Fatal Error if RADIUS with 2FA doesn't answer for a longer time



  • L.S.,

    We experience a fatal error when the RADIUS server is waiting for a 2FA response.
    I can reproduce the fatal error by putting the reneg to a smaller time frame. RADIUS checks the user credentials and sends out the 2FA push to Duo Mobile. After not replying for 7 minutes the OpenVPN server crashes completely.

    Log:
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 UDPv4 READ [128] from [AF_INET]83.***.***.79:1194: P_CONTROL_V1 kid=0 sid=e3cee021 abcdefgh tls_hmac=aecabcda 98abcd aabcd 519abcd 8abcd7b a6abcd737 d49600d5 eddb428e 2d75f4ed 8e02e133 0fabcda4 eabcdc1 5abcd0 eabcdd74 dabcd5 45abcd4 pid=[ #14 / time = (1551383018) Thu Feb 28 20:43:38 2019 ] [
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: control channel, op=P_CONTROL_V1, IP=[AF_INET]83.***.***.79:1194
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: initial packet test, i=0 state=S_ACTIVE, mysid=082aec1e f54eb2e9, rec-sid=e3cee021 abcdefgh, rec-ip=[AF_INET]83.***.***.79:1194, stored-sid=e3cee021 abcdefgh, stored-ip=[AF_INET]83.***.***.79:1194
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: found match, session[0], sid=e3cee021 abcdefgh
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 DECRYPT FROM: abcdefgh abcdefgh abcdefgh abcdefgh abcdefgh abcdefgh d49600d5 eddb428[more...]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 PID_TEST [0] [TLS_WRAP-0] [0022222222222] 1551383018:13 1551383018:14 t=1551383018[0] r=[-2,64,15,0,1] sl=[51,13,64,528]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: received control channel packet s#=0 sid=e3cee021 abcdefgh
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK read ID 7 (buf->len=42)
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK RWBS rel->size=8 rel->packet_id=00000007 id=00000007 ret=1
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK mark active incoming ID 7
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK acknowledge ID 7 (ack->len=1)
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_multi_process: i=0 state=S_ACTIVE, mysid=082aec1e f54eb2e9, stored-sid=e3cee021 abcdefgh, stored-ip=[AF_INET]83.***.***.79:1194
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_process: chg=0 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK reliable_can_send active=0 current=0 : [7]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 BIO write tls_write_ciphertext 42 bytes
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Incoming Ciphertext -> TLS
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 BIO read tls_read_plaintext 13 bytes
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS -> Incoming Plaintext
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_process: chg=1 ks=S_ACTIVE lame=S_UNDEF to_link->len=0 wakeup=604800
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK reliable_can_send active=0 current=0 : [7]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK write ID 7 (ack->len=1, n=1)
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ENCRYPT HMAC: 2b3a9d92 c4ac4db1 6c47d41e f3f0a0dd 0d041b37 f7986f93 2e4cdbb2 d6e7542[more...]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ENCRYPT TO: 2b3a9d92 c4ac4db1 6c47d41e f3f0a0dd 0d041b37 f7986f93 2e4cdbb2 d6e7542[more...]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Dedicated ACK -> TCP/UDP
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 ACK reliable_send_timeout 604800 [7]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_process: timeout set to 57
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_multi_process: i=1 state=S_INITIAL, mysid=77e900c0 72746aa5, stored-sid=00000000 00000000, stored-ip=[AF_UNSPEC]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 TLS: tls_multi_process: i=2 state=S_ERROR, mysid=7c91aba7 e2b69d69, stored-sid=b6506718 838b8ba1, stored-ip=[AF_INET]83.***.***.79:1194
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 PUSH: Received control message: 'PUSH_REQUEST'
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 BIO write tls_write_plaintext_const 217 bytes
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 SENT CONTROL [username]: 'PUSH_REPLY,dhcp-option DNS 10.72.0.10,dhcp-option DNS 10.72.0.1,block-outside-dns,redirect-gateway def1,route 10.50.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.50.0.6 10.50.0.5,peer-id 0,cipher AES-256-CBC' (status=1)
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 100 bytes
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 MTU DYNAMIC mtu=1450, flags=2, 1602 -> 1450
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Data Channel MTU parms [ L:1602 D:1450 EF:102 EB:406 ET:0 EL:3 ]
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Exiting due to fatal error
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 /sbin/route delete -net 10.50.0.0 10.50.0.2 255.255.255.0
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 Closing TUN/TAP interface
    Feb 28 20:43:38 openvpn 1805 username/83.***.***.79:1194 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1622 10.50.0.1 10.50.0.2 init

    Can anyone help with this, to prevent the OpenVPN server from crashing?

    Kind Regards,

    Sander
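A small log-scanner over the pfSense-style OpenVPN syslog format shown in the post above, as an added example (not code from the thread or from OpenVPN): it flags an `Assertion failed ... Exiting due to fatal error` pair, attributes it to the peer/session line it came from, and records whether that peer had already sent a `PUSH_REQUEST`, which in the report above is answered while the key state is still unauthenticated (`ks->authenticated`). The sample lines, the IP address and the function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# pfSense-style OpenVPN syslog line: "<ts> openvpn <pid> [<user>/<ip>:<port>] <message>"
# The peer part is optional (server-level messages have none); masked IPs like 83.***.***.79 parse too.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) openvpn (?P<pid>\d+) "
    r"(?:(?P<peer>[^\s/]+/[\d.*]+:\d+) )?(?P<msg>.*)$"
)
ASSERT_RE = re.compile(r"Assertion failed at (?P<where>\S+) \((?P<expr>[^)]*)\)")

@dataclass
class Finding:
    ts: str
    pid: str
    peer: str
    where: str            # source location from the assertion message, e.g. ssl.c:1929
    expr: str             # the failed expression, e.g. ks->authenticated
    push_request_seen: bool   # client asked for its config before auth had completed
    process_exited: bool = False

def scan_openvpn_log(text: str) -> list[Finding]:
    """Return one Finding per fatal assertion, attributed to the triggering session."""
    push_seen: set[tuple[str, str]] = set()   # (pid, peer) pairs that sent PUSH_REQUEST
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, peer, msg = m["pid"], m["peer"] or "-", m["msg"]
        if "PUSH_REQUEST" in msg:
            push_seen.add((pid, peer))
        elif a := ASSERT_RE.search(msg):
            findings.append(Finding(m["ts"], pid, peer, a["where"], a["expr"],
                                    (pid, peer) in push_seen))
        elif "Exiting due to fatal error" in msg:
            for f in findings:          # the whole daemon (pid) goes down, not one client
                if f.pid == pid:
                    f.process_exited = True
    return findings

# Constructed sample in the layout of the report above (IP is a documentation address).
SAMPLE_LOG = """\
Feb 28 20:43:38 openvpn 1805 username/198.51.100.79:1194 PUSH: Received control message: 'PUSH_REQUEST'
Feb 28 20:43:38 openvpn 1805 username/198.51.100.79:1194 SENT CONTROL [username]: 'PUSH_REPLY,ping 10' (status=1)
Feb 28 20:43:38 openvpn 1805 username/198.51.100.79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
Feb 28 20:43:38 openvpn 1805 username/198.51.100.79:1194 Exiting due to fatal error
"""

if __name__ == "__main__":
    for f in scan_openvpn_log(SAMPLE_LOG):
        print(f"{f.ts} pid={f.pid} peer={f.peer} {f.where} ({f.expr}) "
              f"push_request_seen={f.push_request_seen} exited={f.process_exited}")
```

Feed it the real log (for example a `tail -F` of the OpenVPN log) to alert on the daemon dying during a pending 2FA approval, and to see which user/session was mid-authentication when it happened.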


  • Rebel Alliance Developer Netgate

    Which version of pfSense is this on?

    If it's not current, upgrade.

    Otherwise you might want to report this specific error condition upstream to OpenVPN:

    Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Assertion failed at ssl.c:1929 (ks->authenticated)
    Feb 28 20:43:38 openvpn 1805 username/83...79:1194 Exiting due to fatal error