Server: openvpn-2.1.1
Client: Win7, Openvpn 1.0.3
An employee had been connecting and says everything was fine, then recently he suddenly started getting disconnects.
The server logs show:
Mon Jul 4 22:12:28 2011 vv/27.539.37.226:19876 SENT CONTROL [vv]: 'PUSH_REPLY,route 195.136.172.0 255.255.255.0,route 172.172.172.0 255.255.255.0,route 10.111.111.1,topology net30,ping 10,ping-restart 120,ifconfig 10.111.111.6 10.111.111.5' (status=1)
Mon Jul 4 22:16:44 2011 vv/27.539.37.226:19876 TLS: new session incoming connection from 27.539.37.226:19876
Mon Jul 4 22:17:44 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 22:17:44 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 22:17:47 2011 vv/27.539.37.226:19876 TLS: new session incoming connection from 27.539.37.226:19876
Mon Jul 4 22:18:47 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 22:18:47 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 22:18:49 2011 vv/27.539.37.226:19876 TLS: new session incoming connection from 27.539.37.226:19876
Mon Jul 4 22:18:49 2011 vv/27.539.37.226:19876 VERIFY OK: depth=1, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=server/CN=testdomen_CA/name=as/emailAddress=as@testdomen.ru
Mon Jul 4 22:18:49 2011 vv/27.539.37.226:19876 VERIFY OK: depth=0, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=vv/CN=vv/name=vv/emailAddress=vv@testdomen.ru
Mon Jul 4 22:19:49 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 22:19:49 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 22:19:51 2011 vv/27.539.37.226:19876 TLS: new session incoming connection from 27.539.37.226:19876
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 VERIFY OK: depth=1, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=server/CN=testdomen_CA/name=as/emailAddress=as@testdomen.ru
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 VERIFY OK: depth=0, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=vv/CN=vv/name=vv/emailAddress=vv@testdomen.ru
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Mon Jul 4 22:19:53 2011 vv/27.539.37.226:19876 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jul 4 22:19:55 2011 vv/27.539.37.226:19876 PUSH: Received control message: 'PUSH_REQUEST'
Mon Jul 4 22:19:55 2011 vv/27.539.37.226:19876 SENT CONTROL [vv]: 'PUSH_REPLY,route 195.136.172.0 255.255.255.0,route 172.172.172.0 255.255.255.0,route 10.111.111.1,topology net30,ping 10,ping-restart 120,ifconfig 10.111.111.6 10.111.111.5' (status=1)
Mon Jul 4 22:50:12 2011 vv/27.539.37.226:19876 TLS: tls_multi_process: killed expiring key
Mon Jul 4 23:19:53 2011 vv/27.539.37.226:19876 TLS: soft reset sec=0 bytes=46720/0 pkts=776/0
Mon Jul 4 23:19:54 2011 vv/27.539.37.226:19876 VERIFY OK: depth=1, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=server/CN=testdomen_CA/name=as/emailAddress=as@testdomen.ru
Mon Jul 4 23:19:54 2011 vv/27.539.37.226:19876 VERIFY OK: depth=0, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=vv/CN=vv/name=vv/emailAddress=vv@testdomen.ru
Mon Jul 4 23:20:53 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 23:20:53 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 23:20:53 2011 vv/27.539.37.226:19876 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Mon Jul 4 23:21:08 2011 vv/27.539.37.226:19876 TLS: Initial packet from 27.539.37.226:19876, sid=7e2c0dfe 30d53dda
Mon Jul 4 23:22:08 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 23:22:08 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 23:22:23 2011 vv/27.539.37.226:19876 TLS: Initial packet from 27.539.37.226:19876, sid=c8086e40 35a42b05
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 VERIFY OK: depth=1, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=server/CN=testdomen_CA/name=as/emailAddress=as@testdomen.ru
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 VERIFY OK: depth=0, /C=RU/ST=RU/L=Moscow/O=testdomen/OU=vv/CN=vv/name=vv/emailAddress=vv@testdomen.ru
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jul 4 23:22:34 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jul 4 23:22:44 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jul 4 23:22:54 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jul 4 23:23:04 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jul 4 23:23:15 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
IPs and domain names have been deliberately changed.
Where should I dig, what should I look at, and what other data should I provide if needed?
>[overquoting removed]
> Mon Jul 4 23:22:44 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet
> HMAC authentication failed
> Mon Jul 4 23:22:54 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet
> HMAC authentication failed
> Mon Jul 4 23:23:04 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet
> HMAC authentication failed
> Mon Jul 4 23:23:15 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet
> HMAC authentication failed
> IPs and domain names have been deliberately changed.
> Where should I dig, what should I look at, and what other data should I provide if needed?

Well, the first thing that comes to mind is to reissue the certificates to the client.
The employee says that sometimes it works and sometimes it doesn't.
What is the point of reissuing the certificate? Do you mean the .crt, .csr, .key?
The employee has Kaspersky; maybe it is blocking it, I'll check.
Any other ideas?
Maybe it's because of TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
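
An added example, not part of the thread: a Python script that tallies, per client, the event types seen in the server log above and reports how many seconds after a completed handshake each HMAC failure was logged. The sample lines are copied from the log in the first post (addresses already altered by the poster); the function names and event labels are illustrative assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the server log in the first post of this thread.
SAMPLE_LOG = """\
Mon Jul 4 23:19:53 2011 vv/27.539.37.226:19876 TLS: soft reset sec=0 bytes=46720/0 pkts=776/0
Mon Jul 4 23:20:53 2011 vv/27.539.37.226:19876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Jul 4 23:20:53 2011 vv/27.539.37.226:19876 TLS Error: TLS handshake failed
Mon Jul 4 23:22:24 2011 vv/27.539.37.226:19876 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Jul 4 23:22:34 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Jul 4 23:22:44 2011 vv/27.539.37.226:19876 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

# timestamp, common name, peer address, peer port, message
LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (\S+)/(\S+):(\d+) (.*)$")

# Event label (assumed names) -> substring that identifies it in the message
EVENTS = {
    "handshake_timeout": "TLS key negotiation failed to occur within",
    "handshake_ok": "Control Channel:",
    "hmac_failure": "packet HMAC authentication failed",
    "soft_reset": "TLS: soft reset",
}

def parse(log_text):
    """Yield (timestamp, client, event) for every recognised log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip wrapped or unrelated lines
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for event, marker in EVENTS.items():
            if marker in m.group(5):
                yield ts, m.group(2), event

def summarize(log_text):
    """Return per-client event counts and (client, seconds) for each HMAC
    failure logged after that client's most recent completed handshake."""
    counts, last_ok, after_ok = {}, {}, []
    for ts, client, event in parse(log_text):
        counts.setdefault(client, Counter())[event] += 1
        if event == "handshake_ok":
            last_ok[client] = ts
        elif event == "hmac_failure" and client in last_ok:
            after_ok.append((client, int((ts - last_ok[client]).total_seconds())))
    return counts, after_ok

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On this excerpt the HMAC failures are logged 10 seconds apart, the same interval as the `ping 10` value the server pushes in PUSH_REPLY.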