Netgate Discussion Forum
    "Local/Remote TLS Keys out of sync" when multiple configs to same host are available

    Category: OpenVPN
    sreece (last edited by sreece)

      I have pfSense running 4 ovpn servers on udp/1194-1197. The servers listening on 1194, 1195, and 1197 use LDAPS to auth against my domain user as well as certs issued by pfSense linked to my domain account user id. 1196 does not have secondary auth using LDAPS, but against the internal user DB. The reason for this is so that there can be a VPN for domain-linked hosts, one for BYOD hosts, and a third just for testing firewall rules outside of the two production OpenVPN connections. When I have all 3 LDAPS+Key configs in their specific folders in the config directory (C:\Program Files\OpenVPN\Config) and connect to the main 1194 server, I see the following in the logs:

      Mon Feb 24 21:58:08 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET]X.X.X.X:1195 [0]
      Mon Feb 24 21:58:08 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET]X.X.X.X:1197 [0]

      For some reason, I'm getting errors about a TLS key being out of sync on the two ports I'm not actually connected to. If I remove the configs for 1195 and 1197 from the config folder, restart the OpenVPN gui, and connect to 1194, I no longer get those errors. The keys for each connection were issued by different CAs in pfSense, and the certificates for each of my client connections were exported via pfSense. The keys are all different, as is expected.

      This doesn't actually break anything, but I'm just curious at this point about what the cause is. Has anyone run into this before?

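An added example, not code from the original post or from pfSense/OpenVPN: a small Python script that does the two checks a practitioner would want when triaging the symptom above. It parses a set of client profiles like the ones described (one per server port), confirms that their inline tls-auth/tls-crypt static keys really are distinct, and then scans client log lines for "local/remote TLS keys are out of sync" errors whose source port is not the remote port the active profile connected to, which is exactly what the quoted log shows. The profile contents, hostname, IP address and key bodies are constructed sample data; one profile deliberately reuses another's key so the duplicate-key check has something to report. The script assumes inline `<tls-auth>`/`<tls-crypt>` blocks rather than `tls-auth file.key` references.

```python
"""Cross-check OpenVPN client profiles against 'TLS keys are out of sync' log lines."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample profiles (not the poster's real files): one per server port,
# with deliberately short fake static keys. 'test-1196.ovpn' reuses the 1194 key
# so the duplicate-key check below reports something.
FAKE_KEY = "-----BEGIN OpenVPN Static key V1-----\n{}\n-----END OpenVPN Static key V1-----"
PROFILES = {
    "domain-1194.ovpn": f"client\nproto udp\nremote vpn.example.test 1194\n"
                        f"<tls-auth>\n{FAKE_KEY.format('11' * 16)}\n</tls-auth>\nkey-direction 1\n",
    "byod-1195.ovpn":   f"client\nproto udp\nremote vpn.example.test 1195\n"
                        f"<tls-auth>\n{FAKE_KEY.format('22' * 16)}\n</tls-auth>\nkey-direction 1\n",
    "test-1196.ovpn":   f"client\nproto udp\nremote vpn.example.test 1196\n"
                        f"<tls-auth>\n{FAKE_KEY.format('11' * 16)}\n</tls-auth>\nkey-direction 1\n",
    "fwtest-1197.ovpn": f"client\nproto udp\nremote vpn.example.test 1197\n"
                        f"<tls-crypt>\n{FAKE_KEY.format('33' * 16)}\n</tls-crypt>\n",
}

# Constructed client log excerpt modelled on the lines quoted in the post.
LOG_LINES = [
    "Mon Feb 24 21:58:07 2020 TLS: Initial packet from [AF_INET]203.0.113.10:1194, sid=1a2b3c4d 5e6f7a8b",
    "Mon Feb 24 21:58:08 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:1195 [0]",
    "Mon Feb 24 21:58:08 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:1197 [0]",
    "Mon Feb 24 21:58:09 2020 TLS Error: local/remote TLS keys are out of sync: [AF_INET]203.0.113.10:1194 [0]",
]

STATIC_KEY_RE = re.compile(
    r"<(tls-auth|tls-crypt)>\s*-----BEGIN OpenVPN Static key V1-----(.*?)"
    r"-----END OpenVPN Static key V1-----\s*</\1>", re.S)
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)(?:\s+(\d+))?", re.M)
# Greedy '.+' so the last ':' splits host from port even for IPv6 peers.
OUT_OF_SYNC_RE = re.compile(r"TLS keys are out of sync: \[(AF_INET6?)\](.+):(\d+) \[\d+\]")


@dataclass(frozen=True)
class Profile:
    name: str
    remote_host: str
    remote_port: int
    key_kind: Optional[str]         # "tls-auth", "tls-crypt" or None
    key_fingerprint: Optional[str]  # sha256 prefix of the inline static key body


def parse_profile(name: str, text: str) -> Profile:
    """Extract the first 'remote' directive and the inline static key, if any."""
    m = REMOTE_RE.search(text)
    if not m:
        raise ValueError(f"{name}: no 'remote' directive")
    host, port = m.group(1), int(m.group(2) or 1194)  # 1194 is OpenVPN's default port
    key_kind = fingerprint = None
    k = STATIC_KEY_RE.search(text)
    if k:
        key_kind = k.group(1)
        body = "".join(k.group(2).split())  # ignore line wrapping differences
        fingerprint = hashlib.sha256(body.encode()).hexdigest()[:16]
    return Profile(name, host, port, key_kind, fingerprint)


def duplicate_keys(profiles):
    """Return {fingerprint: [profile names]} for static keys shared by more than one profile."""
    by_fp = {}
    for p in profiles:
        if p.key_fingerprint:
            by_fp.setdefault(p.key_fingerprint, []).append(p.name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


def parse_out_of_sync(line: str):
    """Return (host, port) for an out-of-sync error line, else None."""
    m = OUT_OF_SYNC_RE.search(line)
    return (m.group(2), int(m.group(3))) if m else None


def unexpected_peers(log_lines, active: Profile):
    """Out-of-sync errors from a port other than the active profile's remote port.

    These packets reached the client's socket from an endpoint this profile never
    connected to, which is the symptom the post describes.
    """
    hits = []
    for line in log_lines:
        peer = parse_out_of_sync(line)
        if peer and peer[1] != active.remote_port:
            hits.append(peer)
    return hits


def analyze(profiles_text, log_lines, active_name):
    """Run both checks for the profile named active_name."""
    profiles = [parse_profile(n, t) for n, t in profiles_text.items()]
    active = next(p for p in profiles if p.name == active_name)
    return {"profiles": profiles,
            "duplicate_keys": duplicate_keys(profiles),
            "unexpected_peers": unexpected_peers(log_lines, active)}


if __name__ == "__main__":
    result = analyze(PROFILES, LOG_LINES, "domain-1194.ovpn")
    for fp, names in result["duplicate_keys"].items():
        print(f"static key {fp} shared by: {', '.join(names)}")
    for host, port in result["unexpected_peers"]:
        print(f"out-of-sync error from {host}:{port}, not the active remote port")
```

Run it against a real profile directory by replacing `PROFILES` with the file contents and `LOG_LINES` with the client log; an empty `duplicate_keys` result confirms the "keys are all different" observation, and any `unexpected_peers` entry identifies which other server's traffic is reaching the client socket.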
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.