Connecting Issue with Sangoma End Points over OpenVPN

Okay, I’m a bit at my wits’ end here and not sure what to do. I have a number of Sangoma Series phones, mostly S500, S700, S705, that have been connecting for the last few years without issue to my PBX via OpenVPN. All of a sudden last week they started becoming unreachable for a few moments and then become reachable again. The issue is consistent across all extensions connecting over the VPN. They are all using chan_SIP over standard ports (5060). NAT is set to Yes (force_rport,comedia). I’m running FPBX 14.0.13.4 with Asterisk 13.22.0. All my modules are up-to-date and I have no Yum updates. The PBX is a VMS running on CyberLynk’s servers. Not all the phones are on the same network. There are a couple of ATA devices for things like a physical fax machine that connect, not over VPN, without any issues. If I disable the VPN for extensions in the EPM they seem to connect fine. When we can connect a call, they seem to drop after exactly 1 minute. I’m really scratching my head over here and not sure where to go next. Right now we basically have no choice but to run the business off our mobile phones, which is a major issue. Does anyone have any thoughts?

Look at the messages log - what's being reported by openvpn in /var/log/messages?

Is the unreachable device associated with the tunnel being down? While the phone is reported as unreachable, do pings to its VPN IP fail?

Here is what I am seeing, but I don’t really know what I am looking at. (Note: I’ve redacted my IPs.)

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 TLS: soft reset sec=0 bytes=553685/67108864 pkts=1753/0

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 TLS: soft reset sec=0 bytes=324117/67108864 pkts=1307/0

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client41/XXX.XX.2XX.24X:58424 TLS: tls_process: killed expiring key

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 VERIFY OK: depth=1, CN=FreePBX

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 VERIFY OK: depth=0, CN=client29

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 Outgoing Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 Outgoing Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 Incoming Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 Incoming Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client29/XXX.XX.2XX.24X:35532 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 VERIFY OK: depth=1, CN=FreePBX

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 VERIFY OK: depth=0, CN=client37

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 Outgoing Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 Outgoing Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 Incoming Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 client37/XX.1XX.1XX.7XX:60919 Incoming Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client37/XX.1XX.1XX.7XX:60919 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 TLS: soft reset sec=0 bytes=433111/67108864 pkts=1400/0

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 VERIFY OK: depth=1, CN=FreePBX

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 VERIFY OK: depth=0, CN=client41

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 Outgoing Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 Outgoing Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 Incoming Data Channel: Cipher ‘BF-CBC’ initialized with 128 bit key

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 Incoming Data Channel: Using 160 bit message hash ‘SHA1’ for HMAC authentication

Jul 22 17:53:07 pbx1 openvpn: Mon Jul 22 17:53:07 2019 client41/XXX.XX.2XX.24X:58424 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
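Added example, not part of the original thread: one way to condense log lines like the ones above into a per-client view of rekey events, data-channel cipher, control-channel TLS version and the weak-cipher warning. The sample lines are constructed from the thread with documentation addresses in place of the redacted IPs, and the reading of the `soft reset` fields (`sec` as seconds left before a time-based rekey, `bytes` and `pkts` as used/limit with 0 meaning no limit) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the thread's log; 192.0.2.x are documentation
# addresses standing in for the redacted client IPs.
PFX = "Jul 22 17:53:06 pbx1 openvpn: Mon Jul 22 17:53:06 2019 "
SAMPLE = "\n".join(PFX + s for s in [
    "client29/192.0.2.10:35532 TLS: soft reset sec=0 bytes=553685/67108864 pkts=1753/0",
    "client29/192.0.2.10:35532 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key",
    "client29/192.0.2.10:35532 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).",
    "client29/192.0.2.10:35532 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA",
    "client41/192.0.2.11:58424 TLS: soft reset sec=0 bytes=433111/67108864 pkts=1400/0",
    "client41/192.0.2.11:58424 TLS: tls_process: killed expiring key",
])

CLIENT = re.compile(r"\d{4} (?P<cn>[^/\s]+)/\S+ (?P<msg>.*)$")
RESET = re.compile(r"soft reset sec=(-?\d+) bytes=(\d+)/(-?\d+) pkts=(\d+)/(-?\d+)")
# Accept straight or typographic quotes, since pasted logs often carry the latter.
CIPHER = re.compile(r"Data Channel: Cipher ['\u2018]([^'\u2019]+)['\u2019]")
CONTROL = re.compile(r"Control Channel: ([^,\s]+),")

def reset_trigger(sec, nbytes, byte_limit, npkts, pkt_limit):
    """Guess which renegotiation limit fired (assumed field meaning, see lead-in)."""
    if byte_limit > 0 and nbytes >= byte_limit:
        return "bytes"
    if pkt_limit > 0 and npkts >= pkt_limit:
        return "packets"
    return "time" if sec <= 0 else "other"

def summarize(text):
    """Per-client view: rekey events, data-channel ciphers, TLS version, weak flag."""
    clients = defaultdict(lambda: {"resets": [], "ciphers": set(), "tls": set(), "weak": False})
    for line in text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue  # not a per-client OpenVPN line
        entry, msg = clients[m["cn"]], m["msg"]
        if (r := RESET.search(msg)):
            sec, nb, bl, npk, pl = map(int, r.groups())
            entry["resets"].append((reset_trigger(sec, nb, bl, npk, pl), nb, bl))
        if (c := CIPHER.search(msg)):
            entry["ciphers"].add(c[1])
        if (t := CONTROL.search(msg)):
            entry["tls"].add(t[1])
        entry["weak"] |= "INSECURE cipher" in msg
    return dict(clients)

if __name__ == "__main__":
    for cn, info in sorted(summarize(SAMPLE).items()):
        print(cn, info)
```

Comparing the reset timestamps per client against the times the phones show as unreachable tells you whether the rekeys and the dropouts line up.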
