Hi Jason,

On 07-10-14 21:59, Jason Haar wrote:
> One thing we're doing is allowing "duplicate-cn", but using our NAC test
> to reject clients using the same cert (get better logging of the
> offenders that way). Anyway, I have a Mac and Windows box set up to use
> the same cert to test this, and it causes an interesting situation...
>
> First client connects, second client connects, NAC script notices the
> same cert in use and kills the first connection. Second client later
> hangs up. If I then look at the first client hours later, it still
> thinks it's logged in! There is no error, it still has the tun interface
> up, but no traffic flows. The server shows no connection via either
> client (I use the management api to confirm that)
>
> We use "--ping", and tcpdump confirms the first client and server are
> still exchanging packets - but the server does not classify the client
> as being connected. But as the openvpn pings are still working, the
> client doesn't know it's actually disconnected. A simple "kill -HUP" on
> the client fixes everything as it forces a full restart
>
> So I have two questions:
>
> 1. The client uses "explicit-exit-notify" - but it looks like using the
> kill management command on the server does not tell the client it is
> hanging up? Wouldn't that be a good idea?
Sounds like a reasonable plan to me, yes. Then again, I'm not very familiar with the networking bits of openvpn.

> 2. The fact that ping is still working makes me think that means ping
> must be *separate* from session management? Isn't that a bad idea?

In OpenVPN each connection actually consists of two. One 'control' and one 'data' channel. The control channel is actually the TLS connection, which is set up by the TLS/SSL library. The ping packets are sent over the control channel, indicating that the TLS connection is still fully functional.

Seems like OpenVPN is shutting down the data channel, but not (successfully) shutting down the control channel. Sounds like a bug to me.

-Steffan

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
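Jason's NAC check above works by reading the server's management interface and killing sessions that reuse a certificate under "duplicate-cn". The following added example (mine, not Jason's script or any OpenVPN project code) shows one way to do that detection step: it parses the CSV output of the management `status 2` command, groups live sessions by Common Name, and emits a management `kill IP:port` command for every session except the newest one per CN. The status text is a constructed sample, and the column names are taken from the HEADER line so the parser does not depend on a fixed OpenVPN version.

```python
import csv
import io

# Constructed sample of "status 2" output as the OpenVPN management interface
# returns it (not real captured data; addresses are documentation ranges).
SAMPLE_STATUS = """\
TITLE,OpenVPN 2.3.x
TIME,Tue Oct  7 21:00:00 2014,1412715600
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username
CLIENT_LIST,laptop-mac,192.0.2.10:51001,10.8.0.6,1024,2048,Tue Oct  7 20:10:00 2014,1412712600,UNDEF
CLIENT_LIST,laptop-mac,198.51.100.7:40123,10.8.0.10,512,768,Tue Oct  7 20:45:00 2014,1412714700,UNDEF
CLIENT_LIST,desktop-win,203.0.113.5:33000,10.8.0.14,4096,8192,Tue Oct  7 19:00:00 2014,1412708400,UNDEF
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,laptop-mac,192.0.2.10:51001,Tue Oct  7 20:59:00 2014,1412715540
GLOBAL_STATS,Max bcast/mcast queue length,0
END
"""

def parse_client_list(status_text):
    """Return one dict per CLIENT_LIST row, keyed by the names in its HEADER line."""
    columns = None
    clients = []
    for row in csv.reader(io.StringIO(status_text)):
        if not row:
            continue
        if row[0] == "HEADER" and len(row) > 1 and row[1] == "CLIENT_LIST":
            columns = row[2:]          # column names follow the two tags
        elif row[0] == "CLIENT_LIST" and columns:
            clients.append(dict(zip(columns, row[1:])))
    return clients

def duplicate_cn_kill_commands(status_text):
    """For each Common Name with more than one live session, return management
    'kill IP:port' commands for every session except the most recent one."""
    by_cn = {}
    for client in parse_client_list(status_text):
        by_cn.setdefault(client["Common Name"], []).append(client)
    commands = []
    for cn, sessions in sorted(by_cn.items()):
        if len(sessions) < 2:
            continue
        # Oldest first; the last entry is the newest session and is kept.
        sessions.sort(key=lambda s: int(s["Connected Since (time_t)"]))
        for stale in sessions[:-1]:
            commands.append("kill %s" % stale["Real Address"])
    return commands

if __name__ == "__main__":
    for cmd in duplicate_cn_kill_commands(SAMPLE_STATUS):
        print(cmd)
```

Sending the resulting `kill` lines to the management socket drops the older session on the server side only; as the thread notes, the killed client is not told and may keep its tun interface up until it is restarted.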