nRF54LM20 MbedTLS: Failed to connect: -113

Ashlin · January 21, 2026, 10:38pm

Description

To get the nrf54LM20 runing there are two Kconfig settings you need to add:

CONFIG_MBEDTLS_LEGACY_CRYPTO_C=y
CONFIG_MBEDTLS_HEAP_SIZE=49152 # Should this be larger?

Expected Behavior

The default value for CONFIG_MBEDTLS_HEAP_SIZE is 10240, this is evidently not enough heap space. This will give these unhelpful errors:

<err> net_sock_tls: TLS handshake error: -0x5180
<err> golioth_coap_client_zephyr: Failed to connect to socket: -113
<err> golioth_coap_client_zephyr: Failed to connect: -113
<wrn> golioth_coap_client_zephyr: Failed to connect: -113

(May also get)
<err> golioth_coap_client_zephyr: Failed to connect to socket: -12
<err> golioth_coap_client_zephyr: Failed to connect: -12
<wrn> golioth_coap_client_zephyr: Failed to connect: -12

CONFIG_MBEDTLS_HEAP_SIZE=49152 resolved these errors.
Note: I don’t know how close this is to the edge of not working. It may be prudent to allocate even more. Checking the nrf Kconfigs it it set to 15k if CONFIG_OPENTHREAD_NRF_SECURITYis set.

Actual Behavior

One would hope that MbedTLS would be able to detect heap exhaustion. It will if you try set CONFIG_MBEDTLS_HEAP_SIZE=256. But it’s having issues in this case.

Environment

Linux
Nrf SDK 3.2.1
Toolchain 3.2.0
Golioth: v0.22.0

Logs and Console Output

For more debug info you can enable these settings:

# --- Logging ---
CONFIG_LOG=y
CONFIG_LOG_BLOCK_IN_THREAD=y
CONFIG_LOG_BUFFER_SIZE=65536
CONFIG_NET_LOG=y
CONFIG_NET_PKT_LOG_LEVEL_WRN=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
CONFIG_TLS_CREDENTIALS_LOG_LEVEL_DBG=y
CONFIG_NET_SOCKETS_LOG_LEVEL_INF=y
CONFIG_DNS_RESOLVER_LOG_LEVEL_INF=y
CONFIG_COAP_LOG_LEVEL_INF=y
CONFIG_NET_L2_PPP_LOG_LEVEL_INF=y
CONFIG_NET_BUF_LOG_LEVEL_INF=y
CONFIG_NET_UDP_LOG_LEVEL_INF=y
CONFIG_GOLIOTH_LOG_LEVEL_INF=y
CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_DEBUG_C=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_MBEDTLS_DEBUG_LEVEL=4

marko · January 22, 2026, 12:34pm

Hey @Ashlin,

Thanks for writing this up, the logs match what we typically see when MbedTLS runs out of heap during the handshake (the -0x5180 / -113 combo is especially opaque).

Re: CONFIG_MBEDTLS_HEAP_SIZE: 10k is definitely on the low side for a full TLS handshake. If 49,152 is stable for you, that’s a great data point. Whether it needs to be larger depends on what else is enabled. Also, depending on how allocations fail and how the error propagates through the socket/TLS layers, you don’t always get a clean “out of memory” signal, it often surfaces as a generic handshake error, which is what you’re seeing here.

I’d treat ~50 KB as a reasonable starting point to get the connection up reliably on this platform, then trim it down in steps until it fails and keep some safety margin. It’s worth validating both debug and release configs, since extensive MbedTLS debug can change memory behavior.