
VPN Gateway: Troubleshoot SSL-VPN connection issues

Last Updated: Jan 26, 2024

If you encounter issues when you use SSL-VPN connections, you can check the logs of SSL-VPN clients or the logs of SSL-VPN connections in the VPN Gateway console to troubleshoot the issues.

Background Information

This topic describes common SSL-VPN connection issues and how to troubleshoot them. The log file locations for each client operating system are listed first; the issues, the log keywords that identify them, and the fixes are described in the Common SSL-VPN connection issues and troubleshooting section of this topic.

Directories of log files for SSL-VPN clients

The directory that stores the log file of an SSL-VPN client depends on the operating system of the client and on the VPN application installed on it. The following table lists the default log file locations.

Note

If you specify a custom directory to store the log file when you install the VPN application, you can find the log file in the specified directory.

Operating system and default directory of the log file for the SSL-VPN client:

  • Linux client with OpenVPN installed: /var/log/openvpn.log

  • Windows client with OpenVPN installed: by default, the log file is stored in the log folder of the directory in which OpenVPN is installed. Example: C:\Users\User\OpenVPN\log.

  • macOS client with Tunnelblick installed: /Library/Application Support/Tunnelblick/Logs

  • macOS client with OpenVPN installed: /Library/Application Support/OpenVPN/log/connection_name.log

Common SSL-VPN connection issues and troubleshooting

After you obtain the logs of an SSL-VPN connection, search them for the keywords listed below to identify the issue. Each entry gives the category of the issue, its cause, the keywords that appear in the log, and the troubleshooting method. Some keywords, such as "TLS Error: TLS handshake failed" and "TCP/UDP: Closing socket", appear under more than one category, so read the surrounding log lines before settling on a cause.

Network connection failure

Cause: The network communication is abnormal.

Keywords in the log:

  • network is unreachable

  • TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

  • TLS Error: TLS handshake failed

Troubleshooting method:

  1. Run the ping or mtr command on your client against the public IP address of the VPN gateway to check the quality of the Internet connection.

    • If the Internet connection is poor, for example because of high latency or high packet loss, contact your Internet service provider (ISP) to troubleshoot the issue.

    • If the network connectivity is normal, check whether the connection information about the client can be found in the logs of the SSL server.

      If it cannot be found, change the port used by the SSL server, redownload the SSL client certificate, and then install the certificate on the client.

  2. Change the protocol used by the SSL server to TCP for higher reliability.

    If you use the SSL-VPN connection for long-distance communication, such as between US (Silicon Valley) and Singapore, and the connectivity issue persists after you change the protocol to TCP, we recommend that you use Cloud Enterprise Network (CEN) and Smart Access Gateway to connect your client to the virtual private cloud (VPC).

  3. If multiple VPN applications are installed on your client, use only one of them to create SSL-VPN connections.

  4. Restart the client or reinstall the VPN application on the client.

Protocol or port number mismatch

Cause: The client and SSL server use different protocols or ports.

Keywords in the log:

  • MANAGEMENT: >STATE:1676379239,TCP_CONNECT,,,,,,

  • TCP: connect to [AF_INET]*.*.*.*:1194 failed: Unknown error

Troubleshooting method: Check the protocol and port configured on the SSL server, then redownload the SSL client certificate and install it on the client so that the client uses the current protocol and port. If the server was changed after the certificate was downloaded, the old client configuration still dials the previous protocol and port.

Excessive connections

Cause: The number of SSL-VPN connections exceeds the upper limit.

Keyword in the log: MANAGEMENT: >STATE:1676370715,WAIT,,,,,

Troubleshooting method:

  1. Check whether the number of SSL clients that connect to the VPN gateway exceeds the upper limit.

    • If the upper limit is exceeded, increase the maximum number of connections supported by the VPN gateway.

    • If the upper limit is exceeded but you do not want to increase it, disconnect the clients that you no longer need. Resources are released 5 minutes after a client disconnects.

  2. Change the protocol of the SSL server to TCP, redownload the SSL client certificate, and then install the certificate on the client.

    TCP connections are more reliable, and this prevents stale UDP sessions from occupying the connection quota.

Certificate expiration

Cause: The SSL client certificate has expired.

Keyword in the log: VERIFY ERROR: certificate has expired

Troubleshooting method:

  1. Check the validity period of the SSL client certificate.

    The default validity period of the SSL client certificate is three years.

  2. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

    You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.

Certificate configuration error

Cause: The certificate configuration is invalid, typically because a ca, cert, or key file referenced in the client configuration is missing from the directory in which the configuration is installed.

Keywords in the log:

  • Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)

  • Options error: --cert fails with 'vsc-****.crt': No such file or directory (errno=2)

  • WARNING: cannot stat file 'vsc-****.key': No such file or directory (errno=2)

  • Options error: --key fails with 'vsc-****.key'

  • Options error: Please correct these errors.

Troubleshooting method: Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

Incompatible VPN application versions

Cause: The version of the VPN application installed on the client is incompatible with the Alibaba Cloud SSL server.

Keywords in the log:

  • Data Channel Offload doesn't support DATA_V1 packets

  • Upgrade your server to

  • suggesting an upgrade to the server version

Troubleshooting method: Uninstall the existing VPN application from the client and install the version that is compatible with the SSL server. For more information, see the "Step 4: Configure the client" section of the Connect a client to a VPC topic.

Insufficient IP addresses

Cause: The client CIDR block configured on the SSL server cannot provide sufficient IP addresses.

Keyword in the log: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

Troubleshooting method: Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway. For more information, see Create an SSL server.

For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a /30 subnet out of it, such as 192.168.0.4/30. A /30 contains four IP addresses: one is allocated to the client, and the other three (the network address, the server-side tunnel endpoint, and the broadcast address) are used to keep the point-to-point link working. One client therefore consumes four IP addresses. To guarantee that every client can be allocated an address, the client CIDR block must contain at least four times as many IP addresses as the maximum number of SSL-VPN connections supported by the associated VPN gateway.
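The sizing rule above can be checked before you create or resize the SSL server. The following Python script is an added example and not Alibaba Cloud code; it assumes that every client consumes one /30 exactly as described above, and it labels the four addresses of each /30 using OpenVPN's net30 layout (network, server-side endpoint, client, broadcast), which is an assumption about how the SSL server allocates them.

```python
import ipaddress

# Added example (not Alibaba Cloud code): size an SSL server client CIDR block
# under the rule that every SSL-VPN client consumes one /30 (four addresses).
ADDRS_PER_CLIENT = 4


def max_clients(client_cidr: str) -> int:
    """Number of /30 subnets, one per client, that fit in the client CIDR block."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    if net.version != 4:
        raise ValueError("client CIDR block must be IPv4")
    return net.num_addresses // ADDRS_PER_CLIENT


def minimum_prefix_for(max_connections: int) -> int:
    """Longest IPv4 prefix whose address count is at least 4 * max_connections."""
    if max_connections < 1:
        raise ValueError("max_connections must be positive")
    needed = ADDRS_PER_CLIENT * max_connections
    prefix = 32
    while (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def check_client_cidr(client_cidr: str, max_connections: int) -> dict:
    """Report whether client_cidr can serve max_connections concurrent clients."""
    capacity = max_clients(client_cidr)
    return {
        "client_cidr": client_cidr,
        "max_connections": max_connections,
        "client_capacity": capacity,
        "sufficient": capacity >= max_connections,
        "minimum_prefix": minimum_prefix_for(max_connections),
    }


def client_subnets(client_cidr: str, count: int) -> list:
    """First `count` /30 blocks carved from client_cidr, with the role of each
    address in OpenVPN's net30 layout (assumed here to be what the SSL server
    uses): network, server-side endpoint, client address, broadcast."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    result = []
    for sub in net.subnets(new_prefix=30):
        if len(result) == count:
            break
        a = list(sub)  # the four addresses of the /30, lowest first
        result.append({
            "subnet": str(sub),
            "network": str(a[0]),
            "server_endpoint": str(a[1]),
            "client": str(a[2]),
            "broadcast": str(a[3]),
        })
    return result


if __name__ == "__main__":
    # Constructed inputs: a /24 client block for a gateway that allows 50 connections.
    print(check_client_cidr("192.168.0.0/24", 50))
    for s in client_subnets("192.168.0.0/24", 2):
        print(s)
```

check_client_cidr returns the client capacity and the longest prefix that still satisfies the 4x rule: a /24 client block (64 clients) covers a gateway limited to 50 connections, while a /26 (16 clients) does not cover 20 and would need a /25. Leave headroom rather than sizing exactly to the rule; stock OpenVPN's net30 topology also reserves the first /30 of the pool for the server's own tunnel endpoint.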

Encryption algorithm mismatch

Cause: The SSL server and client use different TLS cipher suites and no matching encryption algorithm can be found.

Keywords in the log:

  • TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.

  • OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Troubleshooting method: Install the VPN application recommended by VPN Gateway on your client. For more information, see the "Step 4: Configure the client" section of the Connect a client to a VPC topic.

Inconsistent encryption algorithms

Cause: The encryption algorithm configured in the client configuration differs from the one configured on the SSL server.

Keyword in the log: Authenticate/Decrypt packet error: cipher final failed

Troubleshooting method: Check whether the encryption algorithm of the SSL client certificate installed on the client matches that of the SSL server.

If they differ, delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

  • The encryption algorithm used by the client is specified by the cipher field in the config.ovpn file.

  • To view the encryption algorithm of the SSL server: go to the SSL Servers page in the VPN Gateway console, find the SSL server that you want to manage, and click Details in the Actions column. The encryption algorithm is shown on the details page of the SSL server.
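Several of the entries above (protocol or port number mismatch, certificate configuration error, inconsistent encryption algorithms) come down to the downloaded config.ovpn disagreeing with the SSL server or with the files installed next to it. The following Python script is an added example, not part of this page or of any Alibaba Cloud tool: it parses a client profile, compares the remote port, protocol and cipher field with the values read from the SSL server details page, and checks that the ca, cert and key files exist. The server settings dict, the file names (vsc-example.crt and so on) and the sample profile are constructed for the demonstration.

```python
import os
import shlex
import tempfile

# Added example (not Alibaba Cloud code): pre-flight check of a downloaded
# config.ovpn against the SSL server settings shown in the VPN Gateway console.


def parse_ovpn(text: str) -> dict:
    """Map each top-level OpenVPN directive to its argument list. Inline
    <ca>...</ca>-style blocks are recorded as name -> ["<inline>"] so the
    caller knows no external file is referenced."""
    directives = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:            # inside <tag> ... </tag>, skip the payload
            if line == f"</{inline}>":
                inline = None
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            directives[inline] = ["<inline>"]
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def _proto_family(value: str) -> str:
    """Reduce udp/udp4/tcp-client/tcp6-client and friends to 'udp' or 'tcp'."""
    return value.lower()[:3]


def preflight(config_text: str, config_dir: str, server: dict) -> list:
    """Return (code, detail) findings. `server` holds the console values, e.g.
    {"proto": "UDP", "port": 1194, "cipher": "AES-128-CBC"} (constructed)."""
    d = parse_ovpn(config_text)
    findings = []

    # Protocol or port number mismatch: the client must dial what the server listens on.
    remote = d.get("remote", [])
    port = int(remote[1]) if len(remote) > 1 else int(d.get("port", ["1194"])[0])
    proto = remote[2] if len(remote) > 2 else d.get("proto", ["udp"])[0]
    if _proto_family(proto) != _proto_family(server["proto"]):
        findings.append(("PROTO_MISMATCH", f"client {proto} vs server {server['proto']}"))
    if port != int(server["port"]):
        findings.append(("PORT_MISMATCH", f"client {port} vs server {server['port']}"))

    # Inconsistent encryption algorithms: the cipher field must match the server.
    cipher = d.get("cipher", [None])[0]
    if cipher is None or cipher.upper() != server["cipher"].upper():
        findings.append(("CIPHER_MISMATCH", f"client {cipher} vs server {server['cipher']}"))

    # Certificate configuration error: --ca/--cert/--key must point at files that exist.
    for name in ("ca", "cert", "key"):
        args = d.get(name)
        if not args:
            findings.append(("MISSING_DIRECTIVE", name))
            continue
        if args[0] == "<inline>":
            continue
        path = args[0] if os.path.isabs(args[0]) else os.path.join(config_dir, args[0])
        if not os.path.isfile(path):
            findings.append(("MISSING_FILE", f"--{name} {args[0]}"))
    return findings


def demo() -> list:
    """Run preflight on a constructed profile in a temporary directory where
    only ca.crt exists; returns the finding codes in order."""
    sample = (
        "client\n"
        "dev tun\n"
        "proto udp\n"
        "remote 203.0.113.10 1194\n"      # constructed address
        "cipher AES-256-CBC\n"
        "ca ca.crt\n"
        "cert vsc-example.crt\n"          # hypothetical file names
        "key vsc-example.key\n"
    )
    server = {"proto": "TCP", "port": 1194, "cipher": "AES-128-CBC"}
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "ca.crt"), "w").close()
        return [code for code, _ in preflight(sample, tmp, server)]


if __name__ == "__main__":
    print(demo())
```

Run the script from the directory that holds the installed configuration, or pass that directory as config_dir, because OpenVPN resolves the ca, cert and key paths relative to the profile. A PROTO_MISMATCH or PORT_MISMATCH finding means the profile predates a change to the SSL server and must be redownloaded; a CIPHER_MISMATCH finding corresponds to the "cipher final failed" row; MISSING_FILE findings correspond to the "--ca fails with" family of errors.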

Packet ID conflict

Cause: The network connection is unstable, or the encryption algorithm of the SSL server is set to none.

Keyword in the log: Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Troubleshooting method:

  1. Change the protocol used by the SSL server to TCP for higher reliability.

  2. Check whether the Encryption Algorithm of the SSL server is set to none. If it is, we recommend that you set the Encryption Algorithm parameter to AES-128-CBC, AES-192-CBC, or AES-256-CBC.

  3. After you modify the configuration of the SSL server, delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

Time synchronization issue

Cause: SSL certificate verification fails, or the clock difference between the client and the SSL server exceeds 10 minutes.

Keywords in the log:

  • OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

  • TLS_ERROR: BIO read tls_read_plaintext error

  • TLS Error: TLS object -> incoming plaintext read error

  • TLS Error: TLS handshake failed

Troubleshooting method:

  1. The time difference between the client and the SSL server cannot exceed 10 minutes. Synchronize the client clock with a reliable time source, such as an NTP server, rather than setting it by hand.

  2. Check the validity period of the SSL client certificate.

    The default validity period of the SSL client certificate is three years.

Certificate verification failure

Cause: The SSL certificate verification fails.

Keyword in the log: No server certificate verification method has been enabled

Troubleshooting method:

  1. Check the validity period of the SSL client certificate.

    The default validity period of the SSL client certificate is three years.

  2. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

    You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.

Two-factor authentication failure

Cause: The two-factor authentication fails.

Keywords in the log:

  • AUTH: Received control message: AUTH_FAILED

  • TCP/UDP: Closing socket

  • SIGUSR1[soft,auth-failure] received, process restarting

  • MANAGEMENT: >STATE:1676381342,RECONNECTING,auth-failure,,,,,

Troubleshooting method:

  1. Check whether the username and password that you enter are valid.

  2. Check whether the account exists on the Identity as a Service (IDaaS) instance, whether the account has been disabled on the IDaaS instance, and whether the IDaaS instance has expired. For more information, see What is IDaaS?

    If the issue is not caused by the IDaaS instance, use another account to connect to the service.

  3. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.

    You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.

TAP adapter missing

Cause: The Windows client does not have a TAP virtual Ethernet adapter, or all of its TAP adapters are already in use.

Keywords in the log:

  • There are no TAP-Windows adapters on this system. You should be able to create a TAP

  • CreateFile failed on TAP device

  • All TAP-Win32 adapters on this system are currently in use

Troubleshooting method:

  1. Check whether you selected TAP Virtual Ethernet Adapter when you installed OpenVPN.

    If you did not select the option, create a TAP virtual Ethernet adapter or reinstall OpenVPN.

  2. Close OpenVPN. Then, run OpenVPN as an administrator.

Disabled ovpnagent program

Cause: The ovpnagent helper program of OpenVPN Connect on a macOS client is not running.

Keyword in the log: Transport Error: socket_protect error

Troubleshooting method:

  1. Run the following command in the terminal of the client to start the ovpnagent program:

    /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent

  2. If you use a macOS client, we recommend that you use Tunnelblick to create SSL-VPN connections.

Frequent client reconnection

Cause: The client repeatedly disconnects and automatically reconnects to the server.

Keywords in the log:

  • Connection reset, restarting [-1]

  • SIGUSR1[soft,connection-reset] received, client-instance restarting

  • TCP/UDP: Closing socket

Troubleshooting method:

  1. Check whether the client restarted or reconnected at the points in time shown in the logs.

  2. Check the validity period of the SSL client certificate.

    The default validity period of the SSL client certificate is three years.

  3. Check the system time of the client.

    The time difference between the client and the SSL server cannot exceed 10 minutes. Synchronize the client clock with a reliable time source, such as an NTP server.
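To turn the keyword table above into a first-pass triage tool, the following Python script (an added example, not Alibaba Cloud code) searches a client log for each keyword and ranks the matching categories. Keywords that the table lists under more than one category, such as "TLS Error: TLS handshake failed", count fractionally toward each, so a category hit by a keyword unique to it ranks higher. The session timestamps were removed from the MANAGEMENT: >STATE: keywords so that they match any session; the sample log lines are constructed.

```python
from collections import Counter

# Added example (not Alibaba Cloud code): rank the troubleshooting categories
# of this page against an OpenVPN client log. Keyword strings follow the table;
# MANAGEMENT state keywords are reduced to the state name so any session matches.
KEYWORDS = {
    "Network connection failure": [
        "network is unreachable",
        "TLS key negotiation failed to occur within 60 seconds",
        "TLS Error: TLS handshake failed",
    ],
    "Protocol or port number mismatch": [",TCP_CONNECT,", "failed: Unknown error"],
    "Excessive connections": [",WAIT,"],
    "Certificate expiration": ["VERIFY ERROR: certificate has expired"],
    "Certificate configuration error": [
        "Options error: --ca fails with",
        "Options error: --cert fails with",
        "Options error: --key fails with",
        "WARNING: cannot stat file",
        "Options error: Please correct these errors.",
    ],
    "Incompatible VPN application versions": [
        "Data Channel Offload doesn't support DATA_V1 packets",
        "Upgrade your server to",
        "suggesting an upgrade to the server version",
    ],
    "Insufficient IP addresses": ["OpenVPN needs a gateway parameter for a --route option"],
    "Encryption algorithm mismatch": [
        "The server has no TLS ciphersuites in common with the client",
        "no shared cipher",
    ],
    "Inconsistent encryption algorithms": ["Authenticate/Decrypt packet error: cipher final failed"],
    "Packet ID conflict": ["Authenticate/Decrypt packet error: bad packet ID (may be a replay)"],
    "Time synchronization issue": [
        "certificate verify failed",
        "TLS_ERROR: BIO read tls_read_plaintext error",
        "TLS Error: TLS object -> incoming plaintext read error",
        "TLS Error: TLS handshake failed",
    ],
    "Certificate verification failure": ["No server certificate verification method has been enabled"],
    "Two-factor authentication failure": [
        "AUTH: Received control message: AUTH_FAILED",
        "TCP/UDP: Closing socket",
        "SIGUSR1[soft,auth-failure] received",
        ",RECONNECTING,auth-failure",
    ],
    "TAP adapter missing": [
        "There are no TAP-Windows adapters on this system",
        "CreateFile failed on TAP device",
        "All TAP-Win32 adapters on this system are currently in use",
    ],
    "Disabled ovpnagent program": ["Transport Error: socket_protect error"],
    "Frequent client reconnection": [
        "Connection reset, restarting",
        "SIGUSR1[soft,connection-reset] received",
        "TCP/UDP: Closing socket",
    ],
}

# How many categories share each keyword; a shared keyword is weaker evidence.
_SHARED = Counter(kw for kws in KEYWORDS.values() for kw in kws)


def classify_line(line: str) -> list:
    """All (category, keyword) pairs whose keyword occurs in this log line."""
    return [(cat, kw) for cat, kws in KEYWORDS.items() for kw in kws if kw in line]


def diagnose(log_text: str) -> list:
    """Rank categories for a whole log as (category, score, matched keywords).
    Each distinct keyword adds 1/n to every category it belongs to, where n is
    the number of categories sharing it; ties are broken by category name."""
    hits = {}
    for line in log_text.splitlines():
        for cat, kw in classify_line(line):
            hits.setdefault(cat, set()).add(kw)
    ranked = [(cat, round(sum(1 / _SHARED[kw] for kw in kws), 2), sorted(kws))
              for cat, kws in hits.items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample logs (timestamps and addresses are made up).
EXPIRED_CERT_LOG = """\
2024-01-26 10:00:01 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
2024-01-26 10:00:01 UDP link local: (not bound)
2024-01-26 10:00:02 VERIFY ERROR: certificate has expired
2024-01-26 10:00:02 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-01-26 10:00:02 TLS_ERROR: BIO read tls_read_plaintext error
2024-01-26 10:00:02 TLS Error: TLS object -> incoming plaintext read error
2024-01-26 10:00:02 TLS Error: TLS handshake failed
2024-01-26 10:00:02 SIGUSR1[soft,tls-error] received, process restarting
"""

NETWORK_LOG = """\
2024-01-26 11:00:00 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2024-01-26 11:00:00 TLS Error: TLS handshake failed
2024-01-26 11:00:00 SIGUSR1[soft,tls-error] received, process restarting
"""

if __name__ == "__main__":
    for name, log in (("expired certificate", EXPIRED_CERT_LOG), ("network", NETWORK_LOG)):
        print(name)
        for cat, score, kws in diagnose(log):
            print(f"  {score:>4}  {cat}: {', '.join(kws)}")
```

The ranking is a starting point, not a verdict. In the constructed expired-certificate log the time synchronization category scores highest because the expired certificate also produced the generic TLS verification failures; that is exactly why the time synchronization entry in the table also tells you to check the certificate validity period, and why the most specific keyword ("certificate has expired") should be read in context. In the network log the unique "TLS key negotiation failed" keyword puts network connection failure clearly ahead.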

References

Note

If you need to modify the configurations of a client while you troubleshoot SSL-VPN connection issues, see the user guide of that client.