TLS Handshake Errors After Months of No Errors
  • We have an XG-7100 with OpenVPN. It is set up and working. We have been using it for 3-4 months with zero issues. Recently, remote staff started having issues connecting, and when there is an issue, it's always the same error.

    TLS Key Negotiation Failed to Occur in 60 Seconds (Check Network Connectivity)
    TLS Handshake Failed.

    We are using local accounts on the XG-7100 for OpenVPN authentication.

    This error occurs in a house that 2 remote people live in and one person in the house will get the error and the other person will not. Both people in the house are using the same internet connection.

    Any help/suggestion would be nice


  • Rebel Alliance Developer Netgate

    That is a generic error basically meaning the client cannot connect to the server.

    Unless the remote site's router is doing something odd with NAT (like both clients use a static source port and their home firewall uses static port outbound NAT for everything), it shouldn't matter if more than one OpenVPN client is at the same remote location.

    Do any other errors show up in the server side OpenVPN logs? Anything unexpected blocked in the firewall log?



  • Are you having issues with ALL your VPN users, or only the two users you mentioned?

    I got a similar case as well: due to COVID-19 our MY office was forced to shut down, only to find out our OpenVPN was not working at ALL, which affected all users.

    I got this error:
    https://forum.netgate.com/topic/151245/openvpn-read-udp-connection-resert-by-peer-wsaeconnreset-code-10054/6

    After I did all the re-configuration with no luck, I was forced to switch to another ISP, which fixed the issue.

    I assumed our ISP was blocking the VPN traffic.



  • It doesn't affect every user. The house that has the 2 remote users has the most issues. It's totally random. The user can get the error, wait 20-30 mins, try again and it works just fine. Most days we don't get these errors. I even got the error once while testing using our backup business ISP, which is different from the house ISP and our primary business ISP.


  • Rebel Alliance Developer Netgate

    What errors, if any, appear on the server side when they fail to connect?

    The way it comes and goes sounds more like a client-side ISP issue than a server problem.



  • @jimp

    The log file overwrites so quickly because there are so many entries. When it happens again I'll make sure to jump in there right away. I can see 2000 rows, but that fills up quickly. As of 1:00pm today I could see back to 9:15am today.


  • Rebel Alliance Developer Netgate

    If you connect via SSH you can monitor the log directly and, if you set a large scrollback buffer in the client, can capture more logs. From the shell, run clog -f /var/log/openvpn.log

    Or set up a syslog server and export the logs there for more/longer-term storage.


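An added example, not from anyone in this thread, of filtering the stream from clog -f /var/log/openvpn.log so the TLS failures the original poster is chasing can be tallied per remote peer before the 2000-row buffer rolls over. The function names and the sample log lines are constructed for this example (syslog-style OpenVPN server lines, documentation IP ranges).

```shell
#!/bin/sh
# Added example: summarise server-side OpenVPN TLS failures per remote peer.
# Live use on the firewall:  clog -f /var/log/openvpn.log | tls_fail_summary
# Function names and the sample log lines below are constructed for this example.

# Reads OpenVPN server log lines on stdin and prints one line per peer:
#   <ip:port> <failure count> <timestamp of last failure>
# sorted by failure count, highest first. Keeping the source port in the key
# lets two clients behind one home NAT (same IP, different ports) be told
# apart; two clients landing on the same ip:port would match the static-port
# NAT collision jimp describes above.
tls_fail_summary() {
    awk '
    /TLS Error: TLS key negotiation failed|TLS Error: TLS handshake failed/ {
        peer = "unknown"
        # the peer address is the field right after the "openvpn[pid]:" tag
        for (i = 1; i < NF; i++)
            if ($i ~ /^openvpn\[[0-9]+\]:$/) { peer = $(i + 1); break }
        count[peer]++
        last[peer] = $1 " " $2 " " $3
    }
    END { for (p in count) printf "%s %d %s\n", p, count[p], last[p] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample: one successful handshake and several failed ones,
# two of them from the same ip:port (a client retrying).
sample_log() {
    cat <<'EOF'
Mar 20 09:15:01 openvpn[50812]: 203.0.113.5:54321 TLS: Initial packet from [AF_INET]203.0.113.5:54321
Mar 20 09:16:01 openvpn[50812]: 203.0.113.5:54321 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 20 09:16:01 openvpn[50812]: 203.0.113.5:54321 TLS Error: TLS handshake failed
Mar 20 09:20:11 openvpn[50812]: 203.0.113.5:41002 [alice] Peer Connection Initiated with [AF_INET]203.0.113.5:41002
Mar 20 09:31:45 openvpn[50812]: 198.51.100.9:60010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 20 09:31:45 openvpn[50812]: 198.51.100.9:60010 TLS Error: TLS handshake failed
Mar 20 09:45:02 openvpn[50812]: 203.0.113.5:54321 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF
}

# Stand-alone demo on the constructed sample.
sample_log | tls_fail_summary
```

A peer that fails repeatedly while another peer behind the same public IP connects fine (as in the sample) points at the client side or its path, which is the pattern jimp is asking the poster to confirm.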