This spring we moved our Pritunl setup from Ubuntu to Oracle Linux (as this is recommended), and since then we have been having problems with sporadic VPN drops. When this happens, the client log has this error:
2024-08-14 11:26:43 AEAD Decrypt error: bad packet ID (may be a replay): [ #26658 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
And in the server logs, we see similar errors:
2024-08-14 11:26:45 us=465216 AEAD Decrypt error: cipher final failed
This is seen across four servers in different AWS regions and with clients from several continents, so it doesn’t seem like a specific network issue for one client/server.
First, I’m seeking guidance on how to approach debugging this issue.
Secondly, I’m curious whether the move from Ubuntu to Oracle Linux could be related, e.g., the introduction of SELinux as part of this move.
Check the server output when starting the server and verify the OpenVPN version is the updated version from the pritunl-openvpn package. The connection fix documentation has information on installing the package.
It looks like the correct package is already installed:
sudo yum --allowerasing install pritunl-openvpn
Last metadata expiration check: 2:55:31 ago on Fri 23 Aug 2024 02:02:00 PM GMT.
Package pritunl-openvpn-2.6.8-1.el8.oraclelinux.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
I also tried updating all system software (including the kernel) to the latest, but I still see the same issue:
2024-08-23 10:25:46 AEAD Decrypt error: bad packet ID (may be a replay): [ #263634 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
For reference, the client version I’m using is Pritunl Client v1.3.3883.60, and it is on macOS 14.6.1.