SparkLabs Forum.

Community Help.


Reneg-sec option not working

I currently have reneg-sec 10 set on both the server and client; however, the client is not being prompted to re-auth after the 10 second interval.

Seems to work in the OpenVPN client itself fine; however, testing with Viscosity it does not.

Any ideas?

Hi patd,

Your auth credentials are most likely either being cached, or you have them saved, which would be why you are not seeing a credential window appear. Can you see a reneg occurring in the log?

https://sparklabs.com/support/kb/articl ... envpn-log/

Regards,
Eric

Hi Eric,

Thank you for your reply.

I have auth-nocache defined in my config file as well as reneg-sec 10 (just for testing). I don't see any attempt to renegotiate after the 10 second timer has expired.

I've also tried pushing these commands from my OpenVPN Access Server to the Viscosity client.

The log reads as follows when connecting.

Options error: options "auth-nocache' cannot be used in this context {[PUSH-OPTIONS]}
Options error: options "reneg-sec' cannot be used in this context {[PUSH-OPTIONS}]
Hi patd,

Those options can't be pushed as the option-error says.

First off, please try adding verb 5 to your config, as the standard verb level may not be displaying the reneg in the log.

From here, a few things could be happening:

The renegotiation is successfully taking place, you're simply not seeing it in the log.

The issue may be how low you have the reneg-sec setting, that the reneg might be taking place before the connection is properly established and breaking the functionality. You could try upping the timer to reneg-sec 30.

Finally, as you are using Access Server, please keep in mind that you have support for session tokens. Viscosity supports session tokens whereas OpenVPN on its own does not. The session token is generated when you first connect and is used between the client (whether this be Viscosity or the AS Client) and Access Server so a username/password does not need to be prompted for on each renegotiation. Session tokens are on by default in Access Server. I believe there is an option to disable them though somewhere.

Regards,
Eric
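An added example, not written by either poster and not SparkLabs or OpenVPN code: a small log audit for the checks discussed above, listing the pushed options the client rejected and confirming whether renegotiations actually occur at the configured reneg-sec interval. The log lines are constructed, and the "TLS: soft reset" marker and the timestamp format are assumptions about what the client writes to its log.

```python
import re
from datetime import datetime

# Constructed sample log (not taken from the thread). The "Options error" wording
# follows the lines quoted in the thread; "TLS: soft reset" is assumed to be the
# text logged when a renegotiation starts, and the timestamp layout is assumed.
SAMPLE_LOG = """\
2016-03-01 10:00:00 Options error: option 'reneg-sec' cannot be used in this context ([PUSH-OPTIONS])
2016-03-01 10:00:00 Options error: option 'auth-nocache' cannot be used in this context ([PUSH-OPTIONS])
2016-03-01 10:00:01 Initialization Sequence Completed
2016-03-01 10:00:31 TLS: soft reset sec=0 bytes=4096/0 pkts=40/0
2016-03-01 10:01:01 TLS: soft reset sec=0 bytes=2048/0 pkts=20/0
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
# Accepts either quote style, including the mixed quoting typed in the thread.
REJECTED = re.compile(
    TS + r"Options error: options? [\"'](\S+?)[\"'] cannot be used in this context")
CONNECTED = re.compile(TS + r"Initialization Sequence Completed")
RENEG = re.compile(TS + r"TLS: soft reset")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def audit(log_text, expected_reneg_sec, tolerance=5):
    """Summarise rejected pushed options and the observed renegotiation timing."""
    rejected, marks = [], []
    for line in log_text.splitlines():
        if m := REJECTED.match(line):
            rejected.append(m.group(2))
        elif m := (CONNECTED.match(line) or RENEG.match(line)):
            # Connection completion and each soft reset mark an interval boundary.
            marks.append(_ts(m.group(1)))
    intervals = [int((b - a).total_seconds()) for a, b in zip(marks, marks[1:])]
    return {
        "rejected_pushed_options": rejected,
        "reneg_intervals": intervals,
        "reneg_seen": bool(intervals),
        "on_schedule": bool(intervals)
        and all(abs(i - expected_reneg_sec) <= tolerance for i in intervals),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, expected_reneg_sec=30))
```

If renegotiations show up on schedule but no credential prompt appears, the session token behaviour described above is the likely explanation rather than a timer problem.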
Eric,

Thank you for all the helpful information.

I'll dig around and tweak a few settings and see what I can find.

Thanks again.

Copyright © 2016 SparkLabs Pty Ltd. All Rights Reserved. Privacy Policy