TLS Error: local/remote TLS keys are out of sync
- 
 Hello everybody! I have set up a FreeIPA with a FreeRADIUS, and I use my OpenVPN with a password and a token: very secure! :D But the problem that I am having is that the users are suffering VPN problems every hour approx.
 I was checking logs and it seems to happen always at XX:42:XX time. I was reading a lot of documentation about RADIUS and IPA and I have changed some config on them, but it is still failing, and the only info that I get from logs in my pfSense is:
 Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 [xx-openvpn] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:56645
 Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 TLS Auth Error: Auth Username/Password verification failed for peer
 Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
 Mar 17 14:36:06 openvpn user 'xx-openvpn' could not authenticate.
 Mar 17 14:35:04 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 [xx-openvpn] Inactivity timeout (--ping-restart), restarting
 Mar 17 14:35:01 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX:52420 [1]
 Mar 17 14:34:58 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX::52420 [1]
 Mar 17 14:34:57 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX::52420 [1]
 I think that when I start to have the TLS error, it generates an inactivity timeout. The client tries to reconnect but it needs a new token and then it fails. So I have all my users (100) suffering an unstable service every day. I also have a "normal" OpenVPN server in my pfSense and it doesn't happen… PLEASE HELP ME ;D ;D
- 
 What version of pfSense / OpenVPN is used on each side of this? Do you have any custom configuration settings anywhere that might be altering OpenVPN's renegotiation parameters? 
- 
 It is driving me crazy because I was reading forums and documentation about it all weekend…
 pfSense version: 2.3.3-RELEASE-p1 (amd64)
 OpenVPN: on pfSense, whatever comes with that version; on my laptop, for example, OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb 2 2016
 As this problem is composed of 3 parts (IPA + FreeRADIUS + OpenVPN) I have checked all the possibilities.
 In IPA, changing this data:
 Password Policy
 Max lifetime (days): 90
 Min lifetime (hours): 3
 History size (number of passwords): 0
 Character classes: 0
 Min length: 8
 Max failures: 6
 Failure reset interval (seconds): 60
 Lockout duration (seconds): 600
 Kerberos Ticket Policy
 Max renew (seconds): 604800
 Max life (seconds): 86400
 In FreeRADIUS, adding this config to the connection: vim /etc/raddb/dictionary
 ATTRIBUTE Max-Daily-Session 36000 integer
 Even in my OpenVPN:
 Server: vi /var/etc/openvpn/server1.conf
 reneg-sec 36000
 Client -> local file *.ovpn
 reneg-sec 0
 I have restarted the service and configured my VPN.
 I don't know if the paths where I did the config were right, but it seems so. Any idea? Thank you!!!
- 
 Is the OpenVPN server process restarting? Anything in the system log, gateway log, or other logs around the time the error starts showing up? Can you show the whole server configuration (minus any secret keys/names) from /var/etc/openvpn/ ? 
- 
 This is the info I have got:
 LOGS FROM SERVER
 Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 TLS Auth Error: Auth Username/Password verification failed for peer
 Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
 Mar 20 20:54:23 openvpn user 'user-openvpn' could not authenticate.
 Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 [user-openvpn] Inactivity timeout (--ping-restart), restarting
 Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:24 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:23 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:22 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:19 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:17 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 Mar 20 20:53:15 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
 LOGS FROM CLIENT
 Mon Mar 13 13:13:59 2017 [off-OpenVPN.domain.com] Inactivity timeout (--ping-restart), restarting
 Mon Mar 13 13:13:59 2017 SIGUSR1[soft,ping-restart] received, process restarting
 Mon Mar 13 13:14:01 2017 UDPv4 link local (bound): [undef]
 Mon Mar 13 13:14:01 2017 UDPv4 link remote: [AF_INET]62.14.247.61:1194
 Mon Mar 13 13:14:03 2017 [off-OpenVPN.domain.com] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
 Mon Mar 13 13:14:06 2017 AUTH: Received control message: AUTH_FAILED
 Mon Mar 13 13:14:06 2017 /sbin/ip addr del dev tun0 192.168.52.11/24
 Mon Mar 13 13:14:06 2017 SIGTERM[soft,auth-failure] received, process exiting
 CONFIG FROM SERVER
 dev ovpns1
 verb 1
 dev-type tun
 tun-ipv6
 dev-node /dev/tun1
 writepid /var/run/openvpn_server1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 reneg-sec 36000
 keepalive 10 6000
 ping-timer-rem
 persist-tun
 persist-key
 proto udp
 cipher AES-128-CBC
 auth SHA1
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 client-connect /usr/local/sbin/openvpn.attributes.sh
 client-disconnect /usr/local/sbin/openvpn.attributes.sh
 local XX.XX.XX.XX
 tls-server
 server 192.168.52.0 255.255.255.0
 client-config-dir /var/etc/openvpn-csc/server1
 username-as-common-name
 auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user SVBB true server1 1194" via-env
 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'off-OpenVPN.domain.com' 1"
 lport 1194
 management /var/etc/openvpn/server1.sock unix
 push "route 192.168.0.0 255.255.255.0"
 push "route 192.168.50.0 255.255.255.0"
 push "route 192.168.250.0 255.255.255.0"
 push "route 10.10.1.0 255.255.255.0"
 push "route 10.10.3.0 255.255.255.0"
 push "route 172.30.1.0 255.255.255.0"
 push "route 172.30.2.0 255.255.255.0"
 push "route 172.30.3.0 255.255.255.0"
 push "route 172.30.4.0 255.255.255.0"
 push "route 172.30.31.0 255.255.255.0"
 push "route 172.30.35.0 255.255.255.0"
 push "route 172.30.39.0 255.255.255.0"
 push "route 172.29.0.0 255.255.224.0"
 push "route 10.210.0.0 255.255.0.0"
 push "route 10.57.31.0 255.255.255.0"
 push "route 10.57.34.0 255.255.255.0"
 push "route 192.168.100.0 255.255.255.0"
 push "route 93.90.19.0 255.255.255.0"
 push "route 109.70.39.0 255.255.255.0"
 push "route 89.187.117.238 255.255.255.255"
 push "route 77.240.112.0 255.255.240.0"
 push "route 172.30.5.0 255.255.255.0"
 push "route 93.90.20.0 255.255.255.0"
 push "route 192.168.2.0 255.255.255.0"
 push "dhcp-option DOMAIN mad01.domain.local"
 push "dhcp-option DNS 93.90.19.234"
 push "dhcp-option DNS 93.90.19.235"
 push "dhcp-option DNS 8.8.8.8"
 push "dhcp-option DNS 192.168.0.162"
 push "register-dns"
 push "dhcp-option NTP 192.168.0.162"
 push "dhcp-option NTP 192.168.0.163"
 ca /var/etc/openvpn/server1.ca
 cert /var/etc/openvpn/server1.cert
 key /var/etc/openvpn/server1.key
 dh /etc/dh-parameters.1024
 tls-auth /var/etc/openvpn/server1.tls-auth 0
 comp-lzo adaptive
 persist-remote-ip
 float
 topology subnet
 CONFIG FROM CLIENT
 dev tun
 persist-tun
 persist-key
 cipher AES-128-CBC
 auth SHA1
 tls-client
 client
 resolv-retry infinite
 reneg-sec 0
 remote off.domain.com 1194 udp
 lport 0
 verify-x509-name "off-OpenVPN.domain.com" name
 auth-user-pass
 pkcs12 vpns-udp-1194-user-openvpn.p12
 tls-auth vpns-udp-1194-user-openvpn-tls.key 1
 ns-cert-type server
 comp-lzo adaptive
 Thank you for the interest and the help! Regards
- 
 FIXED!! https://forum.pfsense.org/index.php?topic=127601.0 Once I put the attributes in the server and in the client, the connection stays stable for the time I decide!!!
 "reneg-sec 0" in server
 "reneg-sec 36000" in client
 THANK YOU VERY MUCH
- 
 "reneg-sec 0" in server 
 "reneg-ser 36000" in clientFWIW I would do it like this: 
 "reneg-sec 0" in client
 "reneg-sec 36000" in serverThat way the server setting is controlling and one change changes the renegotiation policy. 
- 
 Done! thanks 

