001 --dev tun --mtu-test

This situation reeks of MTU problems to me, so I gave it a go with the --mtu-test option on our end. The issues are so sporadic I don't know whether to take the results of the test as definitive in saying that the issue is MTU. Error sets 1, 2, and 3 below show various errors and MTU mismatches that occur when launching this test from our end. Error set 4 shows no real errors, and this situation occurs about 5 times out of 10. Even when this situation works, the tunnel won't stay functional for more than a few hours.

We've investigated latency issues with the remote site and we see a pretty consistent RTT with ICMP of ~170ms with ~1% packet loss. I can't imagine that this would have an impact on the tunnel reliability. So again I'm back to MTU.

Given the problems we're having, are we safe assuming MTU issues? Should we suspect specifically issues on the remote end as causing these issues? And which MTU-related settings in OpenVPN should we use for our configuration to solve these? If not MTU-related, should we suspect something specific to Windows 2003 Server?
Thanks in advance,
DS

----------------Error set 1--------------------------------------------
Mon Mar 28 16:02:06 2005 0: OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Jan 4 2005
Mon Mar 28 16:02:06 2005 1: TUN/TAP device tun0 opened
Mon Mar 28 16:02:06 2005 2: /sbin/ifconfig tun0 10.124.0.2 pointopoint 10.124.0.1 mtu 1256
Mon Mar 28 16:02:06 2005 3: UDPv4 link local (bound): [undef]:5001
Mon Mar 28 16:02:06 2005 4: UDPv4 link remote: xx.35.140.34:5001
Mon Mar 28 16:02:16 2005 5: Peer Connection Initiated with xx.35.140.34:5001
Mon Mar 28 16:02:18 2005 6: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Mon Mar 28 16:04:41 2005 7: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:04:46 2005 8: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:04:52 2005 9: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:05:00 2005 10: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:02 2005 11: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:05:05 2005 12: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:11 2005 13: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:13 2005 14: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:05:18 2005 15: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1300,1300] remote->local=[1308,1300]
Mon Mar 28 16:05:18 2005 16: NOTE: This connection is unable to accomodate a UDP packet size of 1300. Consider using --fragment or --mssfix options as a workaround.
Mon Mar 28 16:05:21 2005 17: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:28 2005 18: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:05:31 2005 19: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:39 2005 20: select : Interrupted system call (code=4)
Mon Mar 28 16:05:39 2005 21: SIGINT received, exiting

----------------Error set 2-------------------------------------------
Mon Mar 28 16:28:50 2005 0: OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Jan 4 2005
Mon Mar 28 16:28:50 2005 1: TUN/TAP device tun0 opened
Mon Mar 28 16:28:50 2005 2: /sbin/ifconfig tun0 10.124.0.2 pointopoint 10.124.0.1 mtu 1256
Mon Mar 28 16:28:50 2005 3: UDPv4 link local (bound): [undef]:5001
Mon Mar 28 16:28:50 2005 4: UDPv4 link remote: xx.35.140.34:5001
Mon Mar 28 16:29:00 2005 5: Peer Connection Initiated with xx.35.140.34:5001
Mon Mar 28 16:29:02 2005 6: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Mon Mar 28 16:30:14 2005 7: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:30:19 2005 8: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:30:25 2005 9: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:30:35 2005 10: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:30:45 2005 11: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:00 2005 12: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:16 2005 13: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:21 2005 14: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:28 2005 15: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:38 2005 16: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:31:49 2005 17: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:32:02 2005 18: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1300,1300] remote->local=[1300,1300]
Mon Mar 28 16:32:04 2005 19: tun packet too large on write (tried=1259,max=1256)

----------------Error set 3-------------------------------------------
Mon Mar 28 16:36:43 2005 0: OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Jan 4 2005
Mon Mar 28 16:36:43 2005 1: TUN/TAP device tun0 opened
Mon Mar 28 16:36:43 2005 2: /sbin/ifconfig tun0 10.124.0.2 pointopoint 10.124.0.1 mtu 1256
Mon Mar 28 16:36:43 2005 3: UDPv4 link local (bound): [undef]:5001
Mon Mar 28 16:36:43 2005 4: UDPv4 link remote: xx.35.140.34:5001
Mon Mar 28 16:36:53 2005 5: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:03 2005 6: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:13 2005 7: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:23 2005 8: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:33 2005 9: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:44 2005 10: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Mar 28 16:37:53 2005 11: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

----------------Error set 4-------------------------------------------
Mon Mar 28 16:38:30 2005 0: OpenVPN 1.5.0 i686-pc-linux-gnu [SSL] [LZO] built on Jan 4 2005
Mon Mar 28 16:38:30 2005 1: TUN/TAP device tun0 opened
Mon Mar 28 16:38:30 2005 2: /sbin/ifconfig tun0 10.124.0.2 pointopoint 10.124.0.1 mtu 1256
Mon Mar 28 16:38:30 2005 3: UDPv4 link local (bound): [undef]:5001
Mon Mar 28 16:38:30 2005 4: UDPv4 link remote: xx.35.140.34:5001
Mon Mar 28 16:38:40 2005 5: Peer Connection Initiated with xx.35.140.34:5001
Mon Mar 28 16:38:42 2005 6: NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
Mon Mar 28 16:41:42 2005 7: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1300,1300] remote->local=[1300,1300]
(...no more output for >10 minutes.)

--
Darren Spruell
Sento I.S. Department
dar...@se...
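As an added example (not part of the original post or of OpenVPN itself), a small Python triage script that turns log lines like the error sets above into counts and the parsed empirical MTU result, then derives the findings a reader would want before deciding between --fragment, --mssfix and aligned --tun-mtu settings. The sample log is constructed from one line of each symptom in the post; the findings are this example's own interpretation of those lines.

```python
import re

# Constructed sample input: one line of each symptom, copied from the post's error sets.
SAMPLE_LOG = """\
Mon Mar 28 16:02:06 2005 2: /sbin/ifconfig tun0 10.124.0.2 pointopoint 10.124.0.1 mtu 1256
Mon Mar 28 16:04:41 2005 7: tun packet too large on write (tried=1259,max=1256)
Mon Mar 28 16:05:00 2005 10: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Mar 28 16:05:18 2005 15: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1300,1300] remote->local=[1308,1300]
Mon Mar 28 16:36:53 2005 5: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
"""

TUN_MTU = re.compile(r"ifconfig tun\d+ .* mtu (\d+)")
TOO_LARGE = re.compile(r"tun packet too large on write \(tried=(\d+),max=(\d+)\)")
MTU_RESULT = re.compile(r"local->remote=\[(\d+),(\d+)\] remote->local=\[(\d+),(\d+)\]")


def triage(log: str) -> dict:
    """Count MTU-related symptoms in an OpenVPN 1.x/2.x log and derive findings."""
    s = {"tun_mtu": None, "too_large": 0, "largest_tried": 0, "hmac_failures": 0,
         "econnrefused": 0, "mtu_test": None, "findings": []}
    for line in log.splitlines():
        if m := TUN_MTU.search(line):            # MTU configured on the local tun device
            s["tun_mtu"] = int(m.group(1))
        elif m := TOO_LARGE.search(line):        # decrypted packet larger than the tun MTU
            s["too_large"] += 1
            s["largest_tried"] = max(s["largest_tried"], int(m.group(1)))
        elif "HMAC authentication failed" in line:
            s["hmac_failures"] += 1
        elif "ECONNREFUSED" in line:
            s["econnrefused"] += 1
        elif m := MTU_RESULT.search(line):       # [Tried,Actual] per direction
            lt, la, rt, ra = map(int, m.groups())
            s["mtu_test"] = {"local->remote": (lt, la), "remote->local": (rt, ra)}
    f = s["findings"]
    if s["too_large"] and s["tun_mtu"] and s["largest_tried"] > s["tun_mtu"]:
        f.append(f"peer delivers {s['largest_tried']}-byte tunnel packets but local tun MTU is "
                 f"{s['tun_mtu']}: the two ends' MTU settings differ; align --tun-mtu/--link-mtu")
    if s["mtu_test"] and any(t != a for t, a in s["mtu_test"].values()):
        f.append("empirical MTU test shows tried != actual: the path cannot carry that UDP size; "
                 "OpenVPN's own note suggests --fragment or --mssfix")
    if s["hmac_failures"] and s["too_large"]:
        f.append("intermittent HMAC failures alongside size errors point to damaged or truncated "
                 "datagrams rather than a wrong --secret (a wrong key fails every packet)")
    if s["econnrefused"]:
        f.append("ECONNREFUSED on a UDP read means an ICMP port-unreachable came back: nothing "
                 "answered on the forwarded port at that moment (peer process or port forward)")
    return s
```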