Posted: Thu Feb 01, 2007 12:43 Post subject: OpenVPN loses connection every hour.
This is a Windows 2000 Server with OpenVPN 2.0.7 (server) and DD-WRT v23sp2 vpn (clients).
The problem is that the connection is very shortly interrupted every hour by this message:
"TLS: tls_process: killed"
Then the connection is restored.
This makes IP phones drop and terminal sessions disconnect.
I've tried changing the global tcp/udp timeout under "Administration" from 3600 to 600. This doesn't change anything.
Any of you heroes know how to fix this problem?
From the OpenVPN log on the server:
Code:
Thu Feb 01 11:58:32 2007 MULTI: Learn: 10.12.0.1 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:03:54 2007 MULTI: Learn: 10.12.0.1 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:12:17 2007 MULTI: Learn: 10.12.0.139 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:13:00 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: tls_process: killed expiring key
Thu Feb 01 12:13:02 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: soft reset sec=0 bytes=199773637/0 pkts=285530/0
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 VERIFY OK: depth=1,
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 VERIFY OK: depth=0,
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 01 12:13:05 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 12:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 01 12:29:22 2007 MULTI: Learn: 10.12.0.139 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:44:15 2007 MULTI: Learn: 10.12.0.123 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:46:28 2007 MULTI: Learn: 10.12.0.139 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 13:03:34 2007 MULTI: Learn: 10.12.0.139 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 13:13:03 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: tls_process: killed expiring key
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 VERIFY OK: depth=1,
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 VERIFY OK: depth=0,
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Feb 01 13:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 13:13:07 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 01 13:15:47 2007 rtrske/[Ext.Ip.Addr.Here]:2051 MULTI: Learn: 10.12.0.123 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 13:20:37 2007 MULTI: Learn: 10.12.0.139 -> rtrske/[Ext.Ip.Addr.Here]:2051
I ran across the solution to your problem while perusing an OpenVPN mailing list. You want to increase the OpenVPN parameter reneg-sec from its default of 3600 seconds. You have to do it on both the client and server ends. I believe if you set the parameter to 0, it will disable renegotiation completely.
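Added example, not part of the original thread: a Python check that confirms from the server log that the "killed expiring key" events recur at the 3600-second reneg-sec default mentioned in the reply, and measures how long each rekey leaves the client without a control channel. The sample log is constructed from lines quoted in the first post; the function name, the `tolerance` parameter and the report fields are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, trimmed from the log lines quoted in the first post.
SAMPLE_LOG = """\
Thu Feb 01 11:58:32 2007 MULTI: Learn: 10.12.0.1 -> rtrske/[Ext.Ip.Addr.Here]:2051
Thu Feb 01 12:13:00 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: tls_process: killed expiring key
Thu Feb 01 12:13:02 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: soft reset sec=0 bytes=199773637/0 pkts=285530/0
Thu Feb 01 12:13:06 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Feb 01 13:13:03 2007 rtrske/[Ext.Ip.Addr.Here]:2051 TLS: tls_process: killed expiring key
Thu Feb 01 13:13:07 2007 rtrske/[Ext.Ip.Addr.Here]:2051 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""

LINE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (\S+) (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def renegotiation_report(log_text, reneg_sec=3600, tolerance=30):
    """Per client: gaps between key expiries and how long each rekey took."""
    expiries = defaultdict(list)    # client -> times of "killed expiring key"
    rekey_secs = defaultdict(list)  # client -> seconds until control channel is back
    pending = {}                    # client -> expiry still waiting for its rekey
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), TS_FORMAT)
        client, msg = m.group(2), m.group(3)
        if "killed expiring key" in msg:
            expiries[client].append(when)
            pending[client] = when
        elif msg.startswith("Control Channel:") and client in pending:
            rekey_secs[client].append(int((when - pending.pop(client)).total_seconds()))
    report = {}
    for client, times in expiries.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[client] = {
            "gaps": gaps,
            "rekey_secs": rekey_secs[client],
            "matches_reneg_sec": bool(gaps) and all(abs(g - reneg_sec) <= tolerance for g in gaps),
        }
    return report

if __name__ == "__main__":
    for client, info in renegotiation_report(SAMPLE_LOG).items():
        print(client, info)
```

After changing reneg-sec on both ends, rerun the check with the new value passed as `reneg_sec` to confirm the log follows the configured interval.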