Connection failure on only one machine


mbell697

Posts: 2
Joined: Tue May 10, 2016 8:24 am

Post by mbell697 » Tue May 10, 2016 8:50 am
I'm seeing intermittent connection failure on only one machine, details:

2 machines, one late 2013 rMBP 15, one early 2015 rMBP 13. Both machines are running OSX 10.11.4, both machines have nearly identical configurations, both were provisioned with the same Chef recipe. Both imported the same config bundle generated by the endpoint, a pfsense VM running on AWS.

The 13" laptop has no issues connecting to a VPN endpoint. The 15" has intermittent connection issues. This is not an issue of both connecting and having OpenVPN configured on the pfsense side to only allow a single session.

What I see on the 15" is it will work for a while after a fresh restart, for example it stayed connected for 1 hour, then became stuck in a connecting loop. There was an open ssh connection with activity during this hour and the ssh connection was still open when it entered the connecting loop:

```
May 09 16:59:56: Viscosity Mac 1.6.2 (1342)
May 09 16:59:56: Viscosity OpenVPN Engine Started
May 09 16:59:56: Running on Mac OS X 10.11.4
May 09 16:59:56: ---------
May 09 16:59:56: Checking reachability status of connection...
May 09 16:59:56: Connection is reachable. Starting connection attempt.
May 09 16:59:57: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
May 09 16:59:57: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
May 09 17:00:00: UDPv4 link local (bound): [undef]
May 09 17:00:00: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
May 09 17:00:00: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 09 17:00:01: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
May 09 17:00:04: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.3.10)
May 09 17:00:04: Opened utun device utun0
May 09 17:00:04: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 09 17:00:04: /sbin/ifconfig utun0 delete
May 09 17:00:04: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
May 09 17:00:04: /sbin/ifconfig utun0 10.188.0.6 10.188.0.5 mtu 1500 netmask 255.255.255.255 up
May 09 17:00:04: Initialization Sequence Completed
May 09 17:00:04: DNS mode set to: Split
May 09 18:09:22: [Netgate VPN Server] Inactivity timeout (--ping-restart), restarting
May 09 18:09:22: SIGUSR1[soft,ping-restart] received, process restarting
May 09 18:09:23: UDPv4 link local (bound): [undef]
May 09 18:09:23: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
May 09 18:10:23: [UNDEF] Inactivity timeout (--ping-restart), restarting
May 09 18:10:23: SIGUSR1[soft,ping-restart] received, process restarting
May 09 18:10:24: UDPv4 link local (bound): [undef]
May 09 18:10:24: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
```

The final sequence of 4 log messages repeats every 60 seconds with the connection stuck in 'connecting', until I disable the connection and then re-enable it, then this occurs:

```
May 09 18:20:32: SIGTERM[hard,] received, process exiting
May 09 18:20:36: Viscosity Mac 1.6.2 (1342)
May 09 18:20:36: Viscosity OpenVPN Engine Started
May 09 18:20:36: Running on Mac OS X 10.11.4
May 09 18:20:36: ---------
May 09 18:20:36: Checking reachability status of connection...
May 09 18:20:36: Connection is reachable. Starting connection attempt.
May 09 18:20:37: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
May 09 18:20:37: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
May 09 18:20:40: UDPv4 link local (bound): [undef]
May 09 18:20:40: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
May 09 18:21:40: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 09 18:21:40: TLS Error: TLS handshake failed
May 09 18:21:40: SIGUSR1[soft,tls-error] received, process restarting
```

The TLS connection error will continue forever; attempts to disconnect then reconnect have no effect.

Sometimes, I can quit, then start Viscosity and get a connection:

```
May 09 18:22:02: SIGTERM[hard,] received, process exiting
May 09 18:26:35: Viscosity Mac 1.6.2 (1342)
May 09 18:26:35: Viscosity OpenVPN Engine Started
May 09 18:26:35: Running on Mac OS X 10.11.4
May 09 18:26:35: ---------
May 09 18:26:35: Checking reachability status of connection...
May 09 18:26:35: Connection is reachable. Starting connection attempt.
May 09 18:26:35: OpenVPN 2.3.10 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Mar 2 2016
May 09 18:26:35: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.09
May 09 18:26:38: UDPv4 link local (bound): [undef]
May 09 18:26:38: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
May 09 18:26:38: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 09 18:26:39: [Netgate VPN Server] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:1194
May 09 18:26:41: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: register-dns (2.3.10)
May 09 18:26:41: Opened utun device utun0
May 09 18:26:41: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 09 18:26:41: /sbin/ifconfig utun0 delete
May 09 18:26:41: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
May 09 18:26:41: /sbin/ifconfig utun0 10.188.0.6 10.188.0.5 mtu 1500 netmask 255.255.255.255 up
May 09 18:26:41: Initialization Sequence Completed
May 09 18:26:41: DNS mode set to: Split
```

However, more often, I'm unable to reconnect until I reboot the machine.

There is no internet connection issue, the 13" can freely connect and disconnect without drop or issue while the 15" is 'stuck'. The router for the local network is in my control and has no special rules, blocks, or other configuration for either machine. I don't see any indication of blocked connections in the router logs.

Any idea what is causing one machine to have issues with this connection?

James

Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed May 11, 2016 5:00 pm
Hi mbell697,

Generally when there are discrepancies between two machines like this it comes down to a client-config-dir (CCD) command that is present for one specific user/account but not for others. I'd recommend checking the CCD directory for your OpenVPN server setup and seeing whether the second user has any specific commands that could vary.

Otherwise I'd recommend checking that the ping/ping-restart (or keepalive shortcut) values match on both the server and clients. Traffic passing through the tunnel counts as a "ping", so it may merely be that the second laptop isn't generating traffic through the tunnel and the ping-restart value is being reached.

In addition, make sure both clients have the "No Bind" option set (so they both get different random local port numbers assigned). Otherwise if they're both attempting to use the same local port number your router may end up with overlapping internal NAT rules that can cause connections to fail.

Finally, Viscosity performs "reachability checks" both before connecting and while connected to ensure that the end server is theoretically reachable as far as the client computer/network is concerned. As these are being passed, the problem is unlikely to lie with a routing or network problem on the computer and most likely lies with the server or router.

For more information please see:
http://www.sparklabs.com/support/kb/art ... g-restart/
http://www.sparklabs.com/support/kb/art ... 0-seconds/

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
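The checks suggested in the reply above can be run against a saved log and client config. The following is an added example, not code from either poster or from Viscosity. It assumes the OpenVPN 2.3 log wording seen in the thread, where `link local (bound)` indicates the client bound a fixed local port; the sample log is abridged from the thread, and the sample config and all function names are constructed.

```python
import re

# Constructed sample, abridged from the log format quoted in the thread.
SAMPLE_LOG = """\
May 09 17:00:00: UDPv4 link local (bound): [undef]
May 09 18:09:22: [Netgate VPN Server] Inactivity timeout (--ping-restart), restarting
May 09 18:09:23: UDPv4 link local (bound): [undef]
May 09 18:10:23: [UNDEF] Inactivity timeout (--ping-restart), restarting
May 09 18:10:24: UDPv4 link local (bound): [undef]
May 09 18:21:40: TLS Error: TLS key negotiation failed to occur within 60 seconds
"""
# Constructed client config (hypothetical); nobind is commented out with ';'.
SAMPLE_CONFIG = "client\ndev tun\nproto udp\n;nobind\nkeepalive 10 60\n"

LINE = re.compile(r"^\w{3} \d{2} \d{2}:\d{2}:\d{2}: (?P<msg>.*)$")

def triage_log(log_text):
    """Count the symptoms discussed in the thread in a Viscosity/OpenVPN log."""
    counts = {"bound_local": 0, "ping_restart": 0,
              "restart_without_peer": 0, "tls_timeout": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if "link local (bound):" in msg:
            counts["bound_local"] += 1      # fixed local UDP port in use
        if "Inactivity timeout (--ping-restart)" in msg:
            counts["ping_restart"] += 1
            if msg.startswith("[UNDEF]"):   # restarted before any peer answered
                counts["restart_without_peer"] += 1
        if "TLS key negotiation failed" in msg:
            counts["tls_timeout"] += 1
    return counts

def directives(config_text):
    """Directive names in an OpenVPN config, skipping '#' and ';' comment lines."""
    lines = (l.strip() for l in config_text.splitlines())
    return {l.split()[0] for l in lines if l and l[0] not in "#;"}

def advice(log_text, config_text):
    c, d = triage_log(log_text), directives(config_text)
    notes = []
    if c["bound_local"] and "nobind" not in d:
        notes.append("local port is bound: add nobind to the client config")
    if c["restart_without_peer"] or c["tls_timeout"]:
        notes.append("no reply after restart: check server, router/NAT state")
    if "keepalive" not in d and not {"ping", "ping-restart"} <= d:
        notes.append("no keepalive set locally: compare with server values")
    return notes
```
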

mbell697

Posts: 2
Joined: Tue May 10, 2016 8:24 am

Post by mbell697 » Fri May 13, 2016 8:43 am
Thanks James, the `nobind` option seems to have been the solution.