Looping Connection Reset in OpenVPN with cert auth

    Question

  • Hi guys,


    I'm wondering if anyone has hit this issue before or knows where to try and look? So we've configured OpenVPN with an enterprise cert auth - and the authentication succeeds, however when we are trying to connect, it appears to be stuck in a loop without any reason for resetting the connection. Here is the log from OpenVPN:

    Fri Mar 15 16:13:56 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
    Fri Mar 15 16:13:56 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Fri Mar 15 16:13:56 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
    Enter Management Password:
    Fri Mar 15 16:13:56 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
    Fri Mar 15 16:13:56 2019 Need hold release from management interface, waiting...
    Fri Mar 15 16:13:57 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'state on'
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'log all on'
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'echo all on'
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'bytecount 5'
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold off'
    Fri Mar 15 16:13:57 2019 MANAGEMENT: CMD 'hold release'
    Fri Mar 15 16:13:57 2019 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Mar 15 16:13:57 2019 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,RESOLVE,,,,,,
    Fri Mar 15 16:13:57 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
    Fri Mar 15 16:13:57 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
    Fri Mar 15 16:13:57 2019 Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
    Fri Mar 15 16:13:57 2019 MANAGEMENT: >STATE:1552626837,TCP_CONNECT,,,,,,
    Fri Mar 15 16:13:58 2019 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
    Fri Mar 15 16:13:58 2019 TCP_CLIENT link local: (not bound)
    Fri Mar 15 16:13:58 2019 TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
    Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,WAIT,,,,,,
    Fri Mar 15 16:13:58 2019 MANAGEMENT: >STATE:1552626838,AUTH,,,,,,
    Fri Mar 15 16:13:58 2019 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:443, sid=bdd68f7c 804b05a6
    Fri Mar 15 16:13:58 2019 VERIFY OK: depth=2, C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
    Fri Mar 15 16:13:58 2019 VERIFY OK: depth=1, C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
    Fri Mar 15 16:13:58 2019 VERIFY KU OK
    Fri Mar 15 16:13:58 2019 Validating certificate extended key usage
    Fri Mar 15 16:13:58 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
    Fri Mar 15 16:13:58 2019 VERIFY EKU OK
    Fri Mar 15 16:13:58 2019 VERIFY X509NAME OK: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
    Fri Mar 15 16:13:58 2019 VERIFY OK: depth=0, C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=xxx.vpn.azure.com
    Fri Mar 15 16:14:13 2019 Connection reset, restarting [0]
    Fri Mar 15 16:14:13 2019 SIGUSR1[soft,connection-reset] received, process restarting
    Fri Mar 15 16:14:13 2019 MANAGEMENT: >STATE:1552626853,RECONNECTING,connection-reset,,,,,
    Fri Mar 15 16:14:13 2019 Restart pause, 5 second(s)
    Fri Mar 15 16:14:17 2019 SIGTERM[hard,init_instance] received, process exiting
    Fri Mar 15 16:14:17 2019 MANAGEMENT: >STATE:1552626857,EXITING,init_instance,,,,,


    I've found this website for reference, and have already tried the suggestions in it:

    https://social.msdn.microsoft.com/Forums/azure/en-US/023b18e1-877e-4ec9-b118-408bbcc95701/looping-connection-reset-in-openvpn-client-when-connecting-to-azure-p2s-gateway?forum=WAVirtualMachinesVirtualNetwork


    But still getting the same issues.

    Any assistance would be greatly appreciated!



    Friday, March 15, 2019 5:33 AM

All replies

  • Hi, 

    Can you try uninstalling the VPN package which is downloaded from Azure and try downloading again and install?

    Check this Doc: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-point-to-site-gateway-public-ca

    Maybe your gateway hasn't been updated. So downloading the package again and re-installing would help.

    Just to make sure, you download the latest config from P2S blade and let's check if that fixes the issue. 

    Regards, 

    Msrini


    Friday, March 15, 2019 5:55 AM
    Moderator
  • Hey mate,

    We have only just set up the VPN so we are using the certificate which is created by Azure (as per the link) and I have tried the latest configuration settings from the website. Still the same issue :(

    Any other ideas?

    Best regards,

    Mic

    23 hours 29 minutes ago
  • Please try the script at https://github.com/RZomerman/AzureGWOpenVPN to modify the ovpn profile and then try the connection again.
    8 hours 19 minutes ago
  • The client cert to be used for authentication must have "client authentication" EKU. Looks like the cert that you have created doesn't have this EKU. Please create a new certificate specifically with this EKU.
    7 hours 47 minutes ago
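
The check the last reply describes, as an added example that is not part of the thread: it pulls the client certificate out of an OpenVPN profile and reports whether it carries the "TLS Web Client Authentication" EKU. It assumes the profile embeds the certificate inline in a `<cert>...</cert>` block and that `openssl` is on the PATH; the function names and the sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the profile embeds the client
# certificate inline in a <cert>...</cert> block and that openssl is on PATH.

# Print the PEM certificate(s) found inside the profile's <cert> block.
extract_client_cert() {
    sed -n '/<cert>/,/<\/cert>/p' "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# 0 = clientAuth EKU present, 1 = absent (including no EKU extension at all),
# 2 = no certificate found in the profile. Only the first cert is inspected.
has_client_auth_eku() {
    pem=$(extract_client_cert "$1")
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Client Authentication'
}

# Constructed sample: write a profile to $2 holding a throwaway self-signed
# certificate whose EKU is $1 (for demonstration only, not an Azure profile).
make_sample_profile() {
    tmp=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' 'CN=sample-client' '[ext]' \
        "extendedKeyUsage=$1" > "$tmp/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    { echo 'client'; echo '<cert>'; cat "$tmp/cert.pem"; echo '</cert>'; } > "$2"
    rm -rf "$tmp"
}

# Check the profile given as $1, or two constructed samples if none is given.
if [ -n "${1:-}" ]; then
    set -- "$1"
else
    work=$(mktemp -d)
    make_sample_profile serverAuth "$work/server-only.ovpn"
    make_sample_profile clientAuth "$work/client.ovpn"
    set -- "$work/server-only.ovpn" "$work/client.ovpn"
fi
for p in "$@"; do
    if has_client_auth_eku "$p"; then echo "$p: clientAuth EKU present"
    else echo "$p: clientAuth EKU missing or no certificate"; fi
done
```

Run it with the path to the `.ovpn` file as the only argument; a certificate issued with only the server-authentication EKU is reported as missing the client one.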