
Authenticate/Decrypt packet error: packet HMAC authentication failed

We have the same problem with only one client, as written in:
https://community.sophos.com/utm-firewall/f/general-discussion/130081/authenticate-decrypt-packet-error-packet-hmac-authentication-failed

All other colleagues work the whole day without any problem. First we used the SSL VPN Client and now Sophos Connect - nothing changed. I tried it with the same ovpn-file as the affected user on my notebook and it works fine.

In the other thread I do not understand the last post from  because the Cryptographic Settings in Advanced Tab are the same for all users:


What could be the problem?

  • If what I said in the other forum post doesn't apply to you, then it isn't your issue, hence why I stated that's 'usually' the issue. Cipher mismatch is the most common occurrence for that specific error.

    Can you post the log entries from the UTM showing when the connect error occurs here (not the log from a client)?

    Have you tried deleting the certificate on the client and downloading an updated file?  I would do this before anything else.

    Is the client a Windows machine or Linux?

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • We started with the SSL VPN Client and a new SSL profile for 2 users. After problems began we tried to re-install the client and ovpn-file, but the error occurred again. So we uninstalled the SSL client, installed Sophos Connect and imported the ovpn-file from the old directory (it wasn't deleted during uninstall). After the error persisted, we imported a new ovpn-file from the UTM, but the error remains.
    Both are Win10 clients.

    Client:
    Thu Jan 06 09:00:28 2022 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Thu Jan 06 09:00:28 2022 Fatal decryption error (process_incoming_link), restarting
    Thu Jan 06 09:00:28 2022 SIGUSR1[soft,decryption-error] received, process restarting
    Thu Jan 06 09:00:28 2022 MANAGEMENT: >STATE:1641456028,RECONNECTING,decryption-error,,,,,
    Thu Jan 06 09:00:28 2022 Restart pause, 5 second(s)

    UTM:
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: username/client-ip-address:62202 Connection reset, restarting [-1]
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: username/client-ip-address:62202 SIGUSR1[soft,connection-reset] received, client-instance restarting
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="username" variant="ssl" srcip="client-ip-address" virtual_ip="10.242.2.6" rx="24184975" tx="82467787"
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0
    2022:01:06-09:00:45 srv90076-2 openvpn[31290]: TCP connection established with [AF_INET]client-ip-address:55428 (via [AF_INET]ip-address-utm:443)
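
    The two log excerpts above carry a clue worth making explicit: the client logs the HMAC failure and restarts itself, while the UTM never logs a decrypt or HMAC error of its own and only records the resulting TCP "Connection reset" followed by a new TCP connection 17 seconds later. The following Python script is an added example (not from the thread's participants or from Sophos) that parses both log formats, correlates the two timelines and reports exactly that pattern. The log lines are the ones posted above, embedded as constructed input; "username", "client-ip-address" and "ip-address-utm" are the poster's placeholders.

    ```python
    """Correlate client-side and UTM-side OpenVPN log lines around an HMAC failure.

    Added example; the sample lines are the ones posted in the thread, embedded
    here as constructed input (placeholders kept as the poster wrote them)."""
    import re
    from datetime import datetime, timedelta

    # Client log, OpenVPN / Sophos Connect format ("Thu Jan 06 09:00:28 2022 <msg>")
    CLIENT_LOG = """\
    Thu Jan 06 09:00:28 2022 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Thu Jan 06 09:00:28 2022 Fatal decryption error (process_incoming_link), restarting
    Thu Jan 06 09:00:28 2022 SIGUSR1[soft,decryption-error] received, process restarting
    Thu Jan 06 09:00:28 2022 MANAGEMENT: >STATE:1641456028,RECONNECTING,decryption-error,,,,,
    Thu Jan 06 09:00:28 2022 Restart pause, 5 second(s)
    """

    # UTM log, Sophos UTM openvpn daemon format ("2022:01:06-09:00:28 <host> openvpn[<pid>]: <msg>")
    UTM_LOG = """\
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: username/client-ip-address:62202 Connection reset, restarting [-1]
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: username/client-ip-address:62202 SIGUSR1[soft,connection-reset] received, client-instance restarting
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: id="2202" severity="info" sys="SecureNet" sub="vpn" event="Connection terminated" username="username" variant="ssl" srcip="client-ip-address" virtual_ip="10.242.2.6" rx="24184975" tx="82467787"
    2022:01:06-09:00:28 srv90076-2 openvpn[31290]: PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-utm.so/PLUGIN_CLIENT_DISCONNECT status=0
    2022:01:06-09:00:45 srv90076-2 openvpn[31290]: TCP connection established with [AF_INET]client-ip-address:55428 (via [AF_INET]ip-address-utm:443)
    """

    CLIENT_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
    UTM_RE = re.compile(r"^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ openvpn\[\d+\]: (.*)$")


    def parse_log(text, pattern, fmt):
        """Return [(timestamp, message)] for every line matching `pattern`."""
        events = []
        for line in text.splitlines():
            m = pattern.match(line)
            if m:
                events.append((datetime.strptime(m.group(1), fmt), m.group(2)))
        return events


    def correlate(client_events, utm_events, window=timedelta(seconds=5)):
        """For each client-side HMAC failure, find the server-side 'Connection reset'
        within `window` and the next TCP reconnect.  Also record whether the UTM
        logged any HMAC/decrypt error itself: if not, the packet was rejected on
        the client and the UTM only saw the TCP reset caused by the client restart."""
        utm_own_error = any("HMAC" in msg or "Decrypt" in msg for _, msg in utm_events)
        findings = []
        for ts, msg in client_events:
            if "packet HMAC authentication failed" not in msg:
                continue
            resets = [t for t, m in utm_events
                      if "Connection reset" in m and ts <= t <= ts + window]
            reconnects = [t for t, m in utm_events
                          if "connection established" in m and t > ts]
            findings.append({
                "client_hmac_failure_at": ts,
                "utm_saw_connection_reset": bool(resets),
                "utm_logged_own_hmac_error": utm_own_error,
                "seconds_until_reconnect": (reconnects[0] - ts).total_seconds() if reconnects else None,
            })
        return findings


    def triage(client_text, utm_text):
        """Parse both logs with their own timestamp format and correlate them."""
        return correlate(parse_log(client_text, CLIENT_RE, "%a %b %d %H:%M:%S %Y"),
                         parse_log(utm_text, UTM_RE, "%Y:%m:%d-%H:%M:%S"))


    if __name__ == "__main__":
        for finding in triage(CLIENT_LOG, UTM_LOG):
            print(finding)
    ```

    Run against the posted lines it yields one finding: the UTM saw the connection reset, logged no HMAC error of its own, and accepted the new TCP connection 17 seconds after the client-side failure. That is the distinction the first reply asks about when it requests the UTM log rather than the client log: a server-side rejection and a client-side decrypt failure look the same to the user but different in the two logs.
    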

  • Hello,

    I think you need a "new" ovpn configuration, not new client software.

    Maybe you changed something to the global parameters of your SSL-setup. Then you need to download the new ovpn definition for all users.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Philipp,

    thanks a lot for your support.

    Nothing was changed in the global SSL parameters.
    More than 50 other VPN connections work with no error. Only two notebooks from a partner have this problem, so I think the problem is to be found there. They tested from the company LAN and from a "free" internet connection (DSL at home). The ovpn configuration of the affected users works fine on my private notebook.

  • Hello,

    this seems to be a different issue, then. Looks like a cipher or a config mismatch, as Amodin already suggested.

    Are you sure, that your partner did not modify his client environment?

    For this setup to connect successfully, "tls-crypt" is needed to be enabled, not only "tls-auth".

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Connections are possible but crash after an undefined time: sometimes 10 min, then 30 min, then 20 min and so on.

    For this setup to connect successfully, "tls-crypt" is needed to be enabled, not only "tls-auth"
    Where can I find these options?

  • I think it could be sufficient to have "tls-client" in the partner's client .ovpn configuration file.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • BTW: did you turn on "compression" in your server configuration?

    Can you turn this OFF for a test, please?

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
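
    The replies above name the settings a practitioner compares first when only one client profile fails: the control-channel protection ("tls-auth" versus "tls-crypt", and the direction of a tls-auth key), the data-channel cipher and HMAC digest, and compression. The following Python checker is an added example, not from the thread's participants or from Sophos: it parses a server config and a client .ovpn profile and lists the directives that disagree. Both configs are constructed for the example (the hostname "vpn.example.invalid" is a placeholder), and the rule set deliberately covers only those five points; it assumes the cipher is not being negotiated by NCP (OpenVPN 2.4+ can override a static "cipher" line).

    ```python
    """List the OpenVPN directives that must agree between server and client.

    Added example; both configs are constructed and are not the poster's or
    Sophos's files.  The rules cover cipher, auth, tls-auth/tls-crypt mode,
    tls-auth key direction and compression only."""
    import re

    # Constructed server config: tls-auth key in direction 0, compression on
    SERVER_CONF = """\
    proto tcp-server
    port 443
    cipher AES-256-CBC
    auth SHA512
    tls-auth ta.key 0
    comp-lzo
    """

    # Constructed client profile: same cipher, different HMAC digest, no compression
    CLIENT_OVPN = """\
    client
    proto tcp-client
    remote vpn.example.invalid 443
    cipher AES-256-CBC
    auth SHA256
    key-direction 1
    <tls-auth>
    # key material would go here
    </tls-auth>
    """


    def parse_config(text):
        """Map directive -> list of argument lists.  Inline <tag> ... </tag> blocks
        are recorded as present (args ['<inline>']) and their body is skipped."""
        cfg, inline = {}, None
        for raw in text.splitlines():
            line = raw.strip()
            if inline:
                if line == f"</{inline}>":
                    inline = None
                continue
            if not line or line[0] in "#;":
                continue
            m = re.fullmatch(r"<([\w-]+)>", line)
            if m:
                inline = m.group(1)
                cfg.setdefault(inline, []).append(["<inline>"])
                continue
            parts = line.split()
            cfg.setdefault(parts[0], []).append(parts[1:])
        return cfg


    def first_arg(cfg, directive, default):
        args = cfg.get(directive)
        return args[0][0] if args and args[0] else default


    def control_mode(cfg):
        """Which control-channel protection a config uses."""
        return "tls-crypt" if "tls-crypt" in cfg else "tls-auth" if "tls-auth" in cfg else "none"


    def key_direction(cfg):
        """tls-auth keys are direction-bound: 'key-direction N' or the second
        argument of 'tls-auth file N'; None when no direction is given."""
        kd = first_arg(cfg, "key-direction", None)
        if kd is not None:
            return kd
        ta = cfg.get("tls-auth")
        if ta and len(ta[0]) == 2:
            return ta[0][1]
        return None


    def find_mismatches(server, client):
        problems = []
        # Data-channel cipher (the 'most common' cause named in the first reply) and
        # HMAC digest: with a non-AEAD cipher, a differing 'auth' makes every data
        # packet fail the HMAC check on the receiving side.
        for d in ("cipher", "auth"):
            s, c = first_arg(server, d, "(default)"), first_arg(client, d, "(default)")
            if s.upper() != c.upper():
                problems.append(f"{d}: server={s} client={c}")
        # Control channel: both sides must use the same mode, and a tls-auth key
        # must be used in direction 0 on the server and 1 on the client (or neither).
        s_mode, c_mode = control_mode(server), control_mode(client)
        if s_mode != c_mode:
            problems.append(f"control channel: server={s_mode} client={c_mode}")
        elif s_mode == "tls-auth":
            dirs = (key_direction(server), key_direction(client))
            if dirs not in ((None, None), ("0", "1")):
                problems.append(f"tls-auth key-direction: server={dirs[0]} client={dirs[1]}")
        # Compression: flagged when only one side sets it, which is what a test
        # with compression switched off on the server would expose.
        s_comp = "comp-lzo" in server or "compress" in server
        c_comp = "comp-lzo" in client or "compress" in client
        if s_comp != c_comp:
            problems.append(f"compression: server={s_comp} client={c_comp}")
        return problems


    if __name__ == "__main__":
        for p in find_mismatches(parse_config(SERVER_CONF), parse_config(CLIENT_OVPN)):
            print("MISMATCH", p)
    ```

    For the two constructed configs the checker reports the "auth" digest and the compression difference and nothing else; a client profile that carries "tls-crypt" against a "tls-auth" server is reported as a control-channel mode mismatch, and a tls-auth key used in direction 0 on both ends as a key-direction error.
    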

  • Compression is activated.
    But now I have no more client for testing because we configured a site-to-site VPN - sorry.
    I see it's not a simple problem....

    Many thanks to all for support