pfSense bugtracker https://redmine.pfsense.org/ 2021-03-18T11:39:02Z
pfSense - Bug #11699: OpenVPN does not clean up parsed ``Cisco-AVPair`` rules on non-graceful disconnect
https://redmine.pfsense.org/issues/11699?journal_id=52534 2021-03-18T11:39:02Z Jim Pingle
<p>According to the OpenVPN docs and other posts I see, the disconnect script should be run even on ping timeout / unclean disconnects, so perhaps there is something else amiss here.</p>
<p>There was one user who said it didn't work in some cases, but it's an old post and they didn't follow up if they were ever able to resolve it: <a class="external" href="https://forums.openvpn.net/viewtopic.php?t=21869">https://forums.openvpn.net/viewtopic.php?t=21869</a></p>
https://redmine.pfsense.org/issues/11699?journal_id=52540 2021-03-18T12:07:07Z Viktor Gurov
<p>Jim Pingle wrote:</p>
<blockquote>
<p>According to the OpenVPN docs and other posts I see, the disconnect script should be run even on ping timeout / unclean disconnects, so perhaps there is something else amiss here.</p>
<p>There was one user who said it didn't work in some cases, but it's an old post and they didn't follow up if they were ever able to resolve it: <a class="external" href="https://forums.openvpn.net/viewtopic.php?t=21869">https://forums.openvpn.net/viewtopic.php?t=21869</a></p>
</blockquote>
<p>It works</p>
<p>After connecting:<br /><pre>
# pfctl -a openvpn/ovpns1_raduser1_5558 -sr
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
</pre></p>
<p>Disconnect by timeout (inactive 100):<br /><pre>
Mar 18 20:02:40 pf41 openvpn[76775]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.88.42:1194
Mar 18 20:02:40 pf41 openvpn[76775]: UDPv4 link local (bound): [AF_INET]192.168.88.41:0
Mar 18 20:02:40 pf41 openvpn[76775]: UDPv4 link remote: [AF_INET]192.168.88.42:1194
Mar 18 20:03:40 pf41 openvpn[76775]: Inactivity timeout (--ping-restart), restarting
Mar 18 20:03:40 pf41 openvpn[76775]: SIGUSR1[soft,ping-restart] received, process restarting
Mar 18 20:03:42 pf41 openvpn[60506]: CA41client/192.168.88.5:5558 Inactivity timeout (--inactive), exiting
</pre></p>
<p>Result:<br /><pre>
# pfctl -a openvpn/ovpns1_raduser1_5558 -sr
pfctl: DIOCGETRULES: Invalid argument
</pre></p>
https://redmine.pfsense.org/issues/11699?journal_id=52556 2021-03-19T04:14:26Z Viktor Gurov
<p>I think it is better to set the inactive timeout to the default value (like 300 seconds) for new instances<br />to clean up ACL and DNS entries for non-graceful disconnected clients</p>
https://redmine.pfsense.org/issues/11699?journal_id=52677 2021-03-25T01:17:20Z Viktor Gurov
<p>Set default OpenVPN inactive timeout to 300:<br /><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/204">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/204</a></p>
https://redmine.pfsense.org/issues/11699?journal_id=52729 2021-03-29T08:14:04Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Pull Request Review</i></li><li><strong>Target version</strong> set to <i>CE-Next</i></li><li><strong>Affected Version</strong> deleted (<del><i>2.5.0</i></del>)</li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=53500 2021-05-11T15:11:08Z Jim Pingle
<ul><li><strong>Plus Target Version</strong> set to <i>21.05</i></li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=53615 2021-05-12T07:13:50Z Anonymous
<ul><li><strong>Status</strong> changed from <i>Pull Request Review</i> to <i>Feedback</i></li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=53712 2021-05-12T14:41:47Z Jim Pingle
<ul><li><strong>Subject</strong> changed from <i>OpenVPN doesn't cleanup parsed Cisco-AVPair rules on non-graceful disconnect</i> to <i>OpenVPN does not clean up parsed ``Cisco-AVPair`` rules on non-graceful disconnect</i></li></ul><p>Updating subject for release notes.</p>
https://redmine.pfsense.org/issues/11699?journal_id=54095 2021-05-27T07:55:51Z Jim Pingle
<ul><li><strong>Target version</strong> changed from <i>CE-Next</i> to <i>2.5.2</i></li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=54255 2021-06-02T13:26:26Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=54417 2021-06-10T04:17:18Z Viktor Gurov
<p>This is not enabled for new servers created by the Remote Access Wizard.</p>
<p>fix:<br /><a class="external" href="https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/280">https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/280</a></p>
<p>see also <a class="issue tracker-4 status-3 priority-4 priority-default closed" title="Todo: Set ``explicit-exit-notify`` option by default for new OpenVPN server instances (Resolved)" href="https://redmine.pfsense.org/issues/11684#note-7">#11684#note-7</a></p>
https://redmine.pfsense.org/issues/11699?journal_id=54548 2021-06-16T07:55:29Z Renato Botelho (renato@netgate.com)
<ul><li><strong>Assignee</strong> set to <i>Viktor Gurov</i></li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=56153 2021-09-01T20:10:04Z Marcos M
<ul><li><strong>File</strong> <i>playback_output.txt</i> added</li><li><strong>File</strong> <i>active_users.txt</i> added</li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=56161 2021-09-02T10:53:30Z Marcos M
<ul><li><strong>File</strong> deleted (<del><i>active_users.txt</i></del>)</li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=56162 2021-09-02T10:53:32Z Marcos M
<ul><li><strong>File</strong> deleted (<del><i>playback_output.txt</i></del>)</li></ul>
https://redmine.pfsense.org/issues/11699?journal_id=56164 2021-09-02T10:56:48Z Marcos M
<p>Moved possibly related issue to <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: OpenVPN does not clear old Cisco-AVPair anchor rules in some cases (Resolved)" href="https://redmine.pfsense.org/issues/12332">#12332</a></p>