After upgrade 1.3 Mac hangs after confirming reachability.

Got a problem with Viscosity or need help? Ask here!

matt.wasserman

Posts: 14
Joined: Sun May 22, 2011 9:41 pm

Post by matt.wasserman » Mon May 30, 2011 11:54 pm
I have this problem on 3 machines at the moment. I'm concerned that there will be more once people come back from the holiday weekend.

On one of my personal machines, I have 2 VPNs configured. Our corporate VPN, and another one. The other one works fine. When I attempt to connect to the corporate VPN, it connects and then immediately disconnects. the log says
WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier.
which is interesting, because it's the error message you get when you run OpenVPN on Vista or Win 7 without admin privileges. I've never seen this message on a Mac before, and never had to do anything with permissions beyond letting them get changed when the program is first run.

Tunnelblick continues to work fine, though returning to it means accepting the reliability issues that caused us to buy Viscosity in the first place.

I know I may be asking for too much here, but it would be really great to have a good solution for this before I have 50 users contacting me first thing tomorrow morning :)

Thanks
Matt

matt.wasserman

Posts: 14
Joined: Sun May 22, 2011 9:41 pm

Post by matt.wasserman » Tue May 31, 2011 1:50 am
Update -

So after uninstalling everything (using app cleaner) and installing version 1.2, everything is working again.

Not sure what changes I made trying to fix this may have caused. But a user machine that couldn't connect after installing 1.3 and had no other changes made to it went right on after going back to the older version.

talltexan

Posts: 6
Joined: Sun May 29, 2011 6:26 am

Post by talltexan » Tue May 31, 2011 1:55 am
James, hooray for weekends.
Today, Monday, 30 May, I was going to do the revert to version 1.2.3 .... and pulled up the log to answer your question about no additional messages.
And
it worked. I am connected. If I had not been trying this weekend, I probably never would have known about the problem. John (co-worker) says he had a situation with a dead socket that cleared up after multiple shutdown/reboots. Guess this was something similar.
Thanks for your help during the off hours.

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue May 31, 2011 7:54 am
Hi Matt,

Can you post a full copy of the OpenVPN log (minus any sensitive addresses)?

The "script-security" message is normal. Version 1.2.3 and previous versions of Viscosity changed this value as it needed elevated permissions for its DNS support requests, however version 1.3 no longer needs to do this and uses the OpenVPN default value (1), which results in the warning.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue May 31, 2011 7:56 am
Hi talltexan,

Glad to hear it's working for you now, and thanks for the follow up.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue May 31, 2011 9:00 am
Notice For Those With Problems

If you are just seeing the following two lines on the OpenVPN log, and nothing else, please try the steps below. We'd greatly appreciate your feedback.
"Checking reachability status of connection...
Connection is reachable. Starting connection attempt."
1. Reinstall Viscosity by dragging the Viscosity application to the trash, and then downloading and installing version 1.3 again.

2. Restart your computer. Please actually try this one.

3. Try installing the experimental build below and connecting with it. Again, we'd really appreciate your feedback here.
http://www.thesparklabs.com/downloads/b ... .3.1b1.zip

Just some extra notes about number 3: We think the problem might be related to a management interface bug in OpenVPN 2.2 itself. We saw this in the Windows version (and worked around it), but we have never seen it in the Mac version. Under the Windows version it would only occur on slower machines. This build includes the same workarounds - so while we can't test it (as neither we or our testers have experienced the problem) - we'd appreciate it if you could give it a try and see if it resolves the problem for you.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

matt.wasserman

Posts: 14
Joined: Sun May 22, 2011 9:41 pm

Post by matt.wasserman » Tue May 31, 2011 10:56 pm
Tried 1.3b - still no good.

Here is the log:

Checking reachability status of connection...
Connection is reachable. Starting connection attempt.
May 31 08:47:09: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 31 08:47:09: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
May 31 08:47:10: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 31 08:47:10: LZO compression initialized
May 31 08:47:10: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:443 [nonblock]
May 31 08:47:14: TCP connection established with xxx.xxx.xxx.xxx:443
May 31 08:47:14: TCPv4_CLIENT link local: [undef]
May 31 08:47:14: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:443
May 31 08:47:15: [openvpn] Peer Connection Initiated with xxx.xxx.xxx.xxx:443
May 31 08:47:17: TUN/TAP device /dev/tap0 opened
May 31 08:47:17: /sbin/ifconfig tap0 delete
May 31 08:47:17: NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
May 31 08:47:17: /sbin/ifconfig tap0 xxx.xxx.xxx.xxx netmask 255.255.255.0 mtu 1500 up
May 31 08:47:17: ./up.sh tap0 1500 1576 xxx.xxx.xxx.xxx 255.255.255.0 init
May 31 08:47:17: WARNING: External program may not be called unless '--script-security 2' or higher is enabled. Use '--script-security 3 system' for backward compatibility with 2.1_rc8 and earlier. See --help text or man page for detailed info.

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Jun 01, 2011 1:11 am
Hi Matt,

It seems like you are using a custom OpenVPN up script (up.sh) - do you know what it does? Are you able to post its contents (minus any sensitive addresses)?

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

jprez1980

Posts: 2
Joined: Wed Jun 01, 2011 1:14 am

Post by jprez1980 » Wed Jun 01, 2011 1:20 am
James,

I wanted to also let you know that we're experiencing the same problem with 1.3. Upon downgrading to 1.2.3 we are now able to successfully VPN back in.

This is as far as we can get in 1.3:

Checking reachability status of connection...
Connection is reachable. Starting connection attempt.
(Hangs)

Thanks,
JP

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Jun 01, 2011 1:26 am
Hi JP,

Thanks for the notice. Do you have any better luck with the experimental build posted above?

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
27 posts Page 2 of 3