Q: VPN fails when rebooted

I did some more experimenting and it seems that there is an timing problem with when the network interface is connected and when raccoon starts. I see the below errors. Apparently even though the VPN service shows as Up in the Server app it isn't actually running because raccoon can't bind. Any ideas how to fix this? The computer is on a wired Ethernet connection and has a static IP assigned (a fixed address from the DHCP server). I have no idea why the interface isn't ready immediately. The hostname assigned to the machine is via dynalias.com.

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500]: because interface address is/was not ready (flags 2).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500]: because interface address is/was not ready (flags 2).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500]: because interface address is/was not ready (flags 2).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500]: because interface address is/was not ready (flags 2).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[500]: because interface address is/was not ready (flags 2).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500] (Can't assign requested address).

Mar 18 13:18:25 mydomain.com racoon[291]: failed to bind to address fd30:bd15:8e4d:d4a:ac9c:c970:5377:f344[4500]: because interface address is/was not ready (flags 2).

I've been digging online and through the log files and cannot find a clue of what is causing this or how to 'fix' it. I'll probably test using a script to automatically stop and then restart the VPNs after a reboot

Writing the script isn't a problem for me. Figuring out how to run it a few minutes after a boot up is the trick. It's doable, I just need some time to research a robust approach.

OK, this solution works for me. First, create this script in /usr/local/bin and call it restartvpn.sh:

#!/bin/sh

#

# The "live" version of this script lives in /usr/local/bin

#

 

# In Yosemite and Server 4.0.x the racoon daemon fails to start correctly when there is a reboot

# It gives an error that it can't bind to an address

# The solution is to turn the VPN off and then back on, which clears this up

# That can be done manually but it's easy to forget when there is a reboot

# so this tries to automate that as a launchctl script

 

# If this runs immediately serveradmin returns an error and the script doesn't work so sleep some first

sleep 60

 

# Stop the VPN

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin stop vpn

echo Sleep until things settle down

sleep 180

 

# Now start it back up

echo Restarting VPN

/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin start vpn

echo VPN restart complete

Then create this plist file /Library/LaunchDaemons/yourdomain.restart.plist. Note you should put a domain in the name, instead of yourdomain, in the plist file name and in the Label value in the plist but it isn't mandatory AFAIK

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>Label</key>

    <string>yourdomain.restartvpn</string>

    <key>ProgramArguments</key>

    <array>

        <string>/usr/local/bin/restartvpn.sh</string>

    </array>

    <key>StandardOutPath</key>

    <string>/var/log/restartvpn.log</string>

    <key>StandardErrorPath</key>

    <string>/var/log/restartvpn.log</string>

    <key>RunAtLoad</key>

    <true/>

    <key>ExitTimeOut</key>

    <integer>300</integer>

    <key>LaunchOnlyOnce</key>

    <true/>

</dict>

</plist>

 

Now load it using

sudo launchctl load -w /Library/LaunchDaemons/yourdomain.restartvpn.plist

When you login after reboot this should get the VPN working. It logs to /var/log/restartvpn.log so you can watch the progress. Both sleeps seem necessary though I didn't experiment to see how short they could be.

I'm no expect at these launch daemons but this seems to work and I don't think there are any bad side effects. If there are, don't blame me

Hi Nico - I'm not having any other issues so I don't think I'll try setting up a new admin account but it's good to know that might something to try.

Ron

The scripts will only run after a reboot. You probably did one but didn't mention it so just in case.

I'm not an expert on launchctl and I've found it to be very fussy. If there is no /var/log/restartvpn.log file then it surely hasn't run. In my tests this file was routinely created, I think before the script even writes out anything.

Do you set the restartvpn.sh file to be executable: chmod +x /usr/local/bin/restartvpn.sh