4. OpenVPN sometimes stops working with cipher_ctx_update: EVP_CipherUpdate() failed

OpenVPN sometimes stops working with cipher_ctx_update: EVP_CipherUpdate() failed


  • Hello,

    I have a OpenVPN client from site to site who have been working without any issue in last 2 months, since it was installed, and today from time to time, it stops working, and cannot turn it on again manually, till a restart is made.

    There is no issues with lack of hardware performance/resourses that could be triggering this, the behaviour is the same like it was until I start having this issue.

    Anyone knows what can be?

    This is the error that it gives:

    Aug 17 15:36:41	openvpn	20992	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Aug 17 15:36:41	openvpn	20992	MANAGEMENT: CMD 'state 1'
Aug 17 15:36:41	openvpn	20992	MANAGEMENT: CMD 'status 2'
Aug 17 15:36:41	openvpn	20992	MANAGEMENT: Client disconnected
Aug 17 15:37:21	openvpn	20992	MANAGEMENT: Client connected from /var/etc/openvpn/client1.sock
Aug 17 15:37:21	openvpn	20992	MANAGEMENT: CMD 'state 1'
Aug 17 15:37:21	openvpn	20992	MANAGEMENT: CMD 'status 2'
Aug 17 15:37:21	openvpn	20992	MANAGEMENT: Client disconnected
Aug 17 15:37:24	openvpn	20992	cipher_ctx_update: EVP_CipherUpdate() failed
Aug 17 15:37:24	openvpn	20992	Exiting due to fatal error
Aug 17 15:37:24	openvpn	20992	/sbin/route delete -net 10.0.0.0 10.0.9.1 255.255.255.0
Aug 17 15:37:25	openvpn	20992	Closing TUN/TAP interface
Aug 17 15:37:25	openvpn	20992	/usr/local/sbin/ovpn-linkdown ovpnc1 1500 1575 10.0.9.2 10.0.9.1 init
Aug 17 15:38:00	openvpn	11923	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Aug 17 15:38:00	openvpn	11923	OpenVPN 2.4.4 armv6-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Aug 17 15:38:00	openvpn	11923	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Aug 17 15:38:00	openvpn	12227	MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Aug 17 15:38:00	openvpn	12227	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 17 15:38:00	openvpn	12227	Initializing OpenSSL support for engine 'cryptodev'
Aug 17 15:38:00	openvpn	12227	Outgoing Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 17 15:38:00	openvpn	12227	Outgoing Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 17 15:38:00	openvpn	12227	Incoming Static Key Encryption: Cipher 'AES-128-CBC' initialized with 128 bit key
Aug 17 15:38:00	openvpn	12227	Incoming Static Key Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Aug 17 15:38:00	openvpn	12227	ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=mvneta2 HWADDR=00:08:a2:0d:8c:2e
Aug 17 15:38:00	openvpn	12227	TUN/TAP device ovpnc1 exists previously, keep at program end
Aug 17 15:38:00	openvpn	12227	TUN/TAP device /dev/tun1 opened
Aug 17 15:38:00	openvpn	12227	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Aug 17 15:38:00	openvpn	12227	/sbin/ifconfig ovpnc1 10.0.9.2 10.0.9.1 mtu 1500 netmask 255.255.255.255 up
Aug 17 15:38:00	openvpn	12227	/usr/local/sbin/ovpn-linkup ovpnc1 1500 1575 10.0.9.2 10.0.9.1 init
Aug 17 15:38:00	openvpn	12227	/sbin/route add -net 10.0.0.0 10.0.9.1 255.255.255.0
Aug 17 15:38:00	openvpn	12227	TCP/UDP: Preserving recently used remote address: [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
Aug 17 15:38:00	openvpn	12227	Socket Buffers: R=[65228->65228] S=[65228->65228]
Aug 17 15:38:00	openvpn	12227	Attempting to establish TCP connection with [AF_INET]x:51195 [nonblock]
Aug 17 15:38:01	openvpn	12227	TCP connection established with [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
Aug 17 15:38:01	openvpn	12227	TCPv4_CLIENT link local (bound): [AF_INET]192.168.1.147:0
Aug 17 15:38:01	openvpn	12227	TCPv4_CLIENT link remote: [AF_INET]OPENVPN_SERVER_EXTERNAL_IP:51195
Aug 17 15:38:01	openvpn	12227	cipher_ctx_update: EVP_CipherUpdate() failed
Aug 17 15:38:01	openvpn	12227	Exiting due to fatal error
    0
  • U

    Sorry to resurrect an old post, but I'm seeing the same thing. Same log data as above. Seem to just happen after a period of time. Reboot resolves it.

    1

  • I have "solved" this issue in the same way, by just rebooting this system, and since the day that I have started this thread, I didnt had this problem again.

    0

  • Happened to one of my units today—client was a Netgate SG-3100, running 2.4.4-p2
    Nothing I could do from the commandline fixed it, just had to reboot the box.
    Uptime was 89 days previous to that.

    It's a real head scratcher.

    0
    U
     1 Reply
  • U

    @luckman212 Unfortunately disabling hardware crypto on the SG-3100 was the "solution" for me. Everything has been reliably stable since.

    0 2 Replies

  • @useru0284t35 Huh. Ok, well good to know I guess. Pros and Cons.

    0

  • This problem that I had one time, was with that unit too, the SG-3100.

    0

  • @useru0284t35 Actually - sad to say that I checked the settings on my affected unit and Crypto hardware was already set to "None"

    So I guess that isn't actually the cause, and maybe you were just lucky...

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy