Bug 969433 - OpenVPN frequently disconnects
OpenVPN frequently disconnects
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn (Show other bugs)
20
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-31 08:05 EDT by Vít Ondruch
Modified: 2015-12-18 02:26 EST (History)
10 users (show)

See Also:
Fixed In Version: NetworkManager-openvpn-1.0.0-4.el7 NetworkManager-openvpn-1.0.8-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-18 02:26:05 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vít Ondruch 2013-05-31 08:05:31 EDT
Description of problem:
Since I installed F19, OpenVPN frequently disconnects. I have never had any issues with OpenVPN when using F18, so I assume something bad happened to NM.

Version-Release number of selected component (if applicable):
$ rpm -q NetworkManager-openvpn 
NetworkManager-openvpn-0.9.6.0-2.fc19.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Connect to OpenVPN
2. journalctl: kvě 31 08:57:56 unused-4-195.brq.redhat.com nm-openvpn[13599]: Initialization Sequence Completed
3. journalctl: 

kvě 31 10:18:18 unused-4-195.brq.redhat.com nm-openvpn[13599]: [ovpn-ams2.redhat.com] Inactivity timeout (--ping-exit), exiting
kvě 31 10:18:18 unused-4-195.brq.redhat.com avahi-daemon[642]: Withdrawing workstation service for tun0.
kvě 31 10:18:18 unused-4-195.brq.redhat.com nm-openvpn[13599]: SIGTERM[soft,ping-exit] received, process exiting
kvě 31 10:18:25 unused-4-195.brq.redhat.com NetworkManager[783]: <info> VPN service 'openvpn' disappeared


Actual results:
OpenVPN is frequently disconnecting.

Expected results:
OpenVPN is stalbe as it used to be on F18

Additional info:
Comment 1 Jirka Klimes 2013-07-18 04:38:53 EDT
There's an update for NM-openvpn plugin: NetworkManager-openvpn-0.9.8.2-2.fc19

I'm not sure what/if something changed in regard to the issue. But the update works for me without disconnects. I'm now connected for more than 10 hours.
Comment 2 Vít Ondruch 2013-08-23 04:56:21 EDT
Still an issue :/

$ rpm -q NetworkManager-openvpn
NetworkManager-openvpn-0.9.8.2-3.fc19.x86_64

In 1 hour after connection, I can find this log entries:

srp 23 10:16:02 localhost nm-openvpn[2162]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1417'
srp 23 10:16:02 localhost nm-openvpn[2162]: WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1360'

and in another 20 minutes the connection drops:

srp 23 10:36:36 localhost nm-openvpn[2162]: [ovpn-ams2.redhat.com] Inactivity timeout (--ping-exit), exiting
srp 23 10:36:36 localhost avahi-daemon[670]: Withdrawing workstation service for tun0.
srp 23 10:36:36 localhost nm-openvpn[2162]: SIGTERM[soft,ping-exit] received, process exiting
srp 23 10:36:36 localhost NetworkManager[757]: <info> VPN plugin state changed: stopped (6)
srp 23 10:36:36 localhost NetworkManager[757]: <info> VPN plugin state change reason: 0
srp 23 10:36:36 localhost avahi-daemon[670]: Withdrawing address record for 192.168.0.112 on wlp3s0.
srp 23 10:36:36 localhost avahi-daemon[670]: Leaving mDNS multicast group on interface wlp3s0.IPv4 with address 192.168.0.112.
srp 23 10:36:36 localhost avahi-daemon[670]: Interface wlp3s0.IPv4 no longer relevant for mDNS.
srp 23 10:36:36 localhost avahi-daemon[670]: Joining mDNS multicast group on interface wlp3s0.IPv4 with address 192.168.0.112.
srp 23 10:36:36 localhost avahi-daemon[670]: New relevant interface wlp3s0.IPv4 for mDNS.
srp 23 10:36:36 localhost avahi-daemon[670]: Registering new address record for 192.168.0.112 on wlp3s0.IPv4.
srp 23 10:36:37 localhost NetworkManager[757]: <info> Policy set 'VitaLinksysE4200' (wlp3s0) as default for IPv4 routing and DNS.
srp 23 10:36:38 localhost dbus-daemon[671]: dbus[671]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.se
srp 23 10:36:38 localhost dbus-daemon[671]: dbus[671]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.nm-dispatcher.service': Unit dbus-org.freedesktop.n
srp 23 10:36:38 localhost dbus[671]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
srp 23 10:36:38 localhost dbus[671]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.nm-dispatcher.service': Unit dbus-org.freedesktop.nm-dispatcher.servi
srp 23 10:36:38 localhost NetworkManager[757]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
srp 23 10:36:38 localhost NetworkManager[757]: <warn> (4) failed to find interface name for index
srp 23 10:36:38 localhost NetworkManager[757]: nm_system_iface_flush_routes: assertion `iface != NULL' failed
srp 23 10:36:38 localhost NetworkManager[757]: <warn> (4) failed to find interface name for index
srp 23 10:36:38 localhost NetworkManager[757]: <warn> Dispatcher failed: (32) Unit dbus-org.freedesktop.nm-dispatcher.service failed to load: No such file or directory. See sys
srp 23 10:36:43 localhost NetworkManager[757]: <info> VPN service 'openvpn' disappeared
Comment 3 Vít Ondruch 2013-09-27 04:28:07 EDT
The same issue on F20:

$ rpm -q NetworkManager-openvpn
NetworkManager-openvpn-0.9.8.2-3.fc20.x86_64
Comment 4 Dan Williams 2013-11-26 11:33:50 EST
Do you know what the remote server configuration is?  Does the remote server have an inactivity timeout setting enable that causes the remote side to disconnect if the client doesn't pass traffic for a while?
Comment 6 Vít Ondruch 2014-12-10 05:02:09 EST
I resolved this issue by setting "Use custom renegotiation interval" to zero. I really don't understand, why this is not set by default? Why anybody would like to reconnect and why is this behaving so strange after the default one hour timeout.

Could you please change the default? Thanks.
Comment 7 Dan Williams 2015-04-08 10:59:49 EDT
We can default this to zero in the client to disable *client* renegotiation requests, but note that since openvpn does not really negotiate values between client and server (and instead expects the values to just magically match) the server can have a completely different renegotiation interval.

That said, using a default value of 0 for the client will stop this gotcha, at least for those of us that use two-factor authentication.
Comment 8 Fedora Update System 2015-04-08 11:17:41 EDT
NetworkManager-openvpn-1.0.0-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-1.0.0-2.fc21
Comment 9 Fedora Update System 2015-04-08 11:19:50 EDT
NetworkManager-openvpn-1.0.0-3.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-1.0.0-3.fc22
Comment 10 Fedora Update System 2015-04-09 05:12:46 EDT
Package NetworkManager-openvpn-1.0.0-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing NetworkManager-openvpn-1.0.0-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5847/NetworkManager-openvpn-1.0.0-2.fc21
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2015-04-14 12:50:41 EDT
NetworkManager-openvpn-1.0.0-3.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-1.0.0-3.el7
Comment 12 Fedora Update System 2015-04-16 10:46:53 EDT
NetworkManager-openvpn-1.0.0-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-1.0.0-4.el7
Comment 13 Suren Karapetyan 2015-04-18 19:06:52 EDT
The fix causes issues if using preshared key auth:

nm-openvpn[22134]: Options error: Parameter renegotiate_seconds can only be specified in TLS-mode, i.e. where --tls-server o
r --tls-client is also specified.

When I set the interval to 3600 it works.
Comment 14 Fedora Update System 2015-04-21 14:57:03 EDT
NetworkManager-openvpn-1.0.0-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora End Of Life 2015-05-29 05:05:26 EDT
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 16 Fedora End Of Life 2015-06-29 21:31:31 EDT
Fedora 20 changed to end-of-life (EOL) status on 2015-06-23. Fedora 20 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 17 Fedora Update System 2015-11-24 08:05:39 EST
NetworkManager-fortisslvpn-1.0.8-1.el7 NetworkManager-vpnc-1.0.8-1.el7 NetworkManager-openvpn-1.0.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2919d6d7d9
Comment 18 Fedora Update System 2015-11-24 14:57:48 EST
NetworkManager-openvpn-1.0.0-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2015-11-25 19:54:21 EST
NetworkManager-fortisslvpn-1.0.8-1.el7, NetworkManager-openvpn-1.0.8-1.el7, NetworkManager-vpnc-1.0.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update NetworkManager-openvpn NetworkManager-vpnc NetworkManager-fortisslvpn'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2919d6d7d9
Comment 20 Fedora Update System 2015-12-01 11:56:15 EST
NetworkManager-openvpn-1.0.8-1.el7 NetworkManager-vpnc-1.0.8-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2919d6d7d9
Comment 21 Fedora Update System 2015-12-02 23:21:01 EST
NetworkManager-openvpn-1.0.8-1.el7, NetworkManager-vpnc-1.0.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'yum --enablerepo=epel-testing update NetworkManager-openvpn NetworkManager-vpnc'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-2919d6d7d9
Comment 22 Fedora Update System 2015-12-18 02:25:58 EST
NetworkManager-openvpn-1.0.8-1.el7, NetworkManager-vpnc-1.0.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.