OpenVPN Error - packet with wrong KeyID

Hello all,

Every so often some of our routers become slow and unusable. The errors are always “packet with wrong KeyID.” Rebooting the router sometimes helps, sometimes not. We have not restarted our openvpn server and I can’t think of anything that changed. This week this happened to at least three (out of our 150) routers, and rebooting has not helped. I’m including 2 logs (the router and the server) and 2 configs (the router and the server) below, with some comments. Can anyone please help?

  1. The router’s error log shows this:
    sep/13/2019 11:19:19 ovpn,debug,error,bgp,info,script,critical,critical,error packet with wrong keyID 6, expected 7, dropping
    sep/13/2019 11:19:20 ovpn,debug,error,bgp,info,script,critical,critical,error packet with wrong keyID 6, expected 7, dropping

  2. The server’s log shows the following. Every hour the router “checks in” with the server, and we see lines in the logs like the ones below at 9:18 and 10:18. At about 11AM (I imagine at 11:19), the client’s Internet became slow. The log below shows, at 11:19, “Connection reset, restarting [-1]” and “SIGUSR1[soft,connection-reset] received, client-instance restarting” and after that, the client router gets “wrong Key” errors. Here’s the relevant server log:

Fri Sep 13 09:18:51 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 09:18:53 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=192340211/0 pkts=248337/0
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Fri Sep 13 10:18:53 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 10:18:55 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=196140441/0 pkts=237463/0
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Fri Sep 13 11:18:55 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 11:18:58 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=140446386/0 pkts=184153/0
Fri Sep 13 11:19:29 2019 client0075/198.nnn.nnn.nn:27434 Connection reset, restarting [-1]
Fri Sep 13 11:19:29 2019 client0075/198.nnn.nnn.nn:27434 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Sep 13 11:19:31 2019 198.nnn.nnn.nn:52120 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 11:19:32 2019 198.nnn.nnn.nn:52120 [client0075] Peer Connection Initiated with [AF_INET]198.nnn.nnn.nn:52120
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI_sva: pool returned IPv4=10.200.0.75, IPv6=2500::8bd:c98e:c955:0
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI: Learn: 10.200.0.75 → client0075/198.nnn.nnn.nn:52120
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI: primary virtual IP for client0075/198.nnn.nnn.nn:52120: 10.200.0.75
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 PUSH: Received control message: ‘PUSH_REQUEST’
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 send_push_reply(): safe_cap=960
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 SENT CONTROL [client0075]: ‘PUSH_REPLY,dhcp-option DNS 4.2.2.2,socket-flags TCP_NODELAY,route-gateway 10.200.0.1,topology subnet,ifconfig 10.200.0.75 255.255.0.0’ (status=1)
Fri Sep 13 11:41:24 2019 198.nnn.nnn.nn:17993 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 11:41:25 2019 198.nnn.nnn.nn:17993 [client0075] Peer Connection Initiated with [AF_INET]198.nnn.nnn.nn:17993
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 TCP/UDP: Closing socket
Fri Sep 13 11:41:25 2019 MULTI: new connection by client ‘client0075’ will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Sep 13 11:41:25 2019 MULTI: Learn: 10.200.0.75 → client0075/198.nnn.nnn.nn:17993
Fri Sep 13 11:41:25 2019 MULTI: primary virtual IP for client0075/198.nnn.nnn.nn:17993: 10.200.0.75
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 PUSH: Received control message: ‘PUSH_REQUEST’
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 send_push_reply(): safe_cap=960
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 SENT CONTROL [client0075]: ‘PUSH_REPLY,dhcp-option DNS 4.2.2.2,socket-flags TCP_NODELAY,route-gateway 10.200.0.1,topology subnet,ifconfig 10.200.0.75 255.255.0.0’ (status=1)
Fri Sep 13 12:41:25 2019 client0075/198.nnn.nnn.nn:17993 TLS: soft reset sec=0 bytes=89953563/0 pkts=121254/0
Fri Sep 13 12:41:28 2019 client0075/198.nnn.nnn.nn:17993 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 12:41:28 2019 client0075/198.nnn.nnn.nn:17993 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Data Channel Encrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Data Channel Decrypt: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

  3. The openvpn config is simple. Here’s the router config:
    name="ovpn-out1" mac-address=xx:xx:xx:xx:xx:xx max-mtu=1500 connect-to=nnn.nnn.nnn.nnn port=1194 mode=ip user="xxx" password="xxx" profile=default certificate=cert2 auth=sha1 cipher=null add-default-route=no

  4. And here is our openvpn server config:
    dev tun
    tls-server
    ca ca.crt
    dh dh2048.pem
    cert proxy1.crt
    key proxy1.key
    port 1194
    ping 15
    ping-timer-rem
    persist-tun
    persist-key
    verb 3
    proto tcp-server
    server 10.200.0.0 255.255.0.0
    ifconfig-pool-persist tls-clients.txt
    socket-flags TCP_NODELAY
    cipher none
    push "dhcp-option DNS 4.2.2.2"
    push "socket-flags TCP_NODELAY"
    topology subnet
    log /var/log/openvpn_0.log
    status /var/log/openvpn_0_status.log
    client-config-dir client-configs

Thank you!
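A small log-triage script, added here as an example and not part of the original post, that pairs each server-side "TLS: soft reset" (the hourly key renegotiation) with its outcome for the same client instance, and pulls the received/expected key IDs out of the router's "wrong keyID" lines. The sample lines are constructed to mimic the logs above (the client address is a documentation IP, not a real one).

```python
import re
from datetime import datetime

# Constructed sample, modelled on the server log format in the post.
SERVER_LOG = """\
Fri Sep 13 10:18:55 2019 client0075/198.51.100.10:27434 TLS: soft reset sec=0 bytes=196140441/0 pkts=237463/0
Fri Sep 13 10:18:58 2019 client0075/198.51.100.10:27434 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 11:18:58 2019 client0075/198.51.100.10:27434 TLS: soft reset sec=0 bytes=140446386/0 pkts=184153/0
Fri Sep 13 11:19:29 2019 client0075/198.51.100.10:27434 Connection reset, restarting [-1]
Fri Sep 13 11:19:29 2019 client0075/198.51.100.10:27434 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Sep 13 11:19:31 2019 MULTI: new connection by client 'client0075' will cause previous active sessions by this client to be dropped.
"""

# Constructed sample, modelled on the RouterOS log lines in the post.
CLIENT_LOG = """\
sep/13/2019 11:19:19 ovpn,debug,error packet with wrong keyID 6, expected 7, dropping
sep/13/2019 11:19:20 ovpn,debug,error packet with wrong keyID 6, expected 7, dropping
"""

# timestamp, then "<cn>/<ip>:<port>", then the message; lines without an instance are skipped
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<inst>[\w.-]+/[\d.]+:\d+) (?P<msg>.*)$")
KEYID_RE = re.compile(r"packet with wrong keyID (\d+), expected (\d+)")

def audit_renegotiations(log_text):
    """Return (instance, start, outcome, seconds) per soft reset: did the new key
    go into use ("Data Channel Encrypt"), or did the instance hit a connection reset?"""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        inst, msg = m["inst"], m["msg"]
        if msg.startswith("TLS: soft reset"):
            pending[inst] = ts                      # renegotiation started
        elif inst in pending and msg.startswith(("Data Channel Encrypt:", "Connection reset")):
            started = pending.pop(inst)
            outcome = "ok" if msg.startswith("Data Channel Encrypt:") else "connection-reset"
            results.append((inst, started, outcome, int((ts - started).total_seconds())))
    results += [(inst, started, "unresolved", None) for inst, started in pending.items()]
    return results

def wrong_keyid_events(log_text):
    """Return (received_keyid, expected_keyid) for each dropped packet on the router side."""
    return [(int(a), int(b)) for a, b in KEYID_RE.findall(log_text)]

if __name__ == "__main__":
    for inst, started, outcome, secs in audit_renegotiations(SERVER_LOG):
        print(f"{started:%H:%M:%S} {inst} renegotiation: {outcome} ({secs}s)")
    print("client drops (received, expected):", wrong_keyid_events(CLIENT_LOG))
```

Run against a full day of server logs, the "connection-reset" rows line up with the minute each router's hourly renegotiation failed, which is the window to compare against the router-side keyID drops.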