Hi,

On 04/07/21 20:43, Thibault JY Derrien wrote:

Dear OpenVPN community,

I'm writing as I obtain a systematic freeze on a production machine today. The problem is that it gets frozen systematically a few seconds after connection. It is not the first time and seems to be random. This is preventing any remote work from being performed on the machine at the moment (urgent task needed).

I'm using OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 27 2021
library versions: OpenSSL 1.1.1f  31 Mar 2020, LZO 2.10

1/ From verbose = 5, freezing can be evidenced in the LOG below.

Sun Jul  4 20:14:40 2021 us=254348 Initialization Sequence Completed
WrWrWrWRwrWrWRwrWRwrWRwRwrWrWRwRwRwrWRwrWRwrWrWRwrWrWrWRwrWRwrWRwrWRWrWRwrWRwrWRwrWRWRrWRwrWrWRwrWRwrWRwrWRWRWffrWRwrWrWRwrWRWWRWR*rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWWrWWWrWWWWW*

Sun Jul  4 20:18:36 2021 us=233613 [server] Inactivity timeout (--ping-restart), restarting
Sun Jul  4 20:18:36 2021 us=233829 TCP/UDP: Closing socket
Sun Jul  4 20:18:36 2021 us=233888 SIGUSR1[soft,ping-restart] received, process restarting
Sun Jul  4 20:18:36 2021 us=233915 Restart pause, 5 second(s)


[...]

The RrWw line suggests that you have a connection for a little while and then traffic stops coming in. Without server-side logs it is impossible to tell what is happening (yes, like others said, you *will* need to talk to your VPN server admin to get to the bottom of this) but this suspiciously looks like a firewall with SPI is blocking your connection after a few seconds/minutes.  If the client is located in a "free-internet-unfriendly" location or country (most airport terminals, China, Iran, various others) then there is very little you can do to overcome this.

Meddling with the tun-mtu/link-mtu/fragment/keep-alive parameters on the client side does very little without corresponding changes on the server side. The parameter that would have the biggest impact is
  fragment 1400
on both client and server side.

This can be determined quite easily using
  ping -s 1400 <remote-IP>

and then increase 1400 to 1410, 1420, 1430 etc.

HTH,

JJK
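
The reading of the RrWw line given in the reply above can be checked mechanically. The following is an added example, not part of the original message or of OpenVPN: it assumes the `--verb 5` convention from the OpenVPN manual (uppercase R/W are TCP/UDP packets read and written, lowercase r/w are TUN/TAP packets), ignores every other character, and the names `summarize_trace` and the threshold of 10 unanswered writes are hypothetical choices.

```python
from dataclasses import dataclass

# Trace line copied from the client log quoted in the thread above.
PAGE_TRACE = (
    "WrWrWrWRwrWrWRwrWRwrWRwRwrWrWRwRwRwrWRwrWRwrWrWRwrWrWrWRwrWRwrWRwrWRWrWRwrWRwrWRwrWRWR"
    "rWRwrWrWRwrWRwrWRwrWRWRWffrWRwrWrWRwrWRWWRWR*"
    "rWrWrWrWrWrWrWrWrWrWrWrWrWrWrWWrWWWrWWWWW*"
)


@dataclass
class TraceSummary:
    link_reads: int               # 'R': packets received on the TCP/UDP socket
    link_writes: int              # 'W': packets sent on the TCP/UDP socket
    tun_reads: int                # 'r': packets read from the TUN/TAP device
    tun_writes: int               # 'w': packets written to the TUN/TAP device
    writes_after_last_read: int   # 'W' seen after the final 'R'
    one_way: bool                 # True when the tail looks like send-only traffic


def summarize_trace(trace: str, threshold: int = 10) -> TraceSummary:
    """Count packet events and flag a tail where the client keeps sending
    on the link but nothing is received any more."""
    last_link_read = trace.rfind("R")
    # rfind() returns -1 when there is no 'R' at all, so the tail is then
    # the whole trace: every write went unanswered.
    tail = trace[last_link_read + 1:]
    unanswered = tail.count("W")
    return TraceSummary(
        link_reads=trace.count("R"),
        link_writes=trace.count("W"),
        tun_reads=trace.count("r"),
        tun_writes=trace.count("w"),
        writes_after_last_read=unanswered,
        one_way=unanswered >= threshold,
    )


if __name__ == "__main__":
    summary = summarize_trace(PAGE_TRACE)
    print(summary)
    if summary.one_way:
        print("Inbound traffic stopped while the client kept sending; "
              "compare with the server-side log for the same timestamps.")
```

A `one_way` result only shows the client side of the session, so the server log is still needed to tell a stateful firewall drop apart from a server-side problem.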
