Viscosity can't reconnect after network (wifi) interruption


Bastiaan

Posts: 2
Joined: Thu Feb 22, 2018 7:22 pm

Post by Bastiaan » Thu Feb 22, 2018 7:55 pm
Hi,

We have run into a problem with the Viscosity client on Windows 10 laptops.
The issue only occurs after Windows 10 was unable to correctly shut down the wifi connection (e.g. OS crash or roaming issues).
After the system restarts or the connection comes back up we receive the following error from Viscosity:
Code:
feb 21 18:20:48: Set TAP-Windows TUN subnet mode network/local/netmask = 195.169.127.240/195.169.127.254/255.255.255.240 [SUCCEEDED]
feb 21 18:20:48: ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to 195.169.127.254 -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server
At this point the only thing I can do to resolve this issue is to completely reset Windows networking (remove & install driver).
This leads me to believe the issue is primarily caused by Viscosity or Windows & Viscosity?
I'm looking for the source, client or server side, of this behavior (or someone who can point me in the right direction ;) )

Regards,

Bastiaan

PS. Below you'll find the complete log:
Code:
feb 21 09:48:31: Reconnecting connection as it is now reachable.
feb 21 09:48:31: Status gewijzigd naar Connecting
feb 21 09:48:31: Viscosity Windows 1.7.7 (1549)
feb 21 09:48:31: Loopt op Microsoft Windows 10 Enterprise
feb 21 09:48:31: Loopt op .NET Framework Version 4.7.02556.461308
feb 21 09:48:31: Bringing up interface...
feb 21 09:48:32: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 18 2017
feb 21 09:48:32: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
feb 21 09:48:33: Checking remote host "vpn.surf.nl" is reachable...
feb 21 09:48:33: Server reachable. Connecting to 145.0.7.13.
feb 21 09:48:34: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
feb 21 09:48:35: TCP/UDP: Preserving recently used remote address: [AF_INET]145.0.7.13:1194
feb 21 09:48:35: UDP link local: (not bound)
feb 21 09:48:35: UDP link remote: [AF_INET]145.0.7.13:1194
feb 21 09:48:35: Status gewijzigd naar Authenticating
feb 21 09:48:35: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
feb 21 09:48:35: [OpenVPN Server] Peer Connection Initiated with [AF_INET]145.0.7.13:1194
feb 21 09:48:36: Status gewijzigd naar Connecting
feb 21 09:48:41: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
feb 21 09:48:41: Obsolete option --dhcp-release detected. This is now on by default
feb 21 09:48:41: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-ipv6 (2.4.4)
feb 21 09:48:41: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 09:48:41: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 09:48:41: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
feb 21 09:48:41: open_tun
feb 21 09:48:41: TAP-WIN32 device [[email protected]] opened: \\.\Global\{EC79F8D6-113E-4CD5-94EB-0CBCDFB7019F}.tap
feb 21 09:48:41: Set TAP-Windows TUN subnet mode network/local/netmask = 195.169.127.240/195.169.127.248/255.255.255.240 [SUCCEEDED]
feb 21 09:48:41: Notified TAP-Windows driver to set a DHCP IP/netmask of 195.169.127.248/255.255.255.240 on interface {EC79F8D6-113E-4CD5-94EB-0CBCDFB7019F} [DHCP-serv: 195.169.127.254, lease-time: 31536000]
feb 21 09:48:41: Successful ARP Flush on interface [21] {EC79F8D6-113E-4CD5-94EB-0CBCDFB7019F}
feb 21 09:48:44: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
feb 21 09:48:49: Initialization Sequence Completed
feb 21 09:48:49: WARNING: Split DNS is being used however no DNS domains are present. The DNS servers for this connection may not be used. For more information please see: https://www.sparklabs.com/support/kb/article/warning-split-dns-is-being-used-however-no-dns-domains-are-present
Server - 195.169.124.124:53; Lookup Type - Any; Domains - surf.nl.
Server - 192.87.36.36:53; Lookup Type - Any; Domains - surf.nl.

feb 21 09:48:49: Status gewijzigd naar Connected
feb 21 11:32:13: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 11:32:13: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 14:01:29: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 14:01:29: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 16:58:45: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 16:58:45: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 17:03:38: Status gewijzigd naar Disconnecting
feb 21 17:03:38: SIGTERM received, sending exit notification to peer
feb 21 17:03:53: Status gewijzigd naar Disconnected
feb 21 18:20:23: Connection will be reconnected when it becomes reachable
feb 21 18:20:24: Reconnecting connection as it is now reachable.
feb 21 18:20:24: Status gewijzigd naar Connecting
feb 21 18:20:24: Viscosity Windows 1.7.7 (1549)
feb 21 18:20:27: Loopt op Microsoft Windows 10 Enterprise
feb 21 18:20:27: Loopt op .NET Framework Version 4.7.02556.461308
feb 21 18:20:27: Bringing up interface...
feb 21 18:20:30: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 18 2017
feb 21 18:20:30: library versions: OpenSSL 1.0.2n  7 Dec 2017, LZO 2.09
feb 21 18:20:31: Checking remote host "vpn.surf.nl" is reachable...
feb 21 18:20:31: Server reachable. Connecting to 145.0.7.13.
feb 21 18:20:32: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
feb 21 18:20:33: TCP/UDP: Preserving recently used remote address: [AF_INET]145.0.7.13:1194
feb 21 18:20:33: UDP link local: (not bound)
feb 21 18:20:33: UDP link remote: [AF_INET]145.0.7.13:1194
feb 21 18:20:36: Status gewijzigd naar Authenticating
feb 21 18:20:36: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
feb 21 18:20:42: [OpenVPN Server] Peer Connection Initiated with [AF_INET]145.0.7.13:1194
feb 21 18:20:43: Status gewijzigd naar Connecting
feb 21 18:20:43: AUTH: Received control message: AUTH_FAILED,SESSION: Your session has expired, please reauthenticate
feb 21 18:20:43: SIGUSR1[soft,auth-failure] received, process restarting
feb 21 18:20:43: Status gewijzigd naar Connecting
feb 21 18:20:43: Checking remote host "vpn.surf.nl" is reachable...
feb 21 18:20:44: Server reachable. Connecting to 145.0.7.13.
feb 21 18:20:45: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
feb 21 18:20:45: TCP/UDP: Preserving recently used remote address: [AF_INET]145.0.7.13:1194
feb 21 18:20:45: UDP link local: (not bound)
feb 21 18:20:45: UDP link remote: [AF_INET]145.0.7.13:1194
feb 21 18:20:47: Status gewijzigd naar Authenticating
feb 21 18:20:47: [OpenVPN Server] Peer Connection Initiated with [AF_INET]145.0.7.13:1194
feb 21 18:20:48: Status gewijzigd naar Connecting
feb 21 18:20:48: Option 'explicit-exit-notify' in [PUSH-OPTIONS]:1 is ignored by previous <connection> blocks 
feb 21 18:20:48: Obsolete option --dhcp-release detected. This is now on by default
feb 21 18:20:48: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-ipv6 (2.4.4)
feb 21 18:20:48: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 18:20:48: WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
feb 21 18:20:48: WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
feb 21 18:20:48: open_tun
feb 21 18:20:48: TAP-WIN32 device [[email protected]] opened: \\.\Global\{EC79F8D6-113E-4CD5-94EB-0CBCDFB7019F}.tap
feb 21 18:20:48: Set TAP-Windows TUN subnet mode network/local/netmask = 195.169.127.240/195.169.127.254/255.255.255.240 [SUCCEEDED]
feb 21 18:20:48: ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to 195.169.127.254 -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server
feb 21 18:20:48: Status gewijzigd naar Disconnected

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Feb 23, 2018 9:59 am
Hi Bastiaan,

It looks like you are running out of IP addresses in your pool. The last IP address in a pool is used by OpenVPN TUN as a pseudo-DHCP server. The error thus is actually quite literal: the IP address being supplied to the client is the same as the DHCP IP address. The reason resetting the network on the client is resolving the issue is because it's simply taking long enough that another IP address is becoming free in the server-issued client pool in the meantime.

I'd recommend reducing your IP address pool on your server from .240-.254 to .240-.253 to avoid this problem in future.

Please take a look at the suggested commands in the error message you have highlighted for more information.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
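
The clash described in the reply above, as an added example (not code from this thread, Viscosity or OpenVPN): it derives the pseudo-DHCP server address from the pushed address and netmask, finds the clashing assignment in the two log lines posted in the thread, and computes the pool end that avoids it. The function names are hypothetical, and the offset handling (negative offsets count back from the broadcast address, default -1 for TUN subnet mode) is an assumption chosen to match the `DHCP-serv: 195.169.127.254` value in the log.

```python
import ipaddress
import re

# OpenVPN log line reporting the address the server pushed to the client.
SUBNET_RE = re.compile(
    r"TUN subnet mode network/local/netmask = "
    r"(?P<network>[\d.]+)/(?P<local>[\d.]+)/(?P<netmask>[\d.]+)"
)

def tun_dhcp_server(local, netmask, offset=-1):
    """Address the TAP-Windows pseudo-DHCP server takes in the client's subnet.

    Assumption: a negative offset is applied to the broadcast address and a
    non-negative one to the network address; -1 reproduces the thread's log.
    """
    net = ipaddress.ip_interface(f"{local}/{netmask}").network
    base = net.broadcast_address if offset < 0 else net.network_address
    return base + offset

def clashing_assignments(log_lines):
    """Return each pushed client address that equals the pseudo-DHCP address."""
    hits = []
    for line in log_lines:
        m = SUBNET_RE.search(line)
        if m and tun_dhcp_server(m["local"], m["netmask"]) == ipaddress.IPv4Address(m["local"]):
            hits.append(m["local"])
    return hits

def safe_pool_end(pool_start, pool_end, netmask):
    """Highest address in the pool that can be handed out without a clash."""
    lo = ipaddress.IPv4Address(pool_start)
    addr = ipaddress.IPv4Address(pool_end)
    while addr >= lo:
        if tun_dhcp_server(str(addr), netmask) != addr:
            return str(addr)
        addr -= 1
    raise ValueError("no clash-free address in pool")

# The two assignments from the log in this thread (09:48 got .248, 18:20 got .254).
THREAD_LOG = [
    "feb 21 09:48:41: Set TAP-Windows TUN subnet mode network/local/netmask = "
    "195.169.127.240/195.169.127.248/255.255.255.240 [SUCCEEDED]",
    "feb 21 18:20:48: Set TAP-Windows TUN subnet mode network/local/netmask = "
    "195.169.127.240/195.169.127.254/255.255.255.240 [SUCCEEDED]",
]

if __name__ == "__main__":
    print(clashing_assignments(THREAD_LOG))
    # Pool bounds as quoted in the reply (.240-.254).
    print(safe_pool_end("195.169.127.240", "195.169.127.254", "255.255.255.240"))
```
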

Bastiaan

Posts: 2
Joined: Thu Feb 22, 2018 7:22 pm

Post by Bastiaan » Thu Mar 15, 2018 7:35 pm
Eric,

Thanks for the reply.
I will have a look at our DHCP scope and see if we can make the suggested changes.
I'll keep you posted.