Martin Gignac wrote:
On 10/19/06, Bill <[EMAIL PROTECTED]> wrote:
The problem was with the "ping" that happens between OpenVPN endpoints
not being returned and the connection resetting every minute or so.
From the OpenVPN man page:
----------------------<snip>----------------------
--ping n
Ping remote over the TCP/UDP control channel if no packets have
been sent for at least n seconds (specify --ping on both peers to
cause ping packets to be sent in both directions since OpenVPN
ping packets are not echoed like IP ping packets). When used in
one of OpenVPN's secure modes (where --secret, --tls-server, or
--tls-client is specified), the ping packet will be
cryptographically secure.
This option has two intended uses:
(1) Compatibility with stateful firewalls. The periodic ping will
ensure that a stateful firewall rule which allows OpenVPN UDP
packets to pass will not time out.
(2) To provide a basis for the remote to test the existence of its
peer using the --ping-exit option.
----------------------<snip>----------------------
I'm sure it doesn't answer your question, but I was just surprised you
mentioned that "[...] the "ping" that happens between OpenVPN
endpoints not being returned [...]" since the man page clearly states
that they are *not* supposed to be returned anyway. But maybe I
misunderstood your statement...
And as Joachim stated OpenVPN shouldn't drop sessions under load.
I use it between an OpenBSD machine and a Linux box and I've never had
problems.
Did you try setting the verbosity to the max and checking if anything
is spewed out in the log that would indicate why this is happening?
And are you in control of both OpenVPN boxes? Are they both running
OpenBSD? Do you know which of the boxes drops the connection?
-Martin
Hi Martin,
Ah, I misunderstood the usage of the "ping" in OpenVPN and that does shed
some new understanding on it - but still no solution.
I have set verbosity to 5 and watched it. I get lots of W (Writes) and
R's (Reads) while it is idle, which I was thinking was the pings. On the
client side I would see WRWRWRWRWRWWWWWWWWW... (drop and reset)
I was interpreting the W as sending the ping and the R as reading the
ping. Sent by the keepalive setting.
The server is running OpenBSD 3.8 and the clients have been a mix of
linux/mac/windows. My linux/mac clients both run fine with an OpenBSD
3.8 OpenVPN server on another box. This box is not nearly as used, but
it is also much older hardware - but I have never had a problem with it.
I've watched it do this while the server was about as idle as it could get.
If the pings, as you point out, are one-directional, then for some reason
it seems that the server would stop pinging the client then...
In a new development I removed the nice setting today and things are
still running really smoothly with the client, which leads me to really
want to smash my head into the desk repeatedly.
I would feel much better knowing why the problem seems to have gone
away, than just have the problem go away without knowing why.
I am hoping the problem returns soon...
Thanks!
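The man page excerpt Martin quoted (--ping on both peers, --ping-exit to detect a dead peer) and Bill's mention of the keepalive setting both describe the same mechanism. The following server-side config fragment is an added example, not from the thread, showing how a single keepalive directive expresses the one-directional ping on both peers plus a restart timeout; the interval and timeout values (10 and 60 seconds) are assumed for illustration.

```conf
# Added example (not from the thread): OpenVPN server-side config fragment.
# "keepalive 10 60" is a helper directive. In server mode it expands to:
#   ping 10                 # server sends a ping after 10 s with no traffic
#   ping-restart 120        # server restarts the session after 120 s of silence
#   push "ping 10"          # client sends a ping after 10 s with no traffic
#   push "ping-restart 60"  # client restarts after 60 s of silence from the server
# Pings are not echoed (see --ping), so each side sends its own; the server-side
# timeout is doubled so the client notices a dead link before the server drops it.
# A 10 s interval also stays well inside typical stateful-firewall UDP timeouts.
keepalive 10 60
```

With verbosity raised (verb 5 as Bill did), the periodic W/R markers in the log show each peer's own pings going out, not replies to the other side's.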