11-20-2012 10:56 AM
Hi
Sorry for the "bad" title, but that's what's actually happening.
I have a NAT rule translating the external interface IP to an internal server from port 443 to 8443 (for OpenVPN) and to the same server for SSH (no port translation).
When I connect with OpenVPN to the VPN Server, it connects fine, but as soon as I have a certain amount of traffic (i.e. opening a webpage), the client drops the connection with:
----cut---
Nov 20 19:38:21: Authenticate/Decrypt packet error: packet HMAC authentication failed
Nov 20 19:38:21: Fatal decryption error (process_incoming_link), restarting
Nov 20 19:38:21: SIGUSR1[soft,decryption-error] received, process restarting
---cut---
I first assumed a problem on the VPN Server, but connecting to it bypassing the PA works perfectly fine.
I also tried configuring "Disable server response" in the security policy with no effect.
The above-mentioned does not only kill my OpenVPN connections, but also does the same for an SSH connection to the same server (Error Message: HMAC Error, connection reset) as soon as there is some traffic on the connection (e.g. less a bigger log file).
Can anyone give me a hint where to dig deeper in order to find the problem?
Thanks
Andre
05-02-2013 05:44 AM
Do you have specific application policies other than the NAT rule? I would try to do some logging on the security policies and some packet capture to see if and how the traffic passes through the PAN.
05-02-2013 04:58 PM
Auth failures could imply fragmented encrypted traffic with some missing fragments. PCAPs should help determine if this is the case. Also ensure that you do not have any zone protection profiles which block frags.
-Richard
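The capture check suggested in the reply above, written out as an added example (not code from the thread or from the vendor): it reads a classic pcap and lists the IPv4 datagrams whose fragments did not all reach the capture point. The function names, the addresses and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict

def incomplete_fragment_trains(pcap: bytes):
    """Return (src, dst, proto, ip_id) of IPv4 datagrams with fragments missing from the capture."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    trains = defaultdict(lambda: {"spans": [], "total": None})
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 (VLAN tags are not handled)
        ip = frame[14:]
        total_len, ip_id, flags_off = struct.unpack("!HHH", ip[2:8])
        more, offset = bool(flags_off & 0x2000), (flags_off & 0x1FFF) * 8
        if not more and offset == 0:
            continue  # unfragmented datagram
        end_byte = offset + total_len - (ip[0] & 0x0F) * 4
        train = trains[(ip[12:16], ip[16:20], ip[9], ip_id)]
        train["spans"].append((offset, end_byte))
        if not more:
            train["total"] = end_byte  # last fragment fixes the payload length
    missing = []
    for key, train in trains.items():
        covered = 0
        for start, stop in sorted(train["spans"]):
            if start > covered:
                break  # hole: a fragment never reached the capture point
            covered = max(covered, stop)
        if train["total"] is None or covered < train["total"]:
            missing.append(key)
    return missing

def build_frame(ip_id, offset, more, size):  # constructed Ethernet+IPv4 fragment, UDP proto
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + size, ip_id,
                     (0x2000 if more else 0) | offset // 8, 64, 17, 0,
                     bytes([198, 51, 100, 7]), bytes([192, 0, 2, 10]))
    return bytes(12) + b"\x08\x00" + ip + bytes(size)

def build_pcap(frames):  # classic little-endian pcap, Ethernet link type
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

# Constructed capture: datagram 1 is complete, datagram 2 lost its middle fragment.
SAMPLE = build_pcap([build_frame(1, 0, True, 1480), build_frame(1, 1480, False, 100),
                     build_frame(2, 0, True, 1480), build_frame(2, 2960, False, 100)])
```

Running it over captures taken on both sides of the firewall shows whether fragments present on one side are absent on the other.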