Reneg-sec option not working

Got a problem with Viscosity or need help? Ask here!

patd

Posts: 3
Joined: Fri Nov 09, 2018 3:09 am

Post by patd » Fri Nov 09, 2018 3:15 am
I currently have reneg-sec 10 set on both the server and client; however; the client is not being prompted to re-auth after the 10 second interval.

Seems to work in the openvpn client itself fine; however, testing with viscosity it does not.

Any ideas?

Eric

User avatar
Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Fri Nov 09, 2018 1:51 pm
Hi patd,

Your auth credentials are most likely either being cached, or you have them saved, which would be why you are not seeing a credential window appear. Can you see a reneg occurring in the log?

https://sparklabs.com/support/kb/articl ... envpn-log/

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

patd

Posts: 3
Joined: Fri Nov 09, 2018 3:09 am

Post by patd » Sat Nov 10, 2018 6:08 am
Hi Eric,

Thank you for your reply.

I have auth-nocache defined in my config file as well reneg-sec 10 (just for testing). I don't see any attempt to renegotiate after the 10 second timer has expired.

I've also tried pushing these commands from my openvpn access server to the viscosity client.

The log reads as follows when connecting.

Options error: options "auth-nocache' cannot be used in this context {[PUSH-OPTIONS]}
Options error: options "reneg-sec' cannot be used in this context {[PUSH-OPTIONS}]

Eric

User avatar
Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Nov 12, 2018 1:45 pm
Hi patd,

Those options can't be pushed as the option-error says.

First off, please try adding verb 5 to your config, as the standard verb level may not be displaying the reneg in the log.

From here, a few things could be happening:

The renegotiation is successfully taking place, you're simply not seeing it in the log.

The issue may be how low you have the reneg-sec setting, that the reneg might be taking place before the connection is properly established and breaking the functionality. You could try upping the timer to reneg-sec 30.

Finally, as you are using Access Server, please keep in mind that you have support for session tokens. Viscosity supports session tokens where as OpenVPN on it's own does not. The session token is generated when you first connect and is used between the client (whether this be Viscosity or the AS Client) and Access Server so a username/password does not need to be prompted for on each renegotiation. Session tokens are on by default in Access Server, I believe there is an option to disable them though somewhere.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

patd

Posts: 3
Joined: Fri Nov 09, 2018 3:09 am

Post by patd » Tue Nov 13, 2018 12:29 am
Eric,

Thank you for all the helpful information.

I'll dig around and tweak a few settings and see what I can find.

Thanks again.
5 posts Page 1 of 1