OpenVPN sometimes stops working with cipher_ctx_update: EVP_CipherUpdate() failed



  • Hello,

    I have a OpenVPN client from site to site who have been working without any issue in last 2 months, since it was installed, and today from time to time, it stops working, and cannot turn it on again manually, till a restart is made.

    There is no issues with lack of hardware performance/resourses that could be triggering this, the behaviour is the same like it was until I start having this issue.

    Anyone knows what can be?

    This is the error that it gives:

    Aug 17 15:36:41	openvpn	20992	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Aug 17 15:36:41	openvpn	20992	MANAGEMENT: CMD 'state 1'
    Aug 17 15:36:41	openvpn	20992	MANAGEMENT: CMD 'status 2'
    Aug 17 15:36:41	openvpn	20992	MANAGEMENT: Client disconnected
    Aug 17 15:37:21	openvpn	20992	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
    Aug 17 15:37:21	openvpn	20992	MANAGEMENT: CMD 'state 1'
    Aug 17 15:37:21	openvpn	20992	MANAGEMENT: CMD 'status 2'
    Aug 17 15:37:21	openvpn	20992	MANAGEMENT: Client disconnected
    Aug 17 15:37:24	openvpn	20992	cipher_ctx_update: EVP_CipherUpdate() failed
    Aug 17 15:37:24	openvpn	20992	Exiting due to fatal error
    Aug 17 15:37:24	openvpn	20992	/sbin/route delete -net 10.0.0.0 10.0.9.1 255.255.255.0
    Aug 17 15:37:25	openvpn	20992	Closing TUN/TAP interface
    Aug 17 15:37:25	openvpn	20992	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1575 10.0.9.2 10.0.9.1 init
    Aug 17 15:38:00	openvpn	11923	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    Aug 17 15:38:00	openvpn	11923	OpenVPN 2.4.4 armv6-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
    Aug 17 15:38:00	openvpn	11923	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Aug 17 15:38:00	openvpn	12227	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
    Aug 17 15:38:00	openvpn	12227	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 17 15:38:00	openvpn	12227	Initializing OpenSSL support for engine 'cryptodev'
    Aug 17 15:38:00	openvpn	12227	Outgoing Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 17 15:38:00	openvpn	12227	Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Aug 17 15:38:00	openvpn	12227	Incoming Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 17 15:38:00	openvpn	12227	Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Aug 17 15:38:00	openvpn	12227	ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=mvneta2 HWADDR=00:08:a2:0d:8c:2e
    Aug 17 15:38:00	openvpn	12227	TUN/TAP device ovpnc1 exists previously, keep at program end
    Aug 17 15:38:00	openvpn	12227	TUN/TAP device /dev/tun1 opened
    Aug 17 15:38:00	openvpn	12227	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Aug 17 15:38:00	openvpn	12227	/sbin/ifconfig ovpnc1 10.0.9.2 10.0.9.1 mtu 1500 netmask 255.255.255.255 up
    Aug 17 15:38:00	openvpn	12227	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1575 10.0.9.2 10.0.9.1 init
    Aug 17 15:38:00	openvpn	12227	/sbin/route add -net 10.0.0.0 10.0.9.1 255.255.255.0
    Aug 17 15:38:00	openvpn	12227	TCP/UDP: Preserving recently used remote address: [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
    Aug 17 15:38:00	openvpn	12227	Socket Buffers: R=[65228->65228] S=[65228->65228]
    Aug 17 15:38:00	openvpn	12227	Attempting to establish TCP connection with [AF_INET]x:51195 [nonblock]
    Aug 17 15:38:01	openvpn	12227	TCP connection established with [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
    Aug 17 15:38:01	openvpn	12227	TCPv4_CLIENT link local (bound): [AF_INET]192.168.1.147:0
    Aug 17 15:38:01	openvpn	12227	TCPv4_CLIENT link remote: [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
    Aug 17 15:38:01	openvpn	12227	cipher_ctx_update: EVP_CipherUpdate() failed
    Aug 17 15:38:01	openvpn	12227	Exiting due to fatal error
    


  • Sorry to resurrect an old post, but I'm seeing the same thing. Same log data as above. Seem to just happen after a period of time. Reboot resolves it.



  • I have "solved" this issue in the same way, by just rebooting this system, and since the day that I have started this thread, I didnt had this problem again.



  • Happened to one of my units today—client was a Netgate SG-3100, running 2.4.4-p2
    Nothing I could do from the commandline fixed it, just had to reboot the box.
    Uptime was 89 days previous to that.

    It's a real head scratcher.



  • @luckman212 Unfortunately disabling hardware crypto on the SG-3100 was the "solution" for me. Everything has been reliably stable since.



  • @useru0284t35 Huh. Ok, well good to know I guess. Pros and Cons.



  • This problem that I had one time, was with that unit too, the SG-3100.



  • @useru0284t35 Actually - sad to say that I checked the settings on my affected unit and Crypto hardware was already set to "None"

    So I guess that isn't actually the cause, and maybe you were just lucky...


Log in to reply