Bug #3022

OpenVPN does not failover to the 2nd configured LDAP auth.server

Added by Alexander Kolesnik about 6 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
OpenVPN
Target version:
-
Start date:
06/05/2013
Due date:
% Done:

0%

Estimated time:
Affected Version:
Affected Architecture:

Description

More details:
http://forum.pfsense.org/index.php/topic,62570.msg337904.html#msg337904

It might be a limitation of PHP 5.2, which does not provide the LDAP_OPT_NETWORK_TIMEOUT option, so ldap_connect() tries to connect to the LDAP server over and over, even if there's another one configured.
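As an added illustration (this is not pfSense's own openvpn.auth-user.php, nor code from the reporter), the PHP snippet below shows the failover behaviour the report asks for: each configured server is tried in order with LDAP_OPT_NETWORK_TIMEOUT set, so a dead first server is given up on after a few seconds instead of holding the bind until the OS TCP timeout. The server URIs, the direct user bind (pfSense binds a service account and then searches; a direct bind with the user's DN or UPN is assumed here for brevity) and the timeout value are assumptions. Failover happens only on a connection-level error (LDAP_SERVER_DOWN, errno -1); a live server that rejects the password (LDAP_INVALID_CREDENTIALS, errno 49) is an authoritative answer and is not retried against the next server, so an outage cannot be confused with a wrong password and vice versa.

```php
<?php
// Added example: authenticate against an ordered list of LDAP servers, failing
// over only on connectivity errors. Needs PHP >= 5.3 for LDAP_OPT_NETWORK_TIMEOUT,
// which is exactly the option the bug report says PHP 5.2 lacks.

// Constructed sample server list; the hostnames are placeholders.
$ldapServers = array('ldap://dc1.example.test', 'ldap://dc2.example.test');

/**
 * Returns array('ok' => bool, 'server' => string|null, 'reason' => string).
 * 'ok' is true only if some server accepted the bind; 'server' names the server
 * that gave the final (authoritative) answer, or null if none was reachable.
 */
function ldap_auth_with_failover(array $servers, $bindDn, $password, $timeoutSec = 5)
{
    // An empty password is treated by many directories as an anonymous bind,
    // which would "succeed" without verifying anything; refuse it up front.
    if ($password === '') {
        return array('ok' => false, 'server' => null, 'reason' => 'empty password');
    }

    foreach ($servers as $uri) {
        // In current PHP ldap_connect() only parses the URI; the TCP connect
        // happens inside ldap_bind(), which is where the network timeout applies.
        $ldap = @ldap_connect($uri);
        if ($ldap === false) {
            error_log("ldap failover: malformed URI $uri, skipping");
            continue;
        }
        ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);       // usual setting for Active Directory
        ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, $timeoutSec);

        if (@ldap_bind($ldap, $bindDn, $password)) {
            ldap_unbind($ldap);
            return array('ok' => true, 'server' => $uri, 'reason' => 'bind succeeded');
        }

        $errno  = ldap_errno($ldap);   // -1 == LDAP_SERVER_DOWN ("Can't contact LDAP server")
        $errstr = ldap_error($ldap);
        ldap_unbind($ldap);

        if ($errno === -1) {
            // Connection-level failure: this is the only case that should fail over.
            error_log("ldap failover: $uri unreachable ($errstr), trying next server");
            continue;
        }
        // Any other result (49 invalid credentials, 50 insufficient access, ...)
        // came from a live server and must not be retried elsewhere.
        return array('ok' => false, 'server' => $uri, 'reason' => "$errno $errstr");
    }
    return array('ok' => false, 'server' => null, 'reason' => 'no LDAP server reachable');
}

// Usage (constructed values): $username and $password come from the VPN client.
$result = ldap_auth_with_failover($ldapServers, 'svenl@example.test', 'not-a-real-password');
if (!$result['ok']) {
    error_log('ldap auth failed: ' . $result['reason']);
}
```

The per-server timeout bounds the worst case at roughly timeout times the number of servers, which is what keeps the OpenVPN TLS handshake from exceeding its 60-second key-negotiation window while the first controller is down; logging which server answered also makes an outage of the primary visible in the auth log rather than only as a generic bind error.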

History

#1 Updated by Alexander Kolesnik about 4 years ago

Two years have passed... any chance of having that fixed in the near future?

#2 Updated by Chris Buechler over 3 years ago

  • Category set to OpenVPN

#3 Updated by Sven Lennartz about 3 years ago

Facing the same issue.
Currently we have 2 entries for 'Backend for authentication' selected (Active Directory domain controllers).
Whenever the first one goes down, OpenVPN connections get lost and new connections do not work.

Here's a snippet from the logs for one login attempt:

Jun 21 08:08:21 openvpn 21624 109.44.3.38:33876 TLS Error: TLS handshake failed
Jun 21 08:08:21 openvpn 21624 109.44.3.38:33876 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 TLS Error: incoming packet authentication failed from [AF_INET]109.44.3.38:33876
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1466489247) Tue Jun 21 08:07:27 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 TLS Error: incoming packet authentication failed from [AF_INET]109.44.3.38:33876
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1466489247) Tue Jun 21 08:07:27 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 TLS Error: incoming packet authentication failed from [AF_INET]109.44.3.38:33876
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1466489247) Tue Jun 21 08:07:27 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 TLS Error: incoming packet authentication failed from [AF_INET]109.44.3.38:33876
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1466489247) Tue Jun 21 08:07:27 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 TLS Error: incoming packet authentication failed from [AF_INET]109.44.3.38:33876
Jun 21 08:07:47 openvpn 21624 109.44.3.38:33876 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #7 / time = (1466489247) Tue Jun 21 08:07:27 2016 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Jun 21 08:07:47 openvpn user 'svenl' authenticated
Jun 21 08:07:47 openvpn /openvpn.auth-user.php: ERROR! Could not bind to server w2003svr1.