TLS_ERROR: 1408F119: decryption failed or bad record mac

fchafee
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 02, 2020 5:19 pm

TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by fchafee » Wed Sep 02, 2020 5:24 pm

I have a newly installed client (v2.4.2) on a new Windows 10 Pro laptop that is not connecting to the VPN server while others in the same network are connecting. I have run tests with all client firewall and antivirus systems offline; however, I am still getting the decryption failed message. Below is the client's configuration and snippets of the server's log from a failed and a successful connection.

Client Config

client
dev tun
dev-node OpenVPN_Tap
proto udp
remote vpn.pvaglobal.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert chodges-pc.crt
key chodges-pc.key
ns-cert-type server
comp-lzo
verb 5


Server log snippet for failed connection:

Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 Re-using SSL/TLS context
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 LZO compression initialized
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 Local Options hash (VER=V4): '530fdded'
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 Expected Remote Options hash (VER=V4): '41690919'
Aug 31 16:35:32 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS: Initial packet from 97.73.96.98:51129, sid=bc25a418 c197c97e
Aug 31 16:35:48 pva-pdc openvpn[2587]: 97.73.96.98:51129 CRL CHECK OK: /C=US/ST=NC/L=Burlington/O=PVA-VPN/OU=PVA/CN=PVA-PDC/emailAddress=admin@pvaglobal.com
Aug 31 16:35:48 pva-pdc openvpn[2587]: 97.73.96.98:51129 VERIFY OK: depth=1, /C=US/ST=NC/L=Burlington/O=PVA-VPN/OU=PVA/CN=PVA-PDC/emailAddress=admin@pvaglobal.com
Aug 31 16:35:48 pva-pdc openvpn[2587]: 97.73.96.98:51129 CRL CHECK OK: /C=US/ST=NC/O=PVA-VPN/OU=PVA/CN=chodges-pc/emailAddress=admin@pvaglobal.com
Aug 31 16:35:48 pva-pdc openvpn[2587]: 97.73.96.98:51129 VERIFY OK: depth=0, /C=US/ST=NC/O=PVA-VPN/OU=PVA/CN=chodges-pc/emailAddress=admin@pvaglobal.com
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS Error: TLS object -> incoming plaintext read error
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS Error: TLS handshake failed
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 SIGUSR1[soft,tls-error] received, client-instance restarting

Server log snippet of successful connection:

Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 Re-using SSL/TLS context
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 LZO compression initialized
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 Local Options hash (VER=V4): '530fdded'
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 Expected Remote Options hash (VER=V4): '41690919'
Sep  1 13:51:58 pva-pdc openvpn[2588]: 97.73.96.98:51162 TLS: Initial packet from 97.73.96.98:51162, sid=79f8bcd7 69e7b4d5
Sep  1 13:52:09 pva-pdc openvpn[2588]: 97.73.96.98:51162 CRL CHECK OK: /C=US/ST=NC/L=Burlington/O=PVA-VPN/OU=PVA/CN=PVA-PDC/emailAddress=admin@pvaglobal.com
Sep  1 13:52:09 pva-pdc openvpn[2588]: 97.73.96.98:51162 VERIFY OK: depth=1, /C=US/ST=NC/L=Burlington/O=PVA-VPN/OU=PVA/CN=PVA-PDC/emailAddress=admin@pvaglobal.com
Sep  1 13:52:09 pva-pdc openvpn[2588]: 97.73.96.98:51162 CRL CHECK OK: /C=US/ST=NC/O=PVA-VPN/CN=frankchafee-pc/emailAddress=admin@pvaglobal.com
Sep  1 13:52:09 pva-pdc openvpn[2588]: 97.73.96.98:51162 VERIFY OK: depth=0, /C=US/ST=NC/O=PVA-VPN/CN=frankchafee-pc/emailAddress=admin@pvaglobal.com
Sep  1 13:52:13 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep  1 13:52:13 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  1 13:52:13 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep  1 13:52:13 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sep  1 13:52:16 pva-pdc openvpn[2588]: 97.73.96.98:51162 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep  1 13:52:16 pva-pdc openvpn[2588]: 97.73.96.98:51162 [frankchafee-pc] Peer Connection Initiated with 97.73.96.98:51162
Sep  1 13:52:16 pva-pdc openvpn[2588]: frankchafee-pc/97.73.96.98:51162 MULTI: Learn: 10.8.0.14 -> frankchafee-pc/97.73.96.98:51162
Sep  1 13:52:16 pva-pdc openvpn[2588]: frankchafee-pc/97.73.96.98:51162 MULTI: primary virtual IP for frankchafee-pc/97.73.96.98:51162: 10.8.0.14
Sep  1 13:52:17 pva-pdc openvpn[2588]: frankchafee-pc/97.73.96.98:51162 PUSH: Received control message: 'PUSH_REQUEST'
Sep  1 13:52:17 pva-pdc openvpn[2588]: frankchafee-pc/97.73.96.98:51162 SENT CONTROL [frankchafee-pc]: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 10.8.0.1,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13' (status=1)
Last edited by Pippin on Wed Sep 02, 2020 5:40 pm, edited 1 time in total.
Reason: Formatting
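
A triage sketch for the two server log snippets in the post above, added here as an example (not code from the thread or from OpenVPN): it groups lines by peer address, pulls the certificate CN and the OpenSSL error code, and flags legacy parameters in sessions that did connect. The function name, the regexes and the weak-parameter list are assumptions of this example; the sample lines are abridged from the post.

```python
import re

# Constructed sample: lines abridged from the two server log snippets in the post above.
SAMPLE_LOG = """\
Aug 31 16:35:48 pva-pdc openvpn[2587]: 97.73.96.98:51129 VERIFY OK: depth=0, /C=US/ST=NC/O=PVA-VPN/OU=PVA/CN=chodges-pc/emailAddress=admin@pvaglobal.com
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS_ERROR: BIO read tls_read_plaintext error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Aug 31 16:35:51 pva-pdc openvpn[2587]: 97.73.96.98:51129 TLS Error: TLS handshake failed
Sep  1 13:52:09 pva-pdc openvpn[2588]: 97.73.96.98:51162 VERIFY OK: depth=0, /C=US/ST=NC/O=PVA-VPN/CN=frankchafee-pc/emailAddress=admin@pvaglobal.com
Sep  1 13:52:13 pva-pdc openvpn[2588]: 97.73.96.98:51162 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sep  1 13:52:16 pva-pdc openvpn[2588]: 97.73.96.98:51162 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sep  1 13:52:16 pva-pdc openvpn[2588]: 97.73.96.98:51162 [frankchafee-pc] Peer Connection Initiated with 97.73.96.98:51162
Sep  1 13:52:17 pva-pdc openvpn[2588]: frankchafee-pc/97.73.96.98:51162 PUSH: Received control message: 'PUSH_REQUEST'
"""

# "<syslog prefix> openvpn[pid]: [cn/]ip:port message"; the cn/ prefix appears once a peer is authenticated.
LINE = re.compile(r"openvpn\[\d+\]: (?:[^/\s]+/)?(\d{1,3}(?:\.\d{1,3}){3}:\d+) (.*)")
CN = re.compile(r"VERIFY OK: depth=0, .*?/CN=([^/]+)")
SSL_ERR = re.compile(r"TLS_ERROR: .*error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):(.*)")
CIPHER = re.compile(r"Data Channel Encrypt: Cipher '([^']+)'")
CONTROL = re.compile(r"Control Channel: (TLSv[\d.]+), cipher \S+ (\S+), (\d+) bit RSA")

def summarize_sessions(log_text):
    """Group server log lines by peer ip:port; report identity, outcome and weak parameters."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        peer, msg = m.groups()
        s = sessions.setdefault(peer, {"cn": None, "outcome": "incomplete", "ssl_error": None, "weak": []})
        if (c := CN.search(msg)):
            s["cn"] = c.group(1)
        elif (e := SSL_ERR.search(msg)):
            s["ssl_error"] = {"code": e.group(1), "function": e.group(2), "reason": e.group(3)}
        elif "TLS handshake failed" in msg:
            s["outcome"] = "handshake_failed"
        elif "Peer Connection Initiated" in msg:
            s["outcome"] = "connected"
        elif (d := CIPHER.search(msg)) and d.group(1) in ("BF-CBC", "DES-EDE3-CBC"):
            s["weak"].append(f"data cipher {d.group(1)} (64-bit block)")
        elif (t := CONTROL.search(msg)):
            if t.group(1) in ("TLSv1", "TLSv1.1"):
                s["weak"].append(f"control channel {t.group(1)}")
            if int(t.group(3)) < 2048:
                s["weak"].append(f"{t.group(3)} bit RSA")
    return sessions

if __name__ == "__main__":
    print(summarize_sessions(SAMPLE_LOG))
```

The failed session never reaches the "Data Channel" and "Control Channel" lines, so its weak list stays empty; the parameters the server negotiates are only visible from the session that connected.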

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by Pippin » Wed Sep 02, 2020 5:43 pm

Update (v2.4.2) first.
2.4.9 is current.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

fchafee
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 02, 2020 5:19 pm

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by fchafee » Wed Sep 02, 2020 6:15 pm

Any client past client version 2.4.2 is not compatible with the server. I am not in a position at the moment to upgrade the server. The same install and configuration works on other computers, so what could be happening on this one client that causes it to not connect?

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by TinCanTech » Wed Sep 02, 2020 6:56 pm

fchafee wrote (Wed Sep 02, 2020 6:15 pm):
"Any client past client version 2.4.2 is not compatible with the server"

And the server is version .. let us take a guess .. v2.3.2

https://community.openvpn.net/openvpn/w ... edVersions

fchafee
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 02, 2020 5:19 pm

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by fchafee » Wed Sep 02, 2020 9:04 pm

The server was set up in 2008, so probably a v2.0

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by TinCanTech » Wed Sep 02, 2020 9:29 pm

fchafee wrote (Wed Sep 02, 2020 9:04 pm):
"probably a v2.0"

I.e. you have no idea ..

viewtopic.php?f=30&t=22603#p93575

OxxRaad
OpenVpn Newbie
Posts: 1
Joined: Fri Nov 20, 2020 2:18 pm

Re: TLS_ERROR: 1408F119: decryption failed or bad record mac

Post by OxxRaad » Fri Nov 20, 2020 3:02 pm

Hello fchafee,

I have the same problem on my side.
As you said:

fchafee wrote (Wed Sep 02, 2020 6:15 pm):
"The same install and configuration works on other computers"

Currently, I have multiple computers with the same configuration (same installer (v2.4.1), process to create the key and certificate, and ) and everything works without trouble.
This problem occurs on several computers purchased recently (2 models since September).

I was going to create a new topic with my logs and additional information, but the logs/problem look like yours ("decryption failed or bad record mac").
Have you been able to correct the problem?
