Occasionally the client's connection to the Internet is down, and it's understandable that we can't reach them then. On most occasions, however, I'm able to modem in to the client and get the connection going by pinging through the tunnel to our OpenVPN server. That is, I ping 10.230.0.1, leave it running for a minute, and more often than not the tunnel comes up within that minute even though it failed to do so by itself in the previous hours.
These clients can't negotiate the tunnel unless a ping is issued and left running for a minute. I often see the same clients on my "VPN down" list.
What is the best way to bring these clients up when we're getting "TLS Error: TLS key negotiation failed" in the OpenVPN client logs?
Listed below is the log file fragment I'm occasionally receiving, along with the server configuration and one example of the client configuration that is typical of all 300 client configurations.
Log file fragment:
Jul 2 11:19:07 Europa openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:19:07 Europa openvpn: TLS Error: TLS handshake failed
Jul 2 11:19:07 Europa openvpn: TCP/UDP: Closing socket
Jul 2 11:19:07 Europa openvpn: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:19:07 Europa openvpn: Restart pause, 2 second(s)
Server configuration:
key /etc/openvpn/keys/openvpn.key # This file should be kept secret
server 10.230.0.0 255.255.0.0 # hand out addresses from 10.230.0.0/16; the server's tunnel address is 10.230.0.1
push "route <this IP must be secret> 255.255.255.255"
route 10.230.0.0 255.255.0.0
keepalive 10 120 # ping every 10 s; restart the link if nothing is heard for 120 s
tls-auth ta.key 0 # This file is secret (key direction 0 on the server side)
cipher DES-EDE3-CBC # Triple-DES
Typical client configuration:
remote <this is the server IP> 1194
tls-auth ta.key 1 # same shared ta.key as the server, opposite key direction
What gives? I hate to run a continuous ping script on everybody all the time when we only occasionally see the "TLS Error" shown in the log file fragment above.
How can I address this problem?
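The post mentions seeing the same clients on the "VPN down" list repeatedly. As an added example (not code from the original post or from the OpenVPN project), the script below parses syslog-style openvpn lines like the fragment above, counts "TLS key negotiation failed" events per host, and tracks the current unbroken streak of failures, resetting it when a client logs OpenVPN's "Initialization Sequence Completed" line. The sample log is constructed for illustration: the Europa lines are modelled on the fragment in the post, and the hostname Ganymede and the later timestamps are invented.

```python
import re
from collections import defaultdict

# Constructed sample log: the first five Europa lines follow the fragment in the
# post; the remaining lines (later timestamps, host "Ganymede") are invented.
SAMPLE_LOG = """\
Jul 2 11:19:07 Europa openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:19:07 Europa openvpn: TLS Error: TLS handshake failed
Jul 2 11:19:07 Europa openvpn: TCP/UDP: Closing socket
Jul 2 11:19:07 Europa openvpn: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:19:07 Europa openvpn: Restart pause, 2 second(s)
Jul 2 11:20:09 Europa openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:20:09 Europa openvpn: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:21:11 Europa openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:21:11 Europa openvpn: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:19:30 Ganymede openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 2 11:19:30 Ganymede openvpn: SIGUSR1[soft,tls-error] received, process restarting
Jul 2 11:20:34 Ganymede openvpn: Initialization Sequence Completed
"""

# syslog prefix: "<Mon> <day> <HH:MM:SS> <host> openvpn[pid]: <message>" (pid optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) openvpn(?:\[\d+\])?: (?P<msg>.*)$"
)
FAIL_MARK = "TLS key negotiation failed"      # the hand-window timeout in the post
OK_MARK = "Initialization Sequence Completed"  # OpenVPN's "tunnel is up" line


def parse_line(line):
    """Split one syslog-style openvpn line into (timestamp, host, message), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("host"), m.group("msg")


def summarise(log_text):
    """Per host: total TLS negotiation failures, the current unbroken failure
    streak, and the timestamp of the last failure. The streak is reset when the
    client reaches 'Initialization Sequence Completed', i.e. the tunnel came up."""
    stats = defaultdict(lambda: {"total": 0, "streak": 0, "last_failure": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an openvpn line; ignore
        ts, host, msg = parsed
        s = stats[host]
        if FAIL_MARK in msg:
            s["total"] += 1
            s["streak"] += 1
            s["last_failure"] = ts
        elif OK_MARK in msg:
            s["streak"] = 0
    return dict(stats)


def stuck_clients(log_text, threshold=2):
    """Hosts whose current failure streak reached `threshold` without a successful
    initialisation in between: the candidates for the "VPN down" list."""
    return sorted(h for h, s in summarise(log_text).items() if s["streak"] >= threshold)


if __name__ == "__main__":
    for host, s in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{host:10s} failures={s['total']} streak={s['streak']} last={s['last_failure']}")
    print("stuck:", stuck_clients(SAMPLE_LOG))
```

Run against the aggregated client logs (or a central syslog) rather than one box's log to get the list of clients that are still looping through the 60-second handshake timeout and the 2-second restart pause; a client that logged a completed initialisation after its last failure drops off the list.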