TLS Key negotiation failed

  • runcross
    Junior Member
    • Oct 2024
    • 3

    TLS Key negotiation failed

    Hello,

    I know there are already a lot of posts about firewalls blocking this, but we have disabled every firewall on the server side. Nothing has helped so far. That is the reason why I'm asking again.

    Right now, we are using the Community Server, hosted in Switzerland. I will first explain a bit about our server setup. There are around 600 valid certificates on our server. Up to 200 are online at the same time. The clients that connect to the VPN server are excavators all over the world. Those excavators are connected via mobile connections and send the machine data through the VPN tunnel to an MQTT server.

    Until 26.09.2024 everything was fine. All clients connected normally, and there were no noticeable anomalies in the network. However, on September 26, 2024, at 10:30 CEST, we suddenly experienced a significant drop in the amount of data coming into our server. Around 50 machines suddenly stopped connecting. At first, we assumed it was an MQTT issue, but after some time, we realized that our VPN server was experiencing problems.

    We then analyzed the data to identify which machines were actually affected and, after an initial analysis, found that only machines (clients) from Norway were impacted. The provider Telenor, which our clients use to establish the internet connection, assured us that they had not made any changes and that there were no issues with their network.

    What is particularly strange for us is that sometimes the connection to the clients is established, while at other times it drops again. Moreover, not all clients in Norway are affected.

    The issue occurring on the OpenVPN server is that the TLS key negotiation failed. I have also attached the log (verb 6) for reference. Unfortunately, we currently do not have access to the logs of the clients.

    Here our server.conf:

    Code:
    port 1194
    proto tcp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh2048.pem
    server 10.8.0.0 255.255.0.0
    ifconfig-pool-persist ipp.txt
    client-config-dir ccd
    keepalive 10 120
    comp-lzo
    user nobody
    group nogroup
    persist-key
    persist-tun
    status ../openvpn-status.log
    log openvpn.log
    verb 6
    crl-verify crl.pem

    Thanks in advance for your help.
    Last edited by runcross; 2024-10-04, 02:26 AM.
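To confirm which clients fail and whether the failures are intermittent, the server log alone is enough. The following Python is an added example (not the poster's log or script, and not OpenVPN's own tooling): it parses lines in the shape OpenVPN writes to its log (the `us=` field is treated as optional), counts "TLS: Initial packet", "TLS key negotiation failed" and "Peer Connection Initiated" per client address, and aggregates the counters by /24 to see whether failures cluster in one address range, such as a single carrier's pool. The log lines, addresses and certificate names are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of OpenVPN server log lines; it is not the
# poster's attached log. Peer-specific lines carry "ip:port " after the timestamp.
SAMPLE_LOG = """\
Thu Sep 26 10:30:12 2024 us=100123 TCP connection established with [AF_INET]203.0.113.10:40211
Thu Sep 26 10:30:12 2024 us=100456 203.0.113.10:40211 TLS: Initial packet from [AF_INET]203.0.113.10:40211, sid=1a2b3c4d 5e6f7a8b
Thu Sep 26 10:31:12 2024 us=100789 203.0.113.10:40211 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 26 10:31:12 2024 us=100800 203.0.113.10:40211 TLS Error: TLS handshake failed
Thu Sep 26 10:31:12 2024 us=100811 203.0.113.10:40211 Fatal TLS error (check_tls_errors_co), restarting
Thu Sep 26 10:32:05 2024 us=200123 TCP connection established with [AF_INET]203.0.113.10:40388
Thu Sep 26 10:32:05 2024 us=200456 203.0.113.10:40388 TLS: Initial packet from [AF_INET]203.0.113.10:40388, sid=9f8e7d6c 5b4a3928
Thu Sep 26 10:32:06 2024 us=200789 203.0.113.10:40388 [excavator-no-017] Peer Connection Initiated with [AF_INET]203.0.113.10:40388
Thu Sep 26 10:33:00 2024 us=300123 TCP connection established with [AF_INET]198.51.100.7:52001
Thu Sep 26 10:33:00 2024 us=300456 198.51.100.7:52001 TLS: Initial packet from [AF_INET]198.51.100.7:52001, sid=11223344 55667788
Thu Sep 26 10:33:01 2024 us=300789 198.51.100.7:52001 [excavator-de-042] Peer Connection Initiated with [AF_INET]198.51.100.7:52001
Thu Sep 26 10:40:00 2024 us=400123 TCP connection established with [AF_INET]203.0.113.55:41000
Thu Sep 26 10:40:00 2024 us=400456 203.0.113.55:41000 TLS: Initial packet from [AF_INET]203.0.113.55:41000, sid=aabbccdd eeff0011
Thu Sep 26 10:41:00 2024 us=400789 203.0.113.55:41000 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Sep 26 10:41:00 2024 us=400800 203.0.113.55:41000 TLS Error: TLS handshake failed
"""

# Timestamp, optional "us=" field, then "ip:port message" for peer-specific lines.
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?:us=\d+ )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ (?P<msg>.*)$"
)
KEY_NEG_FAILED = "TLS Error: TLS key negotiation failed"
CONNECTED_RE = re.compile(r"^\[(?P<cn>[^\]]+)\] Peer Connection Initiated")


@dataclass
class PeerStats:
    attempts: int = 0        # "TLS: Initial packet" lines (handshake started)
    failures: int = 0        # key negotiation timed out
    successes: int = 0       # "Peer Connection Initiated"
    names: set = field(default_factory=set)  # certificate CNs seen on success

    def add(self, other):
        self.attempts += other.attempts
        self.failures += other.failures
        self.successes += other.successes
        self.names |= other.names


def parse_log(text):
    """Count handshake attempts, failures and successes per client IP."""
    stats = defaultdict(PeerStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = stats[m.group("ip")], m.group("msg")
        if msg.startswith("TLS: Initial packet"):
            s.attempts += 1
        elif msg.startswith(KEY_NEG_FAILED):
            s.failures += 1
        else:
            c = CONNECTED_RE.match(msg)
            if c:
                s.successes += 1
                s.names.add(c.group("cn"))
    return dict(stats)


def classify(stats):
    """'failing' = never completes, 'intermittent' = both outcomes seen, else 'healthy'."""
    return {
        ip: "intermittent" if s.failures and s.successes
        else "failing" if s.failures else "healthy"
        for ip, s in stats.items()
    }


def summarize_by_prefix(stats, prefix_len=24):
    """Aggregate per-IP counters into network prefixes, to see whether failures
    cluster in one address range (for instance a single carrier's pool)."""
    agg = defaultdict(PeerStats)
    for ip, s in stats.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        agg[str(net)].add(s)
    return dict(agg)


if __name__ == "__main__":
    stats = parse_log(SAMPLE_LOG)   # on a real server: open("openvpn.log").read()
    for ip, verdict in sorted(classify(stats).items()):
        s = stats[ip]
        print(f"{ip:16} {verdict:12} attempts={s.attempts} failed={s.failures} "
              f"ok={s.successes} {sorted(s.names)}")
    for net, s in sorted(summarize_by_prefix(stats).items()):
        print(f"{net:18} failed={s.failures} ok={s.successes}")
```

Run it against the real `openvpn.log` and compare the "intermittent" set with the list of machines that went quiet on the MQTT side; an address range whose failures start at one timestamp while neighbouring ranges stay healthy is the kind of evidence worth taking back to the carrier.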
  • runcross
    Junior Member
    • Oct 2024
    • 3

    #2
    I now have a new hint. The P_CONTROL_V1 message from OpenVPN gets a TCP retransmission, because it fails on the client side. This information is probably important. So there is definitely a TLS key exchange issue, where the client can't send its message.

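Post #2 points at TCP retransmissions of a P_CONTROL_V1 message. As an added example, not the poster's capture and not OpenVPN project code, the following Python decodes OpenVPN's TCP framing (2-byte length prefix, opcode/key-id byte, 8-byte session id, ack array, 4-byte packet id; no tls-auth or tls-crypt, matching the posted server.conf) on a constructed set of TCP segments and reports which control packet was retransmitted, in which direction, and how long after the original. The opcode numbers are OpenVPN's; the addresses, session ids, TLS payload stand-ins and timings are constructed.

```python
import struct
from dataclasses import dataclass

# Opcodes from OpenVPN's control-channel protocol definitions (upper 5 bits of
# the first packet byte; the low 3 bits are the key id).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2",
}
CONTROL_OPCODES = {1, 2, 3, 4, 7, 8}   # these carry a reliability-layer packet id


@dataclass(frozen=True)
class Segment:
    ts: float      # capture time in seconds
    src: str       # "ip:port"
    dst: str
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


def frame_control_packet(opcode, key_id, session_id, packet_id, body, acks=()):
    """Frame one OpenVPN control packet as sent over TCP: 2-byte big-endian
    length, opcode/key-id byte, 8-byte session id, ack count, acked packet ids,
    remote session id (only when acks are present), 4-byte packet id, payload.
    No tls-auth/tls-crypt wrapping, matching the posted server.conf."""
    pkt = bytes([(opcode << 3) | key_id]) + session_id
    pkt += bytes([len(acks)]) + b"".join(struct.pack(">I", a) for a in acks)
    if acks:
        pkt += b"\x00" * 8                      # remote session id (placeholder)
    pkt += struct.pack(">I", packet_id) + body
    return struct.pack(">H", len(pkt)) + pkt


def parse_openvpn_tcp(payload):
    """Decode the OpenVPN packets inside one TCP segment into
    (opcode name, key id, packet id or None for data/ack packets)."""
    out, off = [], 0
    while off + 2 <= len(payload):
        n = struct.unpack_from(">H", payload, off)[0]
        pkt = payload[off + 2:off + 2 + n]
        off += 2 + n
        if not pkt:
            break
        opcode, key_id, pid = pkt[0] >> 3, pkt[0] & 0x7, None
        if opcode in CONTROL_OPCODES and len(pkt) >= 10:
            acks = pkt[9]
            p = 10 + 4 * acks + (8 if acks else 0)   # skip ack ids + remote sid
            if len(pkt) >= p + 4:
                pid = struct.unpack_from(">I", pkt, p)[0]
        out.append((OPCODES.get(opcode, f"opcode {opcode}"), key_id, pid))
    return out


def find_retransmissions(segments):
    """Report segments re-sent with the same flow, seq and length (the simple
    TCP-retransmission signature) and decode the OpenVPN packet they carried."""
    first, reports = {}, {}
    for seg in sorted(segments, key=lambda s: s.ts):
        key = (seg.src, seg.dst, seg.seq, len(seg.payload))
        if key not in first:
            first[key] = seg
            continue
        r = reports.setdefault(key, {
            "direction": f"{seg.src} -> {seg.dst}", "seq": seg.seq,
            "length": len(seg.payload), "retransmits": 0, "delays": [],
            "packets": parse_openvpn_tcp(first[key].payload)})
        r["retransmits"] += 1
        r["delays"].append(round(seg.ts - first[key].ts, 3))
    return list(reports.values())


CLIENT, SERVER = "198.51.100.20:40211", "203.0.113.1:1194"        # constructed
SID_C, SID_S = bytes.fromhex("1a2b3c4d5e6f7a8b"), bytes.fromhex("9f8e7d6c5b4a3928")


def constructed_capture():
    """Constructed handshake: client reset, server reset, client P_CONTROL_V1
    (ClientHello stand-in), then a server P_CONTROL_V1 (certificate flight
    stand-in) that the server's TCP stack retransmits twice."""
    hello = b"\x16\x03\x01\x00\x80" + b"\x01" * 128
    certs = b"\x16\x03\x03\x05\x00" + b"\x0b" * 1280
    c_reset = frame_control_packet(7, 0, SID_C, 0, b"")
    s_reset = frame_control_packet(8, 0, SID_S, 0, b"", acks=(0,))
    c_hello = frame_control_packet(4, 0, SID_C, 1, hello, acks=(0,))
    s_certs = frame_control_packet(4, 0, SID_S, 1, certs, acks=(1,))
    return [
        Segment(0.000, CLIENT, SERVER, 1, c_reset),
        Segment(0.050, SERVER, CLIENT, 1, s_reset),
        Segment(0.120, CLIENT, SERVER, 1 + len(c_reset), c_hello),
        Segment(0.180, SERVER, CLIENT, 1 + len(s_reset), s_certs),
        Segment(1.200, SERVER, CLIENT, 1 + len(s_reset), s_certs),   # retransmission
        Segment(3.300, SERVER, CLIENT, 1 + len(s_reset), s_certs),   # retransmission
    ]


if __name__ == "__main__":
    for r in find_retransmissions(constructed_capture()):
        print(r["direction"], "seq", r["seq"], "len", r["length"],
              "retransmitted", r["retransmits"], "times, delays", r["delays"], "s")
        print("   carried:", r["packets"])
```

To use this on a real capture, export the segments (time, addresses, TCP sequence number, payload) from tshark or Wireshark into `Segment` objects; the report includes the segment length so you can see whether only the larger control segments are being retransmitted while small ones get through. The packet-id offset assumes no tls-auth or tls-crypt; with either of those the header after the opcode byte differs and only the opcode decoding still applies.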
