Wondering how to resolve TLS key negotiation failed error in OpenVPN? We can help you.
As part of our Server Management Services, we assist our customers with several OpenVPN queries.
Today, let us see how our Support techs resolve this error.
How to resolve TLS key negotiation failed error in OpenVPN?
First and foremost, to diagnose problems with an OpenVPN server or client, it is helpful to look at the log files.
Locating the server log files
The log files are located in specific areas on your computer systems.
Log files are the place to check whenever you’re having any problems making a connection with an OpenVPN client program to the OpenVPN Access Server.
On the OpenVPN Access Server there is the server side log:
/var/log/openvpnas.log
/var/log/openvpnas.node.log (in case of a failover setup)
If you are having problems starting the Access Server or certain portions of it, for example the web services, it may be useful to stop the Access Server service, move the log file aside, start the service again, and then stop it immediately.
This creates a new clean log file that contains the startup and shutdown sequence of the Access Server and no other extraneous information.
This makes analysis of the log file much easier.
To do so use these commands in order:
service openvpnas stop
mv /var/log/openvpnas.log /var/log/openvpnas.log.old
service openvpnas start
service openvpnas stop
You can then grab the /var/log/openvpnas.log file for analysis and start the Access Server again:
service openvpnas start
Locating the client log files
Log file location for the OpenVPN Connect Client for Windows:
C:\Program Files (x86)\OpenVPN Technologies\OpenVPN Client\etc\log\openvpn_(unique_name).log
The OpenVPN Connect Client for Mac:
/Library/Application Support/OpenVPN/log/openvpn_(unique_name).log
To get to the /Library folder, open Finder and in the menu at the top choose Go followed by Go to folder and then enter the path /Library to get into that directory.
You can then go to the correct folder and look up the log file.
Please also note that the OpenVPN Connect Client for Macintosh will have permissions set on the log file so that you cannot normally open it.
To bypass this, right click the log file and choose the Get info option in the menu.
Then at the bottom, under Sharing & Permissions, you will be able to use the yellow padlock icon to unlock the settings and to give everyone read access.
Then, you will be able to open the log file with a right click and selecting Open with and then choosing something like Text editor to view the contents of the log file.
TLS key negotiation failed error
The typical error looks like this:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
This particular error can have multiple different causes as it is a fairly generic error message.
A possible explanation is that the client program is old and supports only TLS 1.0, but the server is expecting TLS level 1.1 or higher.
To see if this is the case log on to the server and check the server side log file.
If you see messages like the following on the server side, the chances are high that your client program is an older version (2.2 or older) that does not know how to handle a modern TLS minimum level requirement:
OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting
The solution to this particular problem is to upgrade the client software to the latest version.
Another possible explanation is that the settings regarding TLS minimum requirement level have been altered but the OpenVPN client is using an older copy of the connection profile which has incorrect instructions.
The settings on the client and the server must match for the connection to be successful.
In this situation installing a new copy of the configuration profile will solve the issue.
A complete uninstall, redownload, and reinstall of the OpenVPN Connect Client should take care of that for you.
And yet another possible explanation is that there is a blockage in place in a firewall or at the Internet service provider that is blocking or interfering with the TLS handshake in some way.
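To make the server-side check less manual, here is a small triage script added for this article (it is not part of OpenVPN Access Server). It scans openvpnas.log for the error signatures quoted above and maps them to the three causes discussed; the sample log lines are constructed, and the rule that "no TLS activity at all" points at a firewall or provider block is an assumption based on the reasoning above, not an OpenVPN rule.

```python
import re
import sys
from collections import Counter

# Constructed sample of openvpnas.log lines (not a real capture); the message
# texts mirror the server-side signature quoted in the article.
SAMPLE_SERVER_LOG = """\
2024-01-01 10:00:01 [stdout] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2024-01-01 10:00:01 [stdout] TLS_ERROR: BIO read tls_read_plaintext error
2024-01-01 10:00:01 [stdout] TLS Error: TLS object -> incoming plaintext read error
2024-01-01 10:00:01 [stdout] TLS Error: TLS handshake failed
2024-01-01 10:00:01 [stdout] SIGUSR1[soft,tls-error] received, client-instance restarting
"""

# Regexes for the individual messages the article lists.
SIGNATURES = {
    "unknown_protocol": re.compile(r"SSL23_GET_CLIENT_HELLO:unknown protocol"),
    "plaintext_read_error": re.compile(r"tls_read_plaintext error|incoming plaintext read error"),
    "handshake_failed": re.compile(r"TLS Error: TLS handshake failed"),
    "tls_restart": re.compile(r"SIGUSR1\[soft,tls-error\]"),
}


def count_signatures(lines):
    """Count how often each known TLS error signature appears in the log."""
    counts = Counter()
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                counts[name] += 1
    return counts


def triage(lines):
    """Map the signature counts to one of the causes discussed in the article."""
    counts = count_signatures(lines)
    if counts["unknown_protocol"]:
        # Old client speaking TLS 1.0 (or a stale profile) against a server requiring TLS 1.1+
        verdict, advice = "client_too_old_or_tls_min_mismatch", "Upgrade the client and reinstall a fresh profile."
    elif counts["handshake_failed"] or counts["tls_restart"]:
        # Handshake reached the server but failed for another reason
        verdict, advice = "tls_handshake_failed_other", "Compare TLS settings in the profile with the server."
    else:
        # Assumption: nothing reached the server, so suspect a firewall or ISP block
        verdict, advice = "no_tls_activity_seen", "Check firewall/ISP path to the server."
    return {"verdict": verdict, "advice": advice, "counts": dict(counts)}


if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/openvpnas.log) or run on the built-in sample.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_LOG
    print(triage(src.splitlines()))
```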
Conclusion
In short, today we saw steps followed by our Support Techs to resolve TLS key negotiation failed error in OpenVPN.
It would be good to sniff packets a bit to verify what versions of TLS are in use by the client and the server. In many cases servers do not want to handshake with TLS v1.0 anymore. TLS 1.2 or 1.3 is an option to establish the session.