AWS ClientVPN user gets randomly disconnected, plenty of "AEAD Decrypt error" messages in logfile

0

Hi,

we're currently using AWS ClientVPN with SAML auth and the VPN client provided by AWS.

One of our users gets randomly disconnected from internal services like our phone system. I checked with her and her VPN logs are filled with

ovpn_aws_vpn_client_20230619.log:2023-06-19 15:19:20.639 +02:00 [DBG] >LOG:1687180760,N,AEAD Decrypt error: bad packet ID (may be a replay): [ #312841 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

messages.

Since PMTUD seems to be broken for her, we tested her MTU on connections to the CVPN endpoint manually and found that she can ping only up to a packet size of 1420 bytes. We wanted to try the usual workaround with

mssfix 1380

in the config file, but got an error message that the mssfix command isn't supported and needs to be removed.

Does anybody have an idea what else we could try?

Thanks,

Marc

Marc
asked a year ago · 491 views
3 Answers
0
Accepted Answer

Hi Marc, did you try the tun-mtu config option for OpenMTU rather than mssfix?

See https://www.thegeekpub.com/271035/openvpn-mtu-finding-the-correct-settings/

BTW, my understanding is to subtract 69 and not 40 for maximum allowed length: see MTU section in https://www.adamintech.com/how-to-fix-aead-decrypt-error-bad-packet-id-on-openvpn/

Best,

Didier

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

Hi Didier,

many thanks for your reply - I didn't think of tun-mtu, but we're trying that now. At least it's not rejected by the VPN client, so that's a good start :)

I have honestly no idea how I arrived at 40 to subtract, you are correct of course.

I'll post a summary as soon as I know for sure this works.

Cheers, Marc

Marc
answered a year ago
0

I can confirm this works as described by Didier and solved the connection problem.

Marc
answered a year ago
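
An added example (not code from this thread or from AWS): the manual MTU test described in the question, automated as a binary search over ping sizes with the Don't Fragment bit set, followed by the subtraction given in Didier's answer. It assumes Linux iputils `ping` (`-M do`, `-s`); `PROBE_HOST`, the function names and the 500 to 1472 search bounds are illustrative, and the size reported is the value passed to `ping -s`.

```shell
#!/bin/sh
# Added example: find the largest ping size that crosses the path unfragmented,
# then derive a tun-mtu candidate from it.
# Assumption: Linux iputils ping (-M do = set Don't Fragment, -s = ICMP payload size).

# probe_df HOST SIZE -> exit 0 if a DF-flagged echo of SIZE bytes gets a reply.
# Two packets are sent so a single lost packet does not read as "too big".
probe_df() {
    ping -M do -c 2 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# max_df_payload HOST [LO] [HI] -> prints the largest size in [LO, HI] that passes.
# Returns 1 if even LO fails (host down, ICMP filtered, or LO already too large).
max_df_payload() {
    host=$1 lo=${2:-500} hi=${3:-1472}
    probe_df "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop always makes progress
        if probe_df "$host" "$mid"; then
            lo=$mid                       # mid fits: the answer is mid or larger
        else
            hi=$(( mid - 1 ))             # mid is dropped: the answer is below mid
        fi
    done
    echo "$lo"
}

# tun_mtu_candidate SIZE [OVERHEAD] -> SIZE minus OVERHEAD.
# The default of 69 is the figure from Didier's answer, not a value measured here.
tun_mtu_candidate() {
    echo $(( $1 - ${2:-69} ))
}

# Runs only when PROBE_HOST is set, e.g.  PROBE_HOST=<endpoint address> sh probe.sh
if [ -n "${PROBE_HOST:-}" ]; then
    size=$(max_df_payload "$PROBE_HOST") || {
        echo "no reply even at the lower bound" >&2
        exit 1
    }
    echo "largest unfragmented ping size: $size"
    echo "tun-mtu $(tun_mtu_candidate "$size")"
fi
```

With the 1420-byte limit from the question this prints `tun-mtu 1351`; passing 40 as the second argument to `tun_mtu_candidate` reproduces the 1380 first tried with mssfix.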
