ECONNRESET over VPN After WAN Failover

ccolotti

Hey all...So I am testing a failover WAN with VPN connectivity to my remote site. Everything works "except" some connectivity to PBS for sync jobs and monitoring API calls. Oddly I see the same on PVE but there is more information on the PBS side.

When the WAN failed over, the VPNs came up as expected. I can ping PBS, I can get the web UI port 8007, log in etc. All that is verifiable.

What is strange is a sync job fails with just this message:
Code:
2026-04-09T08:27:44-04:00: Starting datastore sync job 'PBS-VA:LOCAL:QNAP::s-ad005baa-b7be'
2026-04-09T08:27:44-04:00: sync datastore 'QNAP' to 'PBS-VA/LOCAL'
2026-04-09T08:27:54-04:00: queued notification (id=5640f5a5-ea83-4d9b-a57f-3fb0ac185293)
2026-04-09T08:27:54-04:00: TASK ERROR: client error (Connect)

And a monitoring job has this, which appears to be more information:

Code:
API Error: Client network socket disconnected before secure TLS connection was established
URL: https://172.16.100.4:8007/api2/json/nodes/localhost/tasks?errors=true&limit=100&since=1774445616707
Raw Error:
{
    "code": "ECONNRESET",
    "path": null,
    "host": "172.16.100.4",
    "port": 8007
}

Between the two I cannot tell what would be different after WAN failover when all the VPN routes remain the same before and after. The fact I can access the remote side on all aspects to manage it also has me puzzled. The second one seems to indicate the connection is just being killed out of the gate, but the source IP of the local PBS is unchanged after WAN failover and the traffic inside the site to site VPN should be the same regardless of the WAN making the remote connection.

This is the only issue after WAN failover I need to sort out but I am really puzzled...

Both local and remote are on PBS 4.1.6 as well and I also rebooted them both for good measure.
 
I failed back to the primary WAN on Comcast and sync jobs execute fine....fail back to Verizon WAN and they fail with the client error...I'm going a little mad seeing as the VPN tunnel is the same under the WAN connections.
 
Okay, this is even more odd. The PBS server has a valid cert from Let's Encrypt on it as well...

I am stumped why there can't be a handshake on the same VPN tunnel with just a different WAN port making the VPN termination.

On WAN2 this is a basic curl response:
Code:
root@PBS-TN:~# curl -v https://pbs.ovh.stitchtek.net:8007
* Host pbs.ovh.stitchtek.net:8007 was resolved.
* IPv6: (none)
* IPv4: 172.16.100.4
*   Trying 172.16.100.4:8007...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS alert, decode error (562):
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
* closing connection #0
curl: (35) TLS connect error: error:0A000126:SSL routines::unexpected eof while reading

But this is the reply on WAN1:
Code:
root@PBS-TN:~# curl -v https://pbs.ovh.stitchtek.net:8007
* Host pbs.ovh.stitchtek.net:8007 was resolved.
* IPv6: (none)
* IPv4: 172.16.100.4
*   Trying 172.16.100.4:8007...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=pbs.ovh.stitchtek.net
*  start date: Apr  9 17:56:12 2026 GMT
*  expire date: Jul  8 17:56:11 2026 GMT
*  subjectAltName: host "pbs.ovh.stitchtek.net" matched cert's "pbs.ovh.stitchtek.net"
*  issuer: C=US; O=Let's Encrypt; CN=R13
*  SSL certificate verify ok.
*   Certificate level 0: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to pbs.ovh.stitchtek.net (172.16.100.4) port 8007
* using HTTP/1.x
> GET / HTTP/1.1
> Host: pbs.ovh.stitchtek.net:8007
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
< content-type: text/html
< content-length: 2202
< date: Thu, 09 Apr 2026 19:51:17 GMT
<
<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
    <title>PBS-VA - Proxmox Backup Server</title>
    <link rel="icon" sizes="128x128" href="/images/logo-128.png" />
    <link rel="apple-touch-icon" sizes="128x128" href="/pve2/images/logo-128.png" />
    <link rel="stylesheet" type="text/css" href="/extjs/theme-crisp/resources/theme-crisp-all.css" />
    <link rel="stylesheet" type="text/css" href="/extjs/crisp/resources/charts-all.css" />
    <link rel="stylesheet" type="text/css" href="/fontawesome/css/font-awesome.css" />
    <link rel="stylesheet" type="text/css" href="/widgettoolkit/css/ext6-pmx.css" />
    <link rel="stylesheet" type="text/css" href="/css/ext6-pbs.css" />    <link rel="stylesheet" type="text/css" media="(prefers-color-scheme: dark)" href="/widgettoolkit/themes/theme-proxmox-dark.css" />    <script type='text/javascript'>
        function gettext(message) { return message; }
        function ngettext(singular, plural, count) { return count === 1 ? singular : plural; }
    </script>
    <script type="text/javascript" src="/extjs/ext-all.js"></script>
    <script type="text/javascript" src="/extjs/charts.js"></script>
    <script type="text/javascript">
    Proxmox = {
        Setup: { auth_cookie_name: 'PBSAuthCookie' },
        NodeName: "PBS-VA",
        UserName: "",
        defaultLang: "",
        CSRFPreventionToken: "",
        consentText: "",
    };
    </script>
    <script type="text/javascript" src="/widgettoolkit/proxmoxlib.js"></script>
    <script type="text/javascript" src="/extjs/locale/locale-en.js"></script>
    <script type="text/javascript">
      Ext.History.fieldid = 'x-history-field';
    </script>
    <script type="text/javascript" src="/qrcodejs/qrcode.min.js"></script>
    <script type="text/javascript" src="/js/proxmox-backup-gui.js"></script>
  </head>
  <body>
    <!-- Fields required for history management -->
    <form id="history-form" class="x-hidden">
      <input type="hidden" id="x-history-field"/>
    </form>
  </body>
</html>
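
Added example (not part of the original post, and not Proxmox or curl code): a small Python parser that reduces `curl -v` traces like the two above to the point where the TLS handshake stopped, so the WAN1 and WAN2 results can be compared from a script. The function names and status labels are invented for this illustration, and the embedded traces are abridged from the post.

```python
import re

# curl -v TLS trace line, e.g. "* TLSv1.3 (IN), TLS handshake, Server hello (2):"
TLS_LINE = re.compile(r"^\*\s+TLSv[\d.]+ \((IN|OUT)\), TLS ([a-z ]+), (.+?) \(\d+\):")
# Summary line curl prints once the handshake has completed.
USING = re.compile(r"^\*\s+SSL connection using (.+)$")

def parse_trace(text):
    """Return (direction, record_type, message) tuples from curl -v output."""
    events = []
    for line in text.splitlines():
        m = TLS_LINE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def negotiated(text):
    """Return the negotiated parameters as a list, or None if never reached."""
    for line in text.splitlines():
        m = USING.match(line.strip())
        if m:
            return [p.strip() for p in m.group(1).split("/")]
    return None

def classify(text):
    """Name the point at which the handshake stopped (labels are illustrative)."""
    events = parse_trace(text)
    if ("OUT", "handshake", "Client hello") not in events:
        return "no-client-hello"      # failed before TLS started
    if not any(direction == "IN" for direction, _, _ in events):
        return "no-server-reply"      # ClientHello sent, no TLS record came back
    done = {d for d, rec, msg in events if rec == "handshake" and msg == "Finished"}
    return "handshake-complete" if done == {"IN", "OUT"} else "handshake-partial"

# Abridged copies of the two traces posted above.
WAN2_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (OUT), TLS alert, decode error (562):
* TLS connect error: error:0A000126:SSL routines::unexpected eof while reading
"""
WAN1_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
"""

if __name__ == "__main__":
    for name, trace in (("WAN2", WAN2_TRACE), ("WAN1", WAN1_TRACE)):
        print(name, classify(trace), negotiated(trace))
```

The only TLS records in the WAN2 trace are outbound, which is why it classifies as `no-server-reply`; the alert on the second line is one curl sent itself after the connection hit EOF.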