Package: openvpn Version: 2.4.0-6+deb9u2 Severity: normal Dear Maintainer,
2 servers are connected in tun mode, both running stable version. After a kernel upgrade we reboot the master server, 1/2 hour or more after the client one when the master already rebooted and the client correctly reopened the VPN link. Here raise the problem. To solve the problem we have to restart master openvpn daemon. On the client side we have in logs: Sat Oct 13 17:17:17 2018 Initialization Sequence Completed Sat Oct 13 17:17:21 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:26 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:31 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:35 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:36 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed Sat Oct 13 17:17:37 2018 NOTE: --mute triggered... On the server side: Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: Received control message: 'PUSH_REQUEST' Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 SENT CONTROL [kumquat]: 'PUSH_REPLY,route 10.0.70.0 255.255.255.0,route 10.2.70.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.12.0 255.255.255.0,topology p2p,ping 10,ping-restart 120,ifconfig 10.99.0.54 10.99.0.49,peer-id 0' (status=1) Sat Oct 13 17:17:18 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:19 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:30 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:31 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:32 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:33 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed Sat Oct 13 17:17:44 2018 kumquat/xx.xx.xx.138:1194 NOTE: --mute triggered... -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages openvpn depends on: ii debconf [debconf-2.0] 1.5.61 ii init-system-helpers 1.48 ii iproute2 4.9.0-1+deb9u1 ii libc6 2.24-11+deb9u3 ii liblz4-1 0.0~r131-2+b1 ii liblzo2-2 2.08-1.2+b2 ii libpam0g 1.1.8-3.6 ii libpkcs11-helper1 1.21-1 ii libssl1.0.2 1.0.2l-2+deb9u3 ii libsystemd0 232-25+deb9u4 ii lsb-base 9.20161125 Versions of packages openvpn recommends: ii easy-rsa 2.2.2-2 Versions of packages openvpn suggests: ii openssl 1.1.0f-3+deb9u2 pn resolvconf <none> -- Configuration Files: /etc/default/openvpn changed: AUTOSTART="mango" OPTARGS="" OMIT_SENDSIGS=0 /etc/openvpn/update-resolv-conf changed: [ -x /sbin/resolvconf ] || exit 0 case $script_type in up) for optionname in ${!foreign_option_*} ; do option="${!optionname}" echo $option part1=$(echo "$option" | cut -d " " -f 1) if [ "$part1" == "dhcp-option" ] ; then part2=$(echo "$option" | cut -d " " -f 2) part3=$(echo "$option" | cut -d " " -f 3) if [ "$part2" == "DNS" ] ; then IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" fi if [ "$part2" == "DOMAIN" ] ; then IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" fi fi done R="" for SS in $IF_DNS_SEARCH ; do R="${R}search $SS " done for NS in $IF_DNS_NAMESERVERS ; do R="${R}nameserver $NS " done echo -n "$R" | /sbin/resolvconf -a "${dev}.inet" ;; down) /sbin/resolvconf -d "${dev}.inet" ;; esac -- debconf information: openvpn/create_tun: false