Netgate Discussion Forum

    Fatal Error if radius with 2fa doesn't answer for longer time

      SBA

      L.S.,

      We experience a fatal error when the radius server is waiting for a 2fa response.
      I can reproduce the fatal error by putting the reneg to a smaller time frame. Radius checks the user credentials and sends out the 2fa push to DUO mobile. After not replying for 7 minutes the OpenVPN server crashes completely.

      Log:
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 UDPv4 READ [128] from [AF_INET]83...79:1194: P_CONTROL_V1 kid=0 sid=e3cee021 abcdefgh tls_hmac=aecabcda 98abcd aabcd 519abcd 8abcd7b a6abcd737 d49600d5 eddb428e 2d75f4ed 8e02e133 0fabcda4 eabcdc1 5abcd0 eabcdd74 dabcd5 45abcd4 pid=[ #14 / time = (1551383018) Thu Feb 28 20:43:38 2019 ] [
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: control channel, op=P_CONTROL_V1, IP=[AF_INET]83...79:1194
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: initial packet test, i=0 state=S_ACTIVE, mysid=082aec1e f54eb2e9, rec-sid=e3cee021 abcdefgh, rec-ip=[AF_INET]83...79:1194, stored-sid=e3cee021 abcdefgh, stored-ip=[AF_INET]83...79:1194
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: found match, session[0], sid=e3cee021 abcdefgh
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 DECRYPT FROM: abcdefgh abcdefgh abcdefgh abcdefgh abcdefgh abcdefgh d49600d5 eddb428[more...]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 PID_TEST [0] [TLS_WRAP-0] [0022222222222] 1551383018:13 1551383018:14 t=1551383018[0] r=[-2,64,15,0,1] sl=[51,13,64,528]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: received control channel packet s#=0 sid=e3cee021 abcdefgh
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK read ID 7 (buf->len=42)
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK RWBS rel->size=8 rel->packet_id=00000007 id=00000007 ret=1
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK mark active incoming ID 7
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK acknowledge ID 7 (ack->len=1)
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=082aec1e f54eb2e9, stored-sid=e3cee021 abcdefgh, stored-ip=[AF_INET]83...79:1194
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK reliable_can_send active=0 current=0 : [7]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 BIO write tls_write_ciphertext 42 bytes
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Incoming Ciphertext -> TLS
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 BIO read tls_read_plaintext 13 bytes
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS -> Incoming Plaintext
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_process: chg=1 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK reliable_can_send active=0 current=0 : [7]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK write ID 7 (ack->len=1, n=1)
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ENCRYPT HMAC: 2b3a9d92 c4ac4db1 6c47d41e f3f0a0dd 0d041b37 f7986f93 2e4cdbb2 d6e7542[more...]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ENCRYPT TO: 2b3a9d92 c4ac4db1 6c47d41e f3f0a0dd 0d041b37 f7986f93 2e4cdbb2 d6e7542[more...]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Dedicated ACK -> TCP/UDP
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 ACK reliable_send_timeout 604800 [7]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_process: timeout set to 57
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=77e900c0 72746aa5, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 TLS: tls_multi_process: i=2 state=S_ERROR, mysid=7c91aba7 e2b69d69, stored-sid=b6506718 838b8ba1, stored-ip=[AF_INET]83...79:1194
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 PUSH: Received control message: 'PUSH_REQUEST'
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 BIO write tls_write_plaintext_const 217 bytes
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 SENT CONTROL [username]: 'PUSH_REPLY,dhcp-option DNS 10.72.0.10,dhcp-option DNS 10.72.0.1,block-outside-dns,redirect-gateway def1,route 10.50.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.50.0.6 10.50.0.5,peer-id 0,cipher AES-256-CBC' (status=1)
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 MTU DYNAMIC mtu=1450, flags=2, 1602 -> 1450
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:406 ET:0 EL:3 ]
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 /sbin/route delete -net 10.50.0.0 10.50.0.2 255.255.255.0
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Closing TUN/TAP interface
      Feb 28 20:43:38 openvpn 1805 username/83...79:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 10.50.0.1 10.50.0.2 init

      Can anyone help with this? To prevent the OpenVPN server from crashing?

      Kind Regards,

      Sander

        jimp Rebel Alliance Developer Netgate

        Which version of pfSense is this on?

        If it's not current, upgrade.

        Otherwise you might want to report this specific error condition upstream to OpenVPN:

        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
        Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error
        


        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
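One way to pull the assertion and its surrounding context out of a verbose OpenVPN log before reporting it upstream, as the reply in this thread suggests. This is an added example, not code from the thread, pfSense or OpenVPN; `find_crashes` is a hypothetical helper, and the sample lines are constructed in the thread's log format with documentation IP addresses.

```python
import re

# Assumed layout: "<date> openvpn <pid> <user/ip:port> <message>", as in the thread's log.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) openvpn (\d+) (\S+) (.*)$")
STATE = re.compile(r"tls_multi_process: i=(\d+) state=(\w+)")
CTRL = re.compile(r"Received control message: '([^']*)'")
ASSERT = re.compile(r"Assertion failed at ([\w./-]+):(\d+) \((.*)\)$")

# Constructed sample (not the poster's log): one crashing daemon, one healthy one.
SAMPLE_LOG = """\
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=082aec1e f54eb2e9
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=77e900c0 72746aa5
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 TLS: tls_multi_process: i=2 state=S_ERROR, mysid=7c91aba7 e2b69d69
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 PUSH: Received control message: 'PUSH_REQUEST'
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
Feb 28 20:43:38 openvpn 1805 username/192.0.2.79:1194 Exiting due to fatal error
Feb 28 20:44:02 openvpn 2210 other/198.51.100.7:1194 PUSH: Received control message: 'PUSH_REQUEST'
"""

def find_crashes(log_text):
    """Return one record per assertion failure, with per-PID context seen before it."""
    states, last_ctrl, pending, crashes = {}, {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an openvpn line in the assumed layout
        when, pid, client, msg = m.groups()
        if (s := STATE.search(msg)):
            # Remember the latest state of each TLS key slot for this daemon.
            states.setdefault(pid, {})[int(s.group(1))] = s.group(2)
        elif (c := CTRL.search(msg)):
            last_ctrl[pid] = c.group(1)
        elif (a := ASSERT.search(msg)):
            rec = {"time": when, "pid": pid, "client": client,
                   "file": a.group(1), "line": int(a.group(2)), "expr": a.group(3),
                   "key_states": dict(states.get(pid, {})),
                   "last_control": last_ctrl.get(pid), "fatal": False}
            pending[pid] = rec
            crashes.append(rec)
        elif "Exiting due to fatal error" in msg and pid in pending:
            pending.pop(pid)["fatal"] = True  # the daemon went down after the assertion
    return crashes

if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        print(crash)
```
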