Netgate Discussion Forum

    (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted

      Mithrondil

      I'm getting this error message in the OpenVPN logs:
      lighttpd[99704]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted.

      What is this, and how do I fix it?

        acegreen

        I am having this issue as well. Any insight would be much appreciated.

        Feb 20 13:07:48 lighttpd[65607]: (network_openssl.c.118) SSL: 5 -1 1 Operation not permitted
        Feb 20 13:07:48 lighttpd[65607]: (connections.c.619) connection closed: write failed on fd 16
        Feb 20 13:07:48 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:10:15 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:10:20 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:12:20 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:12:21 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:14:19 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:17:26 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:17:27 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:20:00 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:21:55 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
        Feb 20 13:22:03 lighttpd[65607]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted

          doktornotor Banned

          Useless noise. Disable the lighttpd logging.

            acegreen

            Well, my connection to it from other devices on my LAN keeps dropping and has to reconnect; every 2 minutes it looks to be taking place.

            EDIT:

            okay here is my log
            attachment

            log.txt

              doktornotor Banned

              @acegreen:

              Well, my connection to it from other devices on my LAN keeps dropping and has to reconnect; every 2 minutes it looks to be taking place.

              What's IT?

                effgra

                I am also seeing this error message (along with a number of other equally confusing messages).  My scenario sounds similar…

                I have two pfSense boxes both running 2.2.2-RELEASE and are configured for HA via CARP (we will call them fw1 and fw2).  A few weeks ago, fw1 (primary) started exhibiting weird issues that match acegreen's issue.

                Setup:

                
                fw1-lagg0 -> LACP Trunk (passive) -> Cisco 2960X FlexStack (LACP Active) (External VLAN)
                fw1-lagg1 -> LACP Trunk (passive) -> Cisco 2960X FlexStack (LACP Active) (Internal VLANs)
                fw1-en0 -> fw2-en0 (Pfsync)
                
                fw2-lagg0 -> LACP Trunk (passive) -> Cisco 2960X FlexStack (LACP Active) (External VLAN)
                fw2-lagg1 -> LACP Trunk (passive) -> Cisco 2960X FlexStack (LACP Active) (Internal VLANs)
                fw1-en0 -> fw2-en0 (Pfsync)
                
                

                I have checked the Ciscos and verified that the Port-Channel interface is not showing that the interfaces are flapping.

                Upstream (fw1-lagg0)

                
                sw-master#show etherchannel 1 port-channel
                                Port-channels in the group:
                                ---------------------------
                
                Port-channel: Po1    (Primary Aggregator)
                
                ------------
                
                Age of the Port-channel   = 18d:02h:51m:24s
                Logical slot/port   = 9/1          Number of ports = 2
                HotStandBy port = null
                Port state          = Port-channel Ag-Inuse
                Protocol            =   LACP
                Port security       = Disabled
                
                Ports in the Port-channel:
                
                Index   Load   Port     EC state        No of bits
                ------+------+------+------------------+-----------
                  0     00     Gi1/0/37 Active             0
                  0     00     Gi2/0/37 Active             0
                
                Time since last port bundled:    1d:03h:31m:30s    Gi2/0/37
                Time since last port Un-bundled: 1d:03h:33m:03s    Gi2/0/37
                
                

                Downstream (fw1-lagg1)

                
                sw-master#show etherchannel 2 port-channel
                                Port-channels in the group:
                                ---------------------------
                
                Port-channel: Po2    (Primary Aggregator)
                
                ------------
                
                Age of the Port-channel   = 18d:02h:52m:16s
                Logical slot/port   = 9/2          Number of ports = 2
                HotStandBy port = null
                Port state          = Port-channel Ag-Inuse
                Protocol            =   LACP
                Port security       = Disabled
                
                Ports in the Port-channel:
                
                Index   Load   Port     EC state        No of bits
                ------+------+------+------------------+-----------
                  0     00     Gi1/0/38 Active             0
                  0     00     Gi2/0/38 Active             0
                
                Time since last port bundled:    1d:03h:32m:24s    Gi2/0/38
                Time since last port Un-bundled: 1d:03h:33m:59s    Gi2/0/38
                
                

                Any HTTP conversation I attempt to have results in a response from the pfSense device, followed by a browser timeout, and the below log message:

                
                lighttpd[91121]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
                
                

                Any OpenVPN connection that occurs results in an establishment of the session, then the session is dropped.  In the logs it is followed by:

                
                openvpn[93326]: write TCPv4_SERVER: Operation not permitted (code=1)
                
                

                Any SSH sessions I attempt to start allow me to log in, then time out with a "Write failed: Broken pipe" message, and a log on the server of:

                
                sshd[10183]: fatal: Write failed: Operation not permitted
                
                

                I assumed this may have been due to a failure of a NIC, however, a continuous ICMP check (during the failure times) never registers any packet loss.

                What usually resolves this is a forced power off, let it sit for a minute, then power back on… however that did not solve it this time.  Since I have failed over to fw2, I have been able to leave fw1 in this state. It is ripe for analysis.

                Any help would be appreciated.

                  cmb

                  Those logs are all indicative of the state table being wiped, or at least the HTTPS and SSH states in particular where that's being logged.

                  In OP's case, I'm guessing that's a different issue than yours, effgra. Yours is likely somehow pfsync-related. I'd like to check out that system with you if possible, if you can PM me to arrange something.

                  1 Reply Last reply Reply Quote 0
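A triage sketch for cmb's reading of these logs, added here and not part of the thread or of pfSense: it flags time windows in which several unrelated daemons all report "Operation not permitted" on writes, which points at lost firewall states rather than at any one service. The 120-second window, the two-daemon threshold, the placeholder year and the sample lines (constructed from the message formats quoted above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Matches BSD syslog lines shaped like those quoted in the thread:
#   "Feb 20 13:07:48 lighttpd[65607]: (...) Operation not permitted"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\w+)\[(\d+)\]: (.*)$")

def eperm_events(lines, year=2000):
    """Return sorted (timestamp, daemon) pairs for lines reporting EPERM.
    Syslog omits the year, so a placeholder year is supplied (assumption)."""
    out = []
    for line in lines:
        m = LINE.match(line.strip())
        if m and "Operation not permitted" in m.group(4):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return sorted(out)

def state_loss_windows(events, window=timedelta(seconds=120), min_daemons=2):
    """Cluster events whose gaps are <= window, then keep only clusters in
    which at least min_daemons distinct daemons failed their writes."""
    groups, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > window:
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    hits = []
    for g in groups:
        daemons = sorted({d for _, d in g})
        if len(daemons) >= min_daemons:
            hits.append((g[0][0], g[-1][0], daemons))
    return hits

# Constructed sample input (not taken from any real system).
SAMPLE = """\
Feb 20 09:00:01 lighttpd[91121]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
Feb 20 13:07:48 lighttpd[91121]: (connections.c.1692) SSL (error): 5 -1 1 Operation not permitted
Feb 20 13:08:10 openvpn[93326]: write TCPv4_SERVER: Operation not permitted (code=1)
Feb 20 13:08:55 sshd[10183]: fatal: Write failed: Operation not permitted
Feb 20 13:09:30 sshd[10183]: Accepted publickey for admin
""".splitlines()

if __name__ == "__main__":
    for start, end, daemons in state_loss_windows(eperm_events(SAMPLE)):
        print(f"{start:%b %d %H:%M:%S} to {end:%H:%M:%S}: {', '.join(daemons)}")
```

A lone lighttpd error, like the 09:00:01 line in the sample, is not flagged; only the cluster where lighttpd, openvpn and sshd fail together is reported.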
                    acherman

                    I am facing a similar issue - it started Sunday afternoon, seemingly out of nowhere.  Similar install - 2 CARP systems, Master and Slave (both on 2.2.2-Release, master on 64-bit, slave on 32-bit).  The problem seems to only be affecting my Master - we have been running fine on the Slave since Monday morning.  Since Sunday afternoon, very slow performance with the Master, even just with its web interface.  I originally thought a hardware failure of some sort (memory, NIC, CPU, etc), but after multiple tests, and rebuilds from scratch (with both 32- and 64-bit), the trouble appears only when I enable the very top check box in High Availability Sync - Synchronize States.

                    After a scratch build of the interfaces, I slowly synced each section that I needed, looking and waiting for performance drop.  The last section was the firewall rules, which had no issue, and then turning on sync states, it immediately slowed down.  CPU and memory usage show no changes.  The reason I found this thread was the OP's error showed up in my general logs when I enabled sync states.

                    cmb, you may recall my troubles with BGP a couple years ago, and you guys were great in getting that going, no issues since.  BGP runs fine, along with everything else, until that sync states box is checked, and it all poops the bed.  But, as soon as I uncheck that box and save, it all seems fine.  I'm a little hesitant about trying it live like this (I know the changeover will cause interruptions).  I believe the system in question was originally running v2.2.

                    Aaron

                      acherman

                      Sorry for the hijack.  After more reading through other threads in the CARP section, I think I will try a downgrade to something like 2.2 on each box.
