On Thursday, 2 Mar at 19:17, Sameh Attia wrote:
> Hi,
> We would like to share this with you. We have OpenVPN server
> 2.0.5 on CentOS 4.2 before it was on Red Hat Enterprise AS 4 and
> clients are Windows XP.
We would love to help you, but we lack the client and server config.
Send it in here without lines starting with # or ;
Also no lines with only whitespace.
> Our clients were suffering strange VPN lockups every few minutes on
> a random basis which resulted in all services provided through the
> VPN to be not responding. We were using an external LDAP server to
> authenticate clients against it.
> After deep investigations we found that the LDAP was the source
> of the problem. It was not responding too fast and sometimes was
> suffering lockups due to some corruptions in its database.
How about deploying extra LDAP servers? Or maybe a caching LDAP server?
Which LDAP server is it running anyway?
> The problem is that the VPN client was re-authenticating every few
> minutes randomly. During this time, if the LDAP was locked up, clients
> were not able to send any traffic through the tunnel. We worked around
> this by returning an "always successful" result to the
> authentication and re-authentication requests.
Why does it re-authenticate?
Do your clients time out? => Increase the timeout on the server.
Do your clients change IP? => --float
> We know that using "auth-retry none" at the client side may solve the
> problem but we would like to know what happens at the client's
> side? Does OpenVPN ignore any traffic sent over the tunnel during
> this time while waiting for the result of the re-authentication? We
> think it is so because people complain that the services are not
> available and by sniffing we found that no traffic was arriving during
> this period.
> This workaround succeeded with clients who are not using Avaya's
> soft phone. While those who are using the soft phone are stuck at
> another problem. The client is still sending, approximately every two
> minutes and 5 seconds (125 seconds) according to our logs, the
> re-authentication requests.
Cheat your clients to think the tunnel is still open. Does the network
interface close when the network breaks down?
> During normal VPN operation, i.e. before the re-authentication request
> is sent, the call is in peer-to-peer mode and once the client sends a
> re-authentication request, the soft phone drops the peer-to-peer
> connection and switches to Avaya's MedPro server and it does not go
> back to the other peer.
This sounds complicated. Doesn't it work like any other internet
connection?
JonB
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
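A check a server admin could run before touching auth-retry or, worse, replacing the verify script with an "always successful" one: an added Python example (not from this thread) that scans server log lines for TLS renegotiations and the auth result that follows each one, reporting the re-auth interval per client and any authentication that took longer than a threshold, which is what an LDAP stall looks like from the VPN side. The log lines are constructed, and their format is assumed to resemble OpenVPN 2.0 server logging.

```python
import re
from datetime import datetime

# Constructed sample log; format assumed to resemble OpenVPN 2.0 server
# logs: "<timestamp> <common_name>/<ip:port> TLS: <message>".
SAMPLE_LOG = """\
Thu Mar  2 19:00:00 2006 alice/10.0.0.5:1194 TLS: soft reset sec=125 bytes=0/0 pkts=0/0
Thu Mar  2 19:00:01 2006 alice/10.0.0.5:1194 TLS: Username/Password authentication succeeded for username 'alice'
Thu Mar  2 19:02:05 2006 alice/10.0.0.5:1194 TLS: soft reset sec=125 bytes=0/0 pkts=0/0
Thu Mar  2 19:02:47 2006 alice/10.0.0.5:1194 TLS: Username/Password authentication succeeded for username 'alice'
Thu Mar  2 19:04:10 2006 alice/10.0.0.5:1194 TLS: soft reset sec=125 bytes=0/0 pkts=0/0
Thu Mar  2 19:04:11 2006 alice/10.0.0.5:1194 TLS: Username/Password authentication succeeded for username 'alice'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<peer>\S+) (?P<msg>TLS: .*)$"
)


def parse(log):
    """Yield (timestamp, peer, message) for every TLS log line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["peer"], m["msg"]


def reauth_stats(log, slow_auth_sec=5):
    """Return ({peer: [seconds between renegotiations]}, [(peer, ts, latency)]).

    A renegotiation ("soft reset") starts the clock; the next auth result for
    the same peer stops it. Auths slower than slow_auth_sec are reported, since
    the tunnel carries no traffic for that peer while the result is pending.
    """
    last_reset, intervals, slow = {}, {}, []
    for ts, peer, msg in parse(log):
        if msg.startswith("TLS: soft reset"):
            if peer in last_reset:
                intervals.setdefault(peer, []).append((ts - last_reset[peer]).total_seconds())
            last_reset[peer] = ts
        elif "authentication succeeded" in msg or "authentication failed" in msg:
            if peer in last_reset:
                latency = (ts - last_reset[peer]).total_seconds()
                if latency > slow_auth_sec:
                    slow.append((peer, ts, latency))
    return intervals, slow


if __name__ == "__main__":
    gaps, stalls = reauth_stats(SAMPLE_LOG)
    for peer, secs in gaps.items():
        print(f"{peer}: renegotiation every {secs} s")
    for peer, ts, latency in stalls:
        print(f"{peer}: auth at {ts} took {latency:.0f} s (backend stall?)")
```

If the measured interval matches the configured renegotiation period, the fix belongs in the server's reneg settings or in the LDAP backend's responsiveness, not in the verify script.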