Hi everyone,
I’m running into a very strange networking/TLS issue on my Proxmox host and getting extremely infuriated - I’m looking for suggestions on what to test next.
The main symptom is that large HTTPS downloads fail with TLS/decryption errors such as:
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [20]: Bad record MAC
Unable to establish SSL connection.
Example on the Proxmox host:
wget -4 https://proof.ovh.net/files/1Gb.dat -O /tmp/1Gb.dat
This usually fails randomly after some amount of data has transferred (Sometimes if I get very lucky it will complete):
Read error at byte XXXXX/1073741824 (Decryption has failed.). Retrying.<br>GnuTLS: received alert [20]: Bad record MAC<br>
The same type of issue also happens inside a Fedora VM on the same Proxmox host. In the VM, I’ve seen similar errors from wget, curl, and Java/Fabric Minecraft server downloads:
curl: (56) OpenSSL SSL_read: OpenSSL/3.5.5: error:1C800066rovider routines::cipher operation failed<br>javax.net.ssl.SSLException: bad_record_mac<br>javax.crypto.AEADBadTagException: Tag mismatch<br>
This seems to happen specifically with sustained encrypted transfers. Smaller requests, ping, SSH, and basic connectivity generally work.
System details:
Proxmox VE host
Kernel: Linux 7.0.2-3-pve
Hardware: Dell Optiplex 5060
CPU: Intel i7-8700
RAM: 16GB DDR4
NIC: Intel Corporation Ethernet Connection (7) I219-V - Driver: e1000e - Interface: nic0 bridged to vmbr0
NIC details:
Speed: 1000Mb/s - Duplex: Full - Auto-negotiation: on - Link detected: yes - Flow Control: Rx/Tx
Interface counters look clean:
rx_errors: 0<br>tx_errors: 0<br>rx_crc_errors: 0<br>rx_frame_errors: 0<br>rx_missed_errors: 0<br>tx_timeout_count: 0<br>rx_csum_offload_errors: 0<br>
MTU is normal:
nic0 mtu 1500<br>vmbr0 mtu 1500<br>
Things I have tested so far:
This makes me suspect the issue is local to the Proxmox host/server NIC rather than the router/cable path.
This may have improved things temporarily on the host, but the issue has not been consistently resolved.
I also checked for obvious MCE/EDAC/hardware errors and did not see anything clearly pointing to RAM failure.
Relevant commands/results:
ethtool -S nic0 | grep -Ei "err|drop|crc|timeout|miss|coll|fault|reset"<br>
Shows all zero for the obvious error counters.
dmesg | grep -iE "nic0|enp0s31f6|i219|e1000e|reset|link|error|crc|timeout"<br>
Shows normal e1000e initialization and link up at 1000 Mbps full duplex.
Current theory:
At this point, I suspect the onboard Intel I219-V NIC, the e1000e driver path, EEE/flow-control/offload behaviour, or some host-side networking issue. The fact that another laptop works on the same Ethernet path makes me think it is probably not the router anymore.
Things I plan to try next:
Has anyone seen an Intel I219-V / e1000e NIC on Proxmox cause TLS corruption / Bad Record MAC errors during sustained HTTPS downloads, even while NIC error counters remain clean?
Any suggestions for additional tests, driver/kernel parameters, ethtool settings, or Proxmox networking checks would be appreciated.
I’m running into a very strange networking/TLS issue on my Proxmox host and getting extremely infuriated - I’m looking for suggestions on what to test next.
The main symptom is that large HTTPS downloads fail with TLS/decryption errors such as:
GnuTLS: A TLS fatal alert has been received.
GnuTLS: received alert [20]: Bad record MAC
Unable to establish SSL connection.
Example on the Proxmox host:
wget -4 https://proof.ovh.net/files/1Gb.dat -O /tmp/1Gb.dat
This usually fails randomly after some amount of data has transferred (Sometimes if I get very lucky it will complete):
Read error at byte XXXXX/1073741824 (Decryption has failed.). Retrying.<br>GnuTLS: received alert [20]: Bad record MAC<br>
The same type of issue also happens inside a Fedora VM on the same Proxmox host. In the VM, I’ve seen similar errors from wget, curl, and Java/Fabric Minecraft server downloads:
curl: (56) OpenSSL SSL_read: OpenSSL/3.5.5: error:1C800066rovider routines::cipher operation failed<br>javax.net.ssl.SSLException: bad_record_mac<br>javax.crypto.AEADBadTagException: Tag mismatch<br>
This seems to happen specifically with sustained encrypted transfers. Smaller requests, ping, SSH, and basic connectivity generally work.
System details:
Proxmox VE host
Kernel: Linux 7.0.2-3-pve
Hardware: Dell Optiplex 5060
CPU: Intel i7-8700
RAM: 16GB DDR4
NIC: Intel Corporation Ethernet Connection (7) I219-V - Driver: e1000e - Interface: nic0 bridged to vmbr0
NIC details:
Speed: 1000Mb/s - Duplex: Full - Auto-negotiation: on - Link detected: yes - Flow Control: Rx/Tx
Interface counters look clean:
rx_errors: 0<br>tx_errors: 0<br>rx_crc_errors: 0<br>rx_frame_errors: 0<br>rx_missed_errors: 0<br>tx_timeout_count: 0<br>rx_csum_offload_errors: 0<br>
MTU is normal:
nic0 mtu 1500<br>vmbr0 mtu 1500<br>
Things I have tested so far:
- Replaced the router
I was originally using an old Netgear R6400. I replaced it with an ASUS RT-AX1800S. The issue still happens on the Proxmox host. - Tested another device on the same Ethernet path
A Windows laptop connected to the same Ethernet setup was able to download the same 1GB test file successfully using:
This makes me suspect the issue is local to the Proxmox host/server NIC rather than the router/cable path.
- Tested Proxmox host directly
The issue happens on the Proxmox host itself, not only inside VMs.
- Tested inside Fedora VM
The Fedora VM also fails with similar TLS errors, which makes sense if the host networking path is already affected.
- Disabled Proxmox VM firewall
I disabled the Proxmox firewall checkbox on the VM NIC to remove the fwbr/fwpr/fwln firewall bridge path. This did not resolve the issue.
- Tried different VM NIC models
I tested Intel E1000 and VirtIO in the VM. The issue still appeared, although the Proxmox host itself failing suggests the VM NIC model is not the root cause.
- Checked MTU
MTU is 1500 on the Proxmox physical NIC, vmbr0, and client machines.
- Checked dmesg
I don’t see obvious NIC reset spam or CRC errors. The NIC comes up normally:
- Tested EEE
I tried disabling Energy Efficient Ethernet:
This may have improved things temporarily on the host, but the issue has not been consistently resolved.
- Try disabling flow control:
- Considered RAM instability
RAM is running at 2666 MT/s, not XMP/overclocked:
I also checked for obvious MCE/EDAC/hardware errors and did not see anything clearly pointing to RAM failure.
Relevant commands/results:
ethtool -S nic0 | grep -Ei "err|drop|crc|timeout|miss|coll|fault|reset"<br>
Shows all zero for the obvious error counters.
dmesg | grep -iE "nic0|enp0s31f6|i219|e1000e|reset|link|error|crc|timeout"<br>
Shows normal e1000e initialization and link up at 1000 Mbps full duplex.
Current theory:
At this point, I suspect the onboard Intel I219-V NIC, the e1000e driver path, EEE/flow-control/offload behaviour, or some host-side networking issue. The fact that another laptop works on the same Ethernet path makes me think it is probably not the router anymore.
Things I plan to try next:
- Test with a USB 3.0 gigabit Ethernet adapter to bypass the onboard Intel I219-V NIC entirely
- If the USB NIC works, move the Proxmox bridge from the onboard NIC to the USB NIC.
- If the USB NIC does not work, run a longer memory test and investigate host/kernel issues further.
Has anyone seen an Intel I219-V / e1000e NIC on Proxmox cause TLS corruption / Bad Record MAC errors during sustained HTTPS downloads, even while NIC error counters remain clean?
Any suggestions for additional tests, driver/kernel parameters, ethtool settings, or Proxmox networking checks would be appreciated.
