I am getting the subject error of IP pool being full on one of my newly configured servers. For reference, this VPN server is configured with a /27 pool with a maximum of 3 devices to be connected at a time. Furthermore, the organization attached to this server has two users created at the moment, out of which one is a test user which was only used for initial verification. Afterwards, since the older versions of pritunl (mine is currently v1.32.3805.95) did not have pool_cursor set to null, I also checked my database to verify in case this was the point of issue, but it was already set to null as expected. Now, I am at a loss as to what could be the issue, as the pool is clearly big enough to cater to the user(s), but after a while (I’m assuming when all IPs are leased), the VPN refuses to connect to more than one device, citing authentication failure at the client end but pool full errors in the system logs. If anyone has any idea what may be the source of the issue for this single VPN server, I would appreciate any help/pointers I get. Thanks in advance!
All users attached to the server are assigned a static IP address even if the user doesn’t connect. The virtual network subnet size should be large enough for all the static IP addresses and, if multiple devices are allowed, additional space for those temporary addresses.
Thanks for the support, as per usual! I understand that the first IP is statically assigned to each user (profile) and the other two IPs will be dynamically assigned. Seeing as how I only have two users (so a maximum of 6 IPs assigned at one time due to the limit), I don’t see how the /27 pool can be fully utilized in this case. The current theory I have is that the leased IPs are not being released upon user disconnect (maybe there is a huge lease time). If this is the case, can you guide me on how to verify this? Otherwise, what could be causing this issue?
Each server consumes a user on a randomly selected attached organization which is used for the server certificate. These server users can be seen by holding shift and clicking the green Organization label.
User certificates can take time to generate so the server pre-generates users set by sudo pritunl set app.user_pool_size 6 to have available for faster single sign-on login. That can be reduced but the existing pooled users will still exist and there is no method in the web console to remove those hidden users. Each organization will have pooled users.
There are also unresolved issues with the method used to handle IP addresses on servers with multiple devices enabled. It isn’t a DHCP server with lease times, it’s handled in the Pritunl server but there are issues with IP addresses not being correctly restored to the pool.
Appreciate the support, Zach! As per my understanding then, there are still enough IP addresses freely available to cater to the random user generating user certificates. While I understand that the issues you have highlighted with servers having multiple devices enabled may be the source of this issue, it is still concerning for us, as I have to manually restart the server every day so that my users are able to carry on working without facing extensive downtime. Is there any solution or workaround to this issue that I could implement at my end? If possible, can you confirm if there is a CLI-based command that would allow me to restart the one specific VPN server so that I may set up a cron as a solution for now, in order to avoid periods of complete inaccessibility of the VPN on secondary devices for my users?
I’ve been unable to reproduce the issue. Check the clients_pool collection for documents with a null user_id; these indicate available addresses. If the pool is full and there are no null user_id documents, check for matching user_id documents to see if the IP addresses are left allocated to users no longer connected. If there are, check if it’s from an OpenVPN or WireGuard connection.
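The triage the reply above describes, written out as an added example rather than code from Pritunl or from anyone in this thread. Only the collection name clients_pool and the user_id field (null meaning the address is free) come from the thread; the address, type and server_id fields, the sample documents, and the set of currently connected user ids are assumptions for illustration. The documents stand in for what a pymongo `db.clients_pool.find({"server_id": ...})` would return; the connected set is whatever the web console currently shows as online.

```python
# Added example, not Pritunl code. Audits clients_pool documents to separate
# free addresses (user_id null) from addresses still held by users who are no
# longer connected, and groups the latter by connection type. Field names other
# than user_id ("address", "type", "server_id") are assumptions.
from collections import Counter

# Constructed sample documents (a /27 has 30 usable hosts; six shown here).
# Equivalent mongosh check for free entries: db.clients_pool.find({user_id: null})
SAMPLE_DOCS = [
    {"_id": 1, "server_id": "srv1", "address": "10.8.0.4", "user_id": None, "type": "ovpn"},
    {"_id": 2, "server_id": "srv1", "address": "10.8.0.5", "user_id": "u-alice", "type": "ovpn"},
    {"_id": 3, "server_id": "srv1", "address": "10.8.0.6", "user_id": "u-alice", "type": "wg"},
    {"_id": 4, "server_id": "srv1", "address": "10.8.0.7", "user_id": "u-test", "type": "ovpn"},
    {"_id": 5, "server_id": "srv1", "address": "10.8.0.8", "user_id": "u-bob", "type": "wg"},
    {"_id": 6, "server_id": "srv1", "address": "10.8.0.9", "user_id": "u-bob", "type": "wg"},
]

# Assumed: user ids the console currently lists as connected to this server.
CONNECTED_USER_IDS = {"u-alice"}


def audit_clients_pool(docs, connected_user_ids):
    """Classify each pool document as available, in use, or leaked.

    available: user_id is null, so the address can be handed out.
    in_use:    user_id belongs to a currently connected user.
    leaked:    user_id is set but that user is not connected, i.e. the
               address was never returned to the pool on disconnect.
    """
    available, in_use, leaked = [], [], []
    for doc in docs:
        uid = doc.get("user_id")
        if uid is None:
            available.append(doc)
        elif str(uid) in connected_user_ids:  # real ids are ObjectIds; compare as str
            in_use.append(doc)
        else:
            leaked.append(doc)
    return {
        "available": [d["address"] for d in available],
        "in_use": [d["address"] for d in in_use],
        "leaked": [(d["address"], str(d["user_id"]), d.get("type", "unknown")) for d in leaked],
        "leaked_by_type": dict(Counter(d.get("type", "unknown") for d in leaked)),
        "pool_full": not available,
    }


def release_update(leaked_doc_ids):
    """Build (filter, update) that would null user_id on the leaked entries,
    returning them to the pool. Returned, not executed: apply it with
    collection.update_many(*release_update(ids)) only while the server is
    stopped, since the running server also writes this collection (assumption)."""
    return ({"_id": {"$in": list(leaked_doc_ids)}}, {"$set": {"user_id": None}})


if __name__ == "__main__":
    report = audit_clients_pool(SAMPLE_DOCS, CONNECTED_USER_IDS)
    print("pool full:", report["pool_full"])
    print("available:", report["available"])
    print("in use:   ", report["in_use"])
    for address, uid, conn_type in report["leaked"]:
        print(f"leaked: {address} held by {uid} via {conn_type}")
    print("leaked by type:", report["leaked_by_type"])
```

Run it against real data by replacing SAMPLE_DOCS with the pymongo cursor for the affected server and CONNECTED_USER_IDS with the online list; a full pool with a non-empty leaked list, concentrated on one connection type, is the evidence the reply asks for.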