Open VPN Errors PID_ERR replay-window backtrack occurred and Authenticate/Decrypt packet error: bad packet ID
- 
 Hi, I have upgraded my SG-4860 to a 6100-Max and I am having a problem with my OpenVPN connection. I am noticing the following errors and behaviour after enabling verbosity on client devices. I am seeing those errors on at least 2 clients; one client is connected on LAN and the other one is connected over Wi-Fi, and both clients have good internet speed (500D/20U). I have also got reports from 50 users about latency and slowness that was not seen when I was using the SG-4860. This is a sample of the errors I am seeing on the client side:

 Fri Sep 23 09:54:18 2022 PID_ERR replay-window backtrack occurred [61] [SSL-0] [000000000000000000000000000___________0_______________________00] 0:70517 0:70456 t=1663941258[0] r=[-3,64,15,61,1] sl=[11,64,64,528]
 Fri Sep 23 09:54:18 2022 PID_ERR replay-window backtrack occurred [69] [SSL-0] [000000000000000000000000000000000000___________0________________] 0:70526 0:70457 t=1663941258[0] r=[-3,64,15,69,1] sl=[2,64,64,528]
 Fri Sep 23 09:54:18 2022 PID_ERR large diff [69] [SSL-0] [000000000000000000000000000000000000___________0________________] 0:70526 0:70457 t=1663941258[0] r=[-3,64,15,69,1] sl=[2,64,64,528]
 Fri Sep 23 09:54:18 2022 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70457 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
 Fri Sep 23 09:54:18 2022 PID_ERR large diff [68] [SSL-0] [000000000000000000000000000000000000___________0________________] 0:70526 0:70458 t=1663941258[0] r=[-3,64,15,69,1] sl=[2,64,64,528]
 Fri Sep 23 09:54:18 2022 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70458 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
 Fri Sep 23 09:54:18 2022 PID_ERR replay-window backtrack occurred [73] [SSL-0] [000000000000000000000000000000000000000000___________0__________] 0:70532 0:70459 t=1663941258[0] r=[-3,64,15,73,1] sl=[60,64,64,528]
 Fri Sep 23 09:54:18 2022 PID_ERR large diff [73] [SSL-0] [000000000000000000000000000000000000000000___________0__________] 0:70532 0:70459 t=1663941258[0] r=[-3,64,15,73,1] sl=[60,64,64,528]
 Fri Sep 23 09:54:18 2022 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #70459 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
 Fri Sep 23 09:54:18 2022 PID_ERR replay-window backtrack occurred [78] [SSL-0] [000000000000000000000000000000000000000000000000___________0____] 0:70538 0:70460 t=1663941258[0] r=[-3,64,15,78,1] sl=[54,64,64,528]
 Fri Sep 23 09:54:18 2022 PID_ERR large diff [78] [SSL-0] [000000000000000000000000000000000000000000000000___________0____] 0:70538 0:70460 t=1663941258[0] r=[-3,64,15,78,1] sl=[54,64,64,528]

 On the Netgate 4860 I was running pfSense 2.4.5p1 and I migrated my configuration to the 6100 running pfSense 22.05 with the latest firmware. I also managed to disable flow control on the network interfaces.
 On the Netgate 6100 I am running on a 1Gbps symmetric link. In addition to the errors reported above I am having lag and latency; for example, when having an MS Teams call the voice is cutting out, and when running commands in a PuTTY terminal I am noticing freezes and delays in the output response.

 This is the OpenVPN configuration that was on the SG-4860:

 dev ovpns1
 verb 4
 dev-type tun
 dev-node /dev/tun1
 writepid /var/run/openvpn_server1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 inactive 60
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto udp4
 cipher AES-256-CBC
 auth SHA256
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 client-connect /usr/local/sbin/openvpn.attributes.sh
 client-disconnect /usr/local/sbin/openvpn.attributes.sh
 local X.X.X.X
 engine cryptodev
 tls-server
 server 192.168.72.0 255.255.255.0
 client-config-dir /var/etc/openvpn-csc/server1
 username-as-common-name
 plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user XXXXXXXXXXXX= true server1 1194
 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'X.X.X.X' 1"
 lport 1194
 management /var/etc/openvpn/server1.sock unix
 max-clients 100
 push "dhcp-option DOMAIN local"
 push "dhcp-option DNS 192.168.69.5"
 push "dhcp-option DNS 192.168.69.8"
 push "dhcp-option DNS 172.20.20.1"
 push "dhcp-option DNS 185.228.168.112"
 push "block-outside-dns"
 push "register-dns"
 push "redirect-gateway def1"
 client-to-client
 ca /var/etc/openvpn/server1.ca
 cert /var/etc/openvpn/server1.cert
 key /var/etc/openvpn/server1.key
 dh /etc/dh-parameters.2048
 crl-verify /var/etc/openvpn/server1.crl-verify
 tls-auth /var/etc/openvpn/server1.tls-auth 0
 ncp-ciphers AES-128-GCM:AES-256-CBC
 persist-remote-ip
 float
 topology subnet

 And this is my configuration on the Netgate 6100-MAX:

 dev ovpns1
 disable-dco
 verb 3
 dev-type tun
 dev-node /dev/tun1
 writepid /var/run/openvpn_server1.pid
 #user nobody
 #group nobody
 script-security 3
 daemon
 keepalive 10 60
 ping-timer-rem
 persist-tun
 persist-key
 proto udp4
 auth SHA256
 up /usr/local/sbin/ovpn-linkup
 down /usr/local/sbin/ovpn-linkdown
 client-connect /usr/local/sbin/openvpn.attributes.sh
 client-disconnect /usr/local/sbin/openvpn.attributes.sh
 local X.X.X.X
 tls-server
 server 192.168.72.0 255.255.255.0
 client-config-dir /var/etc/openvpn/server1/csc
 username-as-common-name
 plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user XXXXXXXXXX= true server1 1194
 tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'X.X.X.X' 1"
 lport 1194
 management /var/etc/openvpn/server1/sock unix
 max-clients 100
 push "dhcp-option DOMAIN local"
 push "dhcp-option DNS 192.168.69.5"
 push "dhcp-option DNS 192.168.69.8"
 push "dhcp-option DNS 172.20.20.1"
 push "dhcp-option DNS 185.228.168.112"
 push "block-outside-dns"
 push "register-dns"
 push "redirect-gateway def1"
 client-to-client
 capath /var/etc/openvpn/server1/ca
 cert /var/etc/openvpn/server1/cert
 key /var/etc/openvpn/server1/key
 dh /etc/dh-parameters.2048
 tls-auth /var/etc/openvpn/server1/tls-auth 0
 data-ciphers AES-128-GCM:AES-256-CBC
 data-ciphers-fallback AES-256-CBC
 allow-compression asym
 passtos
 persist-remote-ip
 float
 topology subnet
 inactive 60

 I masked my gateway above just for privacy. Any help would be highly appreciated. @stephenw10 @jimp @johnpoz I know you guys have better experience than I, so I hope you can check my config and recommend any changes.
- 
 This is my client config:

 dev tun
 persist-tun
 persist-key
 data-ciphers AES-128-GCM:AES-256-CBC
 data-ciphers-fallback AES-256-CBC
 auth SHA256
 tls-client
 client
 resolv-retry infinite
 remote X.X.X.X 1194 udp4
 nobind
 verify-x509-name "X.X.X.X" name
 auth-user-pass
 pkcs12 pfsense-UDP4-1194-khodorb.p12
 tls-auth pfsense-UDP4-1194-khodorb-tls.key 1
 remote-cert-tls server
 explicit-exit-notify
 verb 4
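
 An added example, not part of the original post: a small triage script that reads PID_ERR lines like the ones quoted above and reports how far behind the newest packet the late packets arrived, compared with the replay window. The field interpretation (bracketed diff, newest ID, received ID, window size in `r=[...]`) is an assumption read from the excerpt, and `summarize_pid_errors` is a hypothetical helper name.

```python
import re

# Four lines copied from the log excerpt in the post above.
SAMPLE = """\
Fri Sep 23 09:54:18 2022 PID_ERR replay-window backtrack occurred [61] [SSL-0] [000000000000000000000000000___________0_______________________00] 0:70517 0:70456 t=1663941258[0] r=[-3,64,15,61,1] sl=[11,64,64,528]
Fri Sep 23 09:54:18 2022 PID_ERR large diff [69] [SSL-0] [000000000000000000000000000000000000___________0________________] 0:70526 0:70457 t=1663941258[0] r=[-3,64,15,69,1] sl=[2,64,64,528]
Fri Sep 23 09:54:18 2022 PID_ERR large diff [68] [SSL-0] [000000000000000000000000000000000000___________0________________] 0:70526 0:70458 t=1663941258[0] r=[-3,64,15,69,1] sl=[2,64,64,528]
Fri Sep 23 09:54:18 2022 PID_ERR large diff [78] [SSL-0] [000000000000000000000000000000000000000000000000___________0____] 0:70538 0:70460 t=1663941258[0] r=[-3,64,15,78,1] sl=[54,64,64,528]
"""

# Assumed field reading, taken from the excerpt: the bracketed number after
# the message equals newest_id - received_id, and the second value in r=[...]
# (64 here) is the replay-window size in packets.
PID_ERR = re.compile(
    r"PID_ERR (?P<msg>[a-z\- ]+?) \[(?P<diff>\d+)\] \[[^\]]*\] \[[^\]]*\] "
    r"\d+:(?P<newest>\d+) \d+:(?P<got>\d+) .*? r=\[-?\d+,(?P<window>\d+),"
)

def summarize_pid_errors(log_text):
    """Summarize PID_ERR lines: backtrack distance versus the replay window."""
    window, max_diff, mismatched = None, 0, 0
    rejected = set()  # packet IDs dropped on a "large diff" line
    for line in log_text.splitlines():
        m = PID_ERR.search(line)
        if not m:
            continue
        diff, newest, got = int(m["diff"]), int(m["newest"]), int(m["got"])
        window = int(m["window"])
        if newest - got != diff:
            mismatched += 1  # line does not fit the assumed field layout
        max_diff = max(max_diff, diff)
        if m["msg"] == "large diff":
            rejected.add(got)
    return {
        "window": window,
        "max_backtrack": max_diff,
        "rejected_ids": sorted(rejected),
        # Arithmetic only: smallest window larger than every observed diff.
        "min_window_to_accept": max_diff + 1 if window is not None else None,
        "mismatched_lines": mismatched,
    }

if __name__ == "__main__":
    for key, value in summarize_pid_errors(SAMPLE).items():
        print(f"{key}: {value}")
```

 Distinct, consecutive rejected IDs that each arrive more than the window size behind the newest packet point to delayed or reordered delivery on the path; a repeated ID would be the pattern to investigate as a replay.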