ygreenfield
Joined: Wed May 29, 2013 7:29 am

OpenVPN Error - packet with wrong KeyID

Fri Sep 13, 2019 8:21 pm

Hello all,

Every so often some of our routers become slow and unusable. The errors are always "packet with wrong KeyID." Rebooting the router sometimes helps, sometimes not. We have not restarted our openvpn server and I can't think of anything that changed. This week this happened to at least three (out of our 150) routers, and rebooting has not helped. I'm including 2 logs (the router and the server) and 2 configs (the router and the server) below, with some comments. Can anyone please help?

1. The router's error log shows this:
sep/13/2019 11:19:19 ovpn,debug,error,,,,,,,,,bgp,info,,script,,,critical,,,,,,,,,critical,,,,error packet with wrong keyID 6, expected 7, dropping
sep/13/2019 11:19:20 ovpn,debug,error,,,,,,,,,bgp,info,,script,,,critical,,,,,,,,,critical,,,,error packet with wrong keyID 6, expected 7, dropping

2. The server's log shows the following. Every hour the router "checks in" with the server, and we see in the logs lines like the ones below at 9:18 and 10:18. At about 11AM (I imagine at 11:19), the client's Internet became slow. The log below shows, at 11:19, "Connection reset, restarting [-1]" and "SIGUSR1[soft,connection-reset] received, client-instance restarting" and after that, the client router gets "wrong Key" errors. Here's the relevant server log:

Fri Sep 13 09:18:51 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 09:18:53 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=192340211/0 pkts=248337/0
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 09:18:55 2019 client0075/198.nnn.nnn.nn:27434 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Fri Sep 13 10:18:53 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 10:18:55 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=196140441/0 pkts=237463/0
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 10:18:58 2019 client0075/198.nnn.nnn.nn:27434 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA

Fri Sep 13 11:18:55 2019 client0075/198.nnn.nnn.nn:27434 TLS: tls_process: killed expiring key
Fri Sep 13 11:18:58 2019 client0075/198.nnn.nnn.nn:27434 TLS: soft reset sec=0 bytes=140446386/0 pkts=184153/0
Fri Sep 13 11:19:29 2019 client0075/198.nnn.nnn.nn:27434 Connection reset, restarting [-1]
Fri Sep 13 11:19:29 2019 client0075/198.nnn.nnn.nn:27434 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Sep 13 11:19:31 2019 198.nnn.nnn.nn:52120 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 11:19:32 2019 198.nnn.nnn.nn:52120 [client0075] Peer Connection Initiated with [AF_INET]198.nnn.nnn.nn:52120
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI_sva: pool returned IPv4=10.200.0.75, IPv6=2500::8bd:c98e:c955:0
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI: Learn: 10.200.0.75 -> client0075/198.nnn.nnn.nn:52120
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 MULTI: primary virtual IP for client0075/198.nnn.nnn.nn:52120: 10.200.0.75
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 send_push_reply(): safe_cap=960
Fri Sep 13 11:19:32 2019 client0075/198.nnn.nnn.nn:52120 SENT CONTROL [client0075]: 'PUSH_REPLY,dhcp-option DNS 4.2.2.2,socket-flags TCP_NODELAY,route-gateway 10.200.0.1,topology subnet,ifconfig 10.200.0.75 255.255.0.0' (status=1)
Fri Sep 13 11:41:24 2019 198.nnn.nnn.nn:17993 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 11:41:25 2019 198.nnn.nnn.nn:17993 [client0075] Peer Connection Initiated with [AF_INET]198.nnn.nnn.nn:17993
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 TCP/UDP: Closing socket
Fri Sep 13 11:41:25 2019 MULTI: new connection by client 'client0075' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Fri Sep 13 11:41:25 2019 MULTI: Learn: 10.200.0.75 -> client0075/198.nnn.nnn.nn:17993
Fri Sep 13 11:41:25 2019 MULTI: primary virtual IP for client0075/198.nnn.nnn.nn:17993: 10.200.0.75
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 PUSH: Received control message: 'PUSH_REQUEST'
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 send_push_reply(): safe_cap=960
Fri Sep 13 11:41:25 2019 client0075/198.nnn.nnn.nn:17993 SENT CONTROL [client0075]: 'PUSH_REPLY,dhcp-option DNS 4.2.2.2,socket-flags TCP_NODELAY,route-gateway 10.200.0.1,topology subnet,ifconfig 10.200.0.75 255.255.0.0' (status=1)
Fri Sep 13 12:41:25 2019 client0075/198.nnn.nnn.nn:17993 TLS: soft reset sec=0 bytes=89953563/0 pkts=121254/0
Fri Sep 13 12:41:28 2019 client0075/198.nnn.nnn.nn:17993 VERIFY OK: depth=1, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=ournetwork/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 12:41:28 2019 client0075/198.nnn.nnn.nn:17993 VERIFY OK: depth=0, /C=US/ST=NY/L=NewYork/O=ournetwork/OU=ournetwork/CN=client0075/name=ournetwork/emailAddress=support@ournetwork.com
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Sep 13 12:41:29 2019 client0075/198.nnn.nnn.nn:17993 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA


3. The openvpn config is simple. Here's the router config:
name="ovpn-out1" mac-address=xx:xx:xx:xx:xx:xx max-mtu=1500 connect-to=nnn.nnn.nnn.nnn port=1194 mode=ip user="xxx" password="xxx" profile=default certificate=cert2 auth=sha1 cipher=null add-default-route=no

4. And here is our openvpn server config:
dev tun
tls-server
ca ca.crt
dh dh2048.pem
cert proxy1.crt
key proxy1.key
port 1194
ping 15
ping-timer-rem
persist-tun
persist-key
verb 3
proto tcp-server
server 10.200.0.0 255.255.0.0
ifconfig-pool-persist tls-clients.txt
socket-flags TCP_NODELAY
cipher none
push "dhcp-option DNS 4.2.2.2"
push "socket-flags TCP_NODELAY"
topology subnet
log /var/log/openvpn_0.log
status /var/log/openvpn_0_status.log
client-config-dir client-configs

Thank you!
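The hourly "TLS: soft reset" lines in the server log above are OpenVPN's periodic TLS renegotiation (the `reneg-sec` default is 3600 seconds), and the failure in the post starts with a renegotiation that is followed half a minute later by a connection reset. The script below is an added example, not code from the post or from OpenVPN: it parses the server-log line format shown in the post, groups lines by client instance (the `common_name/ip:port` prefix), measures the interval between renegotiations per instance, and flags any soft reset that is followed by a "Connection reset" on the same instance within a configurable window. The sample log lines are constructed to mirror the post (placeholder IP, shortened certificate subject), and the parser assumes IPv4 peer addresses in the instance prefix.

```python
"""Correlate OpenVPN server-log TLS renegotiations with connection resets.

Added example (not from the forum post or from OpenVPN). It reads the
server-log format shown in the post, keys lines by client instance and
reports renegotiations that are quickly followed by a connection reset.
"""
import re
from datetime import datetime, timedelta

# Constructed sample mirroring the post's server log (placeholder IP,
# shortened certificate subject). Only the line shapes matter here.
SAMPLE_LOG = """\
Fri Sep 13 10:18:53 2019 client0075/198.51.100.10:27434 TLS: tls_process: killed expiring key
Fri Sep 13 10:18:55 2019 client0075/198.51.100.10:27434 TLS: soft reset sec=0 bytes=196140441/0 pkts=237463/0
Fri Sep 13 10:18:58 2019 client0075/198.51.100.10:27434 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Fri Sep 13 11:18:55 2019 client0075/198.51.100.10:27434 TLS: tls_process: killed expiring key
Fri Sep 13 11:18:58 2019 client0075/198.51.100.10:27434 TLS: soft reset sec=0 bytes=140446386/0 pkts=184153/0
Fri Sep 13 11:19:29 2019 client0075/198.51.100.10:27434 Connection reset, restarting [-1]
Fri Sep 13 11:19:29 2019 client0075/198.51.100.10:27434 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Sep 13 11:19:31 2019 198.51.100.10:52120 VERIFY OK: depth=0, /C=US/CN=client0075
Fri Sep 13 11:19:32 2019 client0075/198.51.100.10:52120 MULTI: primary virtual IP for client0075/198.51.100.10:52120: 10.200.0.75
"""

# Timestamp, then an optional "common_name/ipv4:port" instance prefix,
# then the message. Lines without an instance (e.g. "MULTI: ..." or a
# not-yet-authenticated "ip:port VERIFY OK" line) leave `inst` as None.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:(?P<inst>[^/\s]+/\d[\d.]*:\d+) )?(?P<msg>.*)$"
)

# A reset this soon after a renegotiation is what the post describes;
# the window is an assumption and can be tuned for a given deployment.
RESET_WINDOW = timedelta(seconds=120)


def parse_line(line):
    """Return (timestamp, instance_or_None, message) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("inst"), m.group("msg")


def renegotiation_intervals(log_text):
    """Seconds between consecutive TLS soft resets, per client instance.

    With the default reneg-sec these sit close to 3600 s."""
    times = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] is None:
            continue
        ts, inst, msg = parsed
        if msg.startswith("TLS: soft reset"):
            times.setdefault(inst, []).append(ts)
    return {inst: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for inst, t in times.items()}


def find_reneg_resets(log_text, window=RESET_WINDOW):
    """Return (instance, soft_reset_ts, connection_reset_ts) for every
    'Connection reset' that follows a TLS soft reset on the same instance
    within `window`."""
    last_soft_reset = {}  # instance -> timestamp of its most recent soft reset
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or parsed[1] is None:
            continue
        ts, inst, msg = parsed
        if msg.startswith("TLS: soft reset"):
            last_soft_reset[inst] = ts
        elif msg.startswith("Connection reset"):
            started = last_soft_reset.get(inst)
            if started is not None and ts - started <= window:
                findings.append((inst, started, ts))
    return findings


if __name__ == "__main__":
    for inst, gaps in renegotiation_intervals(SAMPLE_LOG).items():
        print(f"{inst}: renegotiation intervals {gaps} s")
    for inst, start, reset in find_reneg_resets(SAMPLE_LOG):
        delay = int((reset - start).total_seconds())
        print(f"{inst}: connection reset {delay} s after renegotiation at {start:%H:%M:%S}")
```

Run against a real `/var/log/openvpn_0.log`, the intervals show whether renegotiation really happens once an hour, and the findings list gives the exact client instances whose renegotiation ended in a reset, which is the population to compare against the routers that then log "wrong keyID".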
