OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: penley on June 10, 2020, 04:36:03 pm

Title: OpenVPN log show Authenticate/Decrypt packet error: bad packet ID may be replay
Post by: penley on June 10, 2020, 04:36:03 pm
Hello,

I enabled netflow for local capture on several OPNsense machines for LAN and WAN interfaces. These machines have a site-to-site VPN setup.
Once netflow was enabled the connection to the LAN for the remote OPNsense machines went down. Each for around 10 to 15 minutes.

I looked at our main firewall these remote sites connect to and the OpenVPN tunnel to each site never showed as down. So it seems only the connection to the LAN went down.

The version of OPNsense we're using is 20.1.6
I did see this message in the VPN log file on the remote OPNsense machines:
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1552650 / time = (1590696725) Thu May 28 16:12:05 2020 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

I've not seen this message before, but it's only in the log of the remote OPNsense machine, not our main firewall these machines connect to. The "authenticate\decrypt packet error" message shows in the VPN log as starting when the connection was lost and ending when the connection came back up.

Has anyone else experienced this before?

Kind regards,
penley
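As an added example (not part of penley's posts or of the OPNsense/OpenVPN code), the following Python script picks the "bad packet ID (may be a replay)" warnings out of OpenVPN log lines and groups them into bursts, so the first and last warning of a run can be compared against the window in which the LAN became unreachable, as described above. The syslog prefix, hostname, process ID and all lines other than the first are constructed for the example; the warning text itself follows the line quoted in the post.

```python
import re
from datetime import datetime, timezone

# The warning as OpenVPN writes it: the rejected packet ID and the epoch time
# are the two fields worth extracting.
REPLAY_RE = re.compile(
    r"bad packet ID \(may be a replay\): \[ #(?P<pid>\d+) / time = \((?P<epoch>\d+)\)"
)

WARN_TAIL = (" -- see the man page entry for --no-replay and --replay-window "
             "for more info or silence this warning with --mute-replay-warnings")

# Constructed sample log: the first line mirrors the thread's excerpt, the rest
# are made up to show one run of warnings, a quiet gap, then a second run.
SAMPLE_LINES = [
    "May 28 16:12:05 fw-remote openvpn[2231]: Authenticate/Decrypt packet error: "
    "bad packet ID (may be a replay): [ #1552650 / time = (1590696725) Thu May 28 16:12:05 2020 ]" + WARN_TAIL,
    "May 28 16:12:11 fw-remote openvpn[2231]: Authenticate/Decrypt packet error: "
    "bad packet ID (may be a replay): [ #1552651 / time = (1590696731) Thu May 28 16:12:11 2020 ]" + WARN_TAIL,
    "May 28 16:12:40 fw-remote openvpn[2231]: Authenticate/Decrypt packet error: "
    "bad packet ID (may be a replay): [ #1552652 / time = (1590696760) Thu May 28 16:12:40 2020 ]" + WARN_TAIL,
    "May 28 16:13:02 fw-remote openvpn[2231]: Initialization Sequence Completed",
    "May 28 16:24:00 fw-remote openvpn[2231]: Authenticate/Decrypt packet error: "
    "bad packet ID (may be a replay): [ #1552900 / time = (1590697440) Thu May 28 16:24:00 2020 ]" + WARN_TAIL,
    "May 28 16:24:05 fw-remote openvpn[2231]: Authenticate/Decrypt packet error: "
    "bad packet ID (may be a replay): [ #1552901 / time = (1590697445) Thu May 28 16:24:05 2020 ]" + WARN_TAIL,
]


def parse_replay_warning(line):
    """Return (packet_id, epoch_seconds) for a replay warning line, else None."""
    m = REPLAY_RE.search(line)
    if not m:
        return None
    return int(m.group("pid")), int(m.group("epoch"))


def replay_bursts(lines, gap_seconds=60):
    """Group replay warnings into bursts.

    A new burst starts whenever the gap to the previous warning exceeds
    gap_seconds. Each burst records its first and last epoch, the number of
    warnings, and the set of packet IDs seen (repeated IDs mean the same
    packet was rejected more than once).
    """
    events = [e for e in (parse_replay_warning(l) for l in lines) if e]
    events.sort(key=lambda e: e[1])  # log order is not guaranteed to be time order
    bursts = []
    for pid, ts in events:
        if bursts and ts - bursts[-1]["end"] <= gap_seconds:
            b = bursts[-1]
            b["end"] = ts
            b["count"] += 1
            b["packet_ids"].add(pid)
        else:
            bursts.append({"start": ts, "end": ts, "count": 1, "packet_ids": {pid}})
    return bursts


def describe(burst):
    """Human-readable one-liner for a burst, timestamps rendered in UTC."""
    fmt = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
    duration = burst["end"] - burst["start"]
    return (f"{fmt(burst['start'])} .. {fmt(burst['end'])}  "
            f"{burst['count']} warnings, {len(burst['packet_ids'])} distinct packet IDs, "
            f"{duration}s")


if __name__ == "__main__":
    for b in replay_bursts(SAMPLE_LINES):
        print(describe(b))
```

Run it against a real log with `replay_bursts(open("/var/log/openvpn.log"))` (path is an assumption). A burst whose start and end line up with a connectivity outage, as in this thread, points at packets being duplicated or delivered out of order on the path rather than at an adversary replaying traffic; `--replay-window` only widens OpenVPN's tolerance and does not remove the underlying cause.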


Title: Re: OpenVPN log show Authenticate/Decrypt packet error: bad packet ID may be replay
Post by: penley on June 11, 2020, 02:18:37 pm
The remote OPNsense machines went unavailable again and then connectivity came back after 12 minutes. I looked in their VPN log and see the message again: Authenticate/Decrypt packet error: bad packet ID (may be a replay):  -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings.


Is this message because I do not have the ovpn interface listed in the listening interfaces within the Netflow configuration? These firewalls are using a site-to-site OpenVPN connection.

Title: Re: OpenVPN log show Authenticate/Decrypt packet error: bad packet ID may be replay
Post by: penley on July 13, 2020, 06:04:48 pm
I'd like to close the loop on this one. I think I've figured out my mistake.
Our primary HA firewalls are VMs and their WAN and LAN IP addresses were in the same subnet. This has been changed and ever since then I've not seen the "Authenticate/Decrypt packet error: bad packet ID" message in the OpenVPN log. I still have netflow disabled, but have been trying to change one thing at a time to figure this out.

For anyone else who reads this, do not make my mistake and set the WAN and LAN addresses in the same subnet. It causes issues.

Kind regards,
penley