Hello. We have an internal Wifi subnet that requires users to connect to VPN to access certain resources. This has worked fine for ages. Due to a change in the way the network is engineered, I changed the subnet for our local Wifi users. This coincided with migrating our WAPs from an old controller to a newer one. As soon as this cutover was done I tested VPN connection from my laptop which was associated to the new AP and was unable to connect.
The VPN logs for the vtun began showing a lot of “TLS Error: local/remote TLS keys are out of sync” errors from the new IP:
2023-11-08 20:07:17 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.20.24.5:62247 (via [AF_INET]10.39.1.255%bond0) [1]
2023-11-08 20:07:17 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.20.24.5:62247 (via [AF_INET]10.39.1.255%bond0) [1]
2023-11-08 20:07:17 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.20.24.5:62247 (via [AF_INET]10.39.1.255%bond0) [1]
2023-11-08 20:07:17 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.20.24.5:62247 (via [AF_INET]10.39.1.255%bond0) [1]
Also these errors:
2023-11-08 20:07:48 172.20.24.5:60813 SIGUSR1[soft,tls-error] received, client-instance restarting
2023-11-08 20:08:08 172.20.24.5:60622 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-11-08 20:08:08 172.20.24.5:60622 TLS Error: TLS handshake failed
Initially I suspected either a firewall or routing issue, but since the vyos is generating error messages specifically from my new IP address, it would appear neither of those is the case. I ended up having to migrate all our WAPs back to the old controller. Once done, I was connecting on the previous subnet and the VPN connected with no problem.
Can anyone provide the next steps to find the cause of this problem? The old subnet and new subnet were consecutive /22s. Neither the previous nor new client subnets are defined in the vyos config (thought perhaps I had neglected to change/update something there).
Thanks.