If the ping failed or the OpenVPN client initialization failed to complete, here is a checklist of common symptoms and their solutions:
- You get the error message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity). This error indicates that the client was unable to establish a network connection with the server.
- Make sure the client is using the correct hostname/IP address and port number which will allow it to reach the OpenVPN server.
- If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server's gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says: forward UDP port 1194 arriving on my public IP address to 192.168.4.4 (and its forwarding policy must permit the translated packets to pass; a DNAT rule alone is not enough if forwarding is denied by default).
- Open up the server's firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
- You get the error message: Initialization Sequence Completed with errors -- This error can occur on Windows if (a) you don't have the DHCP Client service running, or (b) you are using certain third-party personal firewalls on XP SP2.
Solution: Start the DHCP Client service and make sure that you are using a personal firewall which is known to work correctly on XP SP2.
- You get the Initialization Sequence Completed message but the ping test fails -- This usually indicates that a firewall on either server or client is blocking VPN network traffic by filtering on the TUN/TAP interface.
Solution: Disable the client firewall (if one exists) from filtering the TUN/TAP interface on the client. For example on Windows XP SP2, you can do this by going to Windows Security Center -> Windows Firewall -> Advanced and unchecking the box which corresponds to the TAP-Win32 adapter (disabling the client firewall from filtering the TUN/TAP adapter is generally reasonable from a security perspective, as you are essentially telling the firewall not to block authenticated VPN traffic; bear in mind that "authenticated" means any peer the server lets reach you over the VPN, not just the server itself). Also make sure that the TUN/TAP interface on the server is not being filtered by a firewall (having said that, note that selective firewalling of the TUN/TAP interface on the server side can confer certain security benefits. See the access policies section below).
- The connection stalls on startup when using a proto udp configuration, and the server log file shows this line:
TLS: Initial packet from x.x.x.x:x, sid=xxxxxxxx xxxxxxxx
but the client log does not show an equivalent line.
Solution: You have a one-way connection from client to server. The server-to-client direction is blocked by a firewall, usually on the client side. The firewall can be either (a) a personal software firewall running on the client, or (b) the NAT router gateway for the client. Modify the firewall to allow returning UDP packets from the server to reach the client. A stateful firewall or NAT normally admits the reply to an outbound UDP packet on its own; a stateless rule set must permit it explicitly.
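The two UDP symptoms above (the TLS key negotiation timeout, and a server log that shows "TLS: Initial packet" while the client sees nothing) can be separated with a small probe. The following Python script is an added example, not part of the OpenVPN HOWTO or of the OpenVPN code base: it sends one bare P_CONTROL_HARD_RESET_CLIENT_V2 packet (the packet that makes the server log "TLS: Initial packet from ...") and classifies the outcome. It assumes the server is not using tls-auth or tls-crypt; with either, the server silently drops the unauthenticated packet and the probe reports "no reply" even though the path is fine, so consult the server log in that case. The constructed_server_reply helper, the verdict strings and any host/port you pass are my own, not anything the HOWTO defines.

```python
"""Probe an OpenVPN UDP server with a bare P_CONTROL_HARD_RESET_CLIENT_V2
and interpret the reply (or the lack of one). Added example, not OpenVPN code."""
import os
import socket
import struct
from typing import Optional

# OpenVPN control-channel opcodes: the opcode occupies the top 5 bits of the
# first byte, the key_id the low 3 bits.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
P_CONTROL_HARD_RESET_SERVER_V2 = 8


def build_hard_reset_client(session_id: bytes, key_id: int = 0) -> bytes:
    """First packet a client sends when no tls-auth/tls-crypt key is in use.

    Layout: opcode/key_id (1) | session id (8) | ack array length (1, here 0)
            | message packet-id (4, here 0)
    """
    if len(session_id) != 8:
        raise ValueError("session id must be 8 bytes")
    header = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | (key_id & 0x07)])
    return header + session_id + b"\x00" + struct.pack("!I", 0)


def parse_control_packet(data: bytes) -> dict:
    """Parse the fixed control-channel header of an OpenVPN packet."""
    if len(data) < 10:
        raise ValueError("too short for a control packet")
    opcode, key_id = data[0] >> 3, data[0] & 0x07
    session_id = data[1:9]
    ack_len = data[9]
    off = 10
    acks = []
    for _ in range(ack_len):
        acks.append(struct.unpack("!I", data[off:off + 4])[0])
        off += 4
    remote_session_id = b""
    if ack_len:                       # remote session id is present only with acks
        remote_session_id = data[off:off + 8]
        off += 8
    if len(data) < off + 4:
        raise ValueError("truncated control packet")
    packet_id = struct.unpack("!I", data[off:off + 4])[0]
    return {"opcode": opcode, "key_id": key_id, "session_id": session_id,
            "acks": acks, "remote_session_id": remote_session_id,
            "packet_id": packet_id}


def diagnose(reply: Optional[bytes], our_sid: bytes) -> str:
    """Turn a reply (None on timeout) into the troubleshooting verdict."""
    if reply is None:
        return ("no reply: either the server never saw our packet (wrong host/port, "
                "missing port forward or firewall rule, or tls-auth dropping it) or "
                "the return path is blocked; check the server log for 'TLS: Initial packet'")
    pkt = parse_control_packet(reply)
    if pkt["opcode"] != P_CONTROL_HARD_RESET_SERVER_V2:
        return f"unexpected opcode {pkt['opcode']}"
    if pkt["remote_session_id"] != our_sid:
        return "reply does not acknowledge our session id"
    return "two-way UDP path confirmed: server answered with HARD_RESET_SERVER_V2"


def probe(host: str, port: int = 1194, timeout: float = 3.0) -> str:
    """Send one hard-reset and wait for the server's hard-reset reply."""
    sid = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_hard_reset_client(sid), (host, port))
        try:
            reply, _ = s.recvfrom(2048)
        except socket.timeout:
            reply = None
    return diagnose(reply, sid)


def constructed_server_reply(server_sid: bytes, client_sid: bytes) -> bytes:
    """Hand-built HARD_RESET_SERVER_V2 acking the client's packet 0 (constructed
    test data so the parser and verdict logic can be exercised offline)."""
    return (bytes([P_CONTROL_HARD_RESET_SERVER_V2 << 3]) + server_sid
            + b"\x01" + struct.pack("!I", 0) + client_sid + struct.pack("!I", 0))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 1194))
```

Run it from the client side against the public address and port the client config uses. A confirmed reply rules out both the reachability and the one-way cases; a timeout combined with a "TLS: Initial packet" line in the server log pins the fault on the return path, while a timeout with no such log line means the packet never arrived (check the hostname/port, the port forward and the server's firewall).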
See the FAQ for additional troubleshooting information.