
VPN Gateway: Troubleshooting

Last Updated: Mar 17, 2026

If you encounter issues with an SSL-VPN connection, you can use log information from the client and the VPN Gateway console to troubleshoot the problem.

Background information

This topic lists common SSL-VPN connection errors and their solutions. To quickly resolve connection problems, you can compare the log entries from the client and the VPN Gateway console with the summary table in this topic.

Summary of SSL-VPN client log directories

The following table lists the default locations of SSL-VPN connection log files for different VPN clients and operating systems.

Note

If you specified a custom location for the log file during installation, check that location for the logs.

Linux client (OpenVPN software): /var/log/openvpn.log

Windows client (OpenVPN software): by default, the log folder under the OpenVPN software installation directory, for example, C:\Users\User\OpenVPN\log

macOS client (Tunnelblick software): /Library/Application Support/Tunnelblick/Logs

macOS client (OpenVPN software): /Library/Application Support/OpenVPN/log/connection_name.log

Common SSL-VPN connection errors and solutions

After you retrieve the SSL-VPN connection logs, search your logs for the keywords listed under each error category below to identify the cause and the matching solution. Each entry gives the error category, its cause, the log keywords that indicate it, and the solution.

Network unreachable

Cause: A network connectivity issue occurred.

Log keywords:

  • network is unreachable

  • TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

  • TLS Error: TLS handshake failed

Solution:

  1. On the client, use the ping or mtr command to test the connection to the public IP address of the VPN Gateway and check the quality of the public network link.

    • If the public network link quality is poor, such as high latency or a high packet loss rate, contact your ISP for assistance.

    • If the connection is normal, check whether the SSL server logs contain connection information from the client.

      If you cannot find the client's connection information, change the Port of the SSL server. Then, download the SSL client certificate again and install it on the client.

  2. You can change the Protocol of the SSL server to TCP for better reliability.

    If you use an SSL-VPN connection for long-distance communication, such as from the US (Silicon Valley) to Singapore, and changing the server Protocol to TCP does not resolve the issue, use Cloud Enterprise Network (CEN) and Smart Access Gateway to connect the client to the VPC.

  3. If multiple VPN applications are installed on the client, use only one of them to establish the SSL-VPN connection.

  4. Restart the client or reinstall the VPN software on the client.

Protocol or port mismatch

Cause: The protocol or port of the client does not match the protocol or port of the SSL server.

Log keywords:

  • MANAGEMENT: >STATE:1676379239,TCP_CONNECT,,,,,,

  • TCP: connect to [AF_INET]*.*.*.*:1194 failed: Unknown error

Solution: Change the Protocol and Port of the SSL server. Then, download the SSL client certificate again and install it on the client.

Connection limit exceeded

Cause: The number of SSL client connections has reached the maximum limit.

Log keyword: MANAGEMENT: >STATE:1676370715,WAIT,,,,,

Solution:

  1. Check the number of connected clients for the VPN Gateway instance to determine whether the limit is exceeded.

    • If the limit is exceeded, you can increase the maximum number of concurrent connections for the SSL server.

    • If the limit is exceeded and you do not want to increase the connection limit, disconnect unnecessary clients to release resources. After a client disconnects, the system releases the resources in about 5 minutes.

  2. Change the Protocol of the SSL server to TCP, and then download and install the SSL client certificate again.

    The UDP protocol can result in unreliable connections that occupy connection resources. Using the TCP protocol prevents this issue and is more reliable.

Certificate expired

Cause: The certificate has expired.

Log keyword: VERIFY ERROR: certificate has expired

Solution:

  1. Check the validity of the SSL client certificate.

    By default, an SSL client certificate is valid for three years.

  2. Delete the existing SSL client certificate and all its configurations. Then, download and install the SSL client certificate again.

    You must download and install the SSL client certificate again after you enable or disable two-factor authentication, or modify the SSL server configuration.

Certificate configuration error

Cause: The certificate is configured incorrectly.

Log keywords:

  • Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)

  • Options error: --cert fails with 'vsc-****.crt': No such file or directory (errno=2)

  • WARNING: cannot stat file 'vsc-****.key': No such file or directory (errno=2)

  • Options error: --key fails with 'vsc-****.key'

  • Options error: Please correct these errors.

Solution: Delete the existing SSL client certificate and its configurations. Then, download and install the SSL client certificate again.

Incompatible VPN software version

Cause: The VPN software version on the client is not compatible with the Alibaba Cloud SSL server.

Log keywords:

  • Data Channel Offload doesn't support DATA_V1 packets

  • Upgrade your server to

  • suggesting an upgrade to the server version

Solution: On the client, delete the existing VPN software. Then, refer to the VPN documentation to download and install the recommended VPN software.

Insufficient IP addresses

Cause: The client CIDR block configured for the SSL server is too small, so the system runs out of IP addresses to allocate.

Log keyword: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options

Solution: Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections. For more information, see Create and manage an SSL server.

For example, if the client CIDR block is 192.168.0.0/24, the system first carves a /30 subnet, such as 192.168.0.4/30, out of the 192.168.0.0/24 block. It then allocates one IP address from 192.168.0.4/30 to the client and reserves the other three addresses to ensure network communication. Each client therefore consumes four IP addresses, which is why the client CIDR block must contain at least four times as many IP addresses as the maximum number of SSL-VPN connections for every client to receive an address.
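The sizing rule above (four addresses per connection) as an added POSIX shell check. This is an added example, not code from the documentation or from the VPN Gateway product: it takes the client CIDR block and the maximum number of connections configured on the SSL server, reports whether the block is large enough, and when it is not, names the smallest prefix length that would be. The address count is computed from the prefix length alone, which is all the rule needs.

```shell
#!/bin/sh
# Added example (not part of the documentation): size check for the SSL
# server's client CIDR block. Each client consumes a /30 (four addresses), so
# the block must hold at least four addresses per concurrent connection.

# cidr_prefix CIDR -> prints the prefix length, or fails on a malformed value.
cidr_prefix() {
  case "$1" in
    */*) ;;
    *) echo "not a CIDR block: $1" >&2; return 1 ;;
  esac
  p=${1##*/}
  case "$p" in
    ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
  esac
  [ "$p" -ge 0 ] && [ "$p" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
  printf '%s\n' "$p"
}

# max_ssl_clients CIDR -> number of clients the block can serve (addresses / 4).
max_ssl_clients() {
  p=$(cidr_prefix "$1") || return 1
  # A /30 is the smallest unit handed to one client, so a /31 or /32 holds
  # no usable client slot at all.
  if [ "$p" -gt 30 ]; then printf '0\n'; return 0; fi
  printf '%s\n' $(( (1 << (32 - p)) / 4 ))
}

# check_client_cidr CIDR MAX_CONNECTIONS -> prints "ok" or "insufficient".
# When the block is too small, the smallest sufficient prefix length goes to
# stderr so the operator knows what to configure instead.
check_client_cidr() {
  cap=$(max_ssl_clients "$1") || return 1
  if [ "$cap" -ge "$2" ]; then
    printf 'ok\n'
  else
    need=$(( $2 * 4 )); p=32
    while [ "$p" -gt 0 ] && [ $(( 1 << (32 - p) )) -lt "$need" ]; do
      p=$(( p - 1 ))
    done
    echo "$1 holds $cap client slots; $2 connections need at least a /$p" >&2
    printf 'insufficient\n'
  fi
}

# Usage: the documentation's own example block, then one that is too small.
check_client_cidr 192.168.0.0/24 64    # ok (256 addresses / 4 = 64 clients)
check_client_cidr 192.168.0.0/26 100   # insufficient (16 slots; needs a /23)
```

The check deliberately ignores the network and broadcast addresses of the block: the rule in the documentation is stated purely as "four addresses per connection", so the script applies exactly that and nothing stricter.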

No common encryption algorithm

Cause: The SSL server and the client do not share a common TLS cipher suite.

Log keywords:

  • TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.

  • OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

Solution: Install the VPN software recommended by VPN Gateway on the client. For more information, see Configure a client.

Inconsistent encryption algorithm

Cause: The encryption algorithm of the SSL server does not match the encryption algorithm of the client.

Log keyword: Authenticate/Decrypt packet error: cipher final failed

Solution: Confirm that the encryption algorithm of the installed SSL client certificate is the same as the encryption algorithm of the SSL server.

If they are not the same, delete the existing SSL client certificate and all its configurations. Then, download the SSL client certificate again and install it on the client.

  • The encryption algorithm of the SSL client certificate is the value of the cipher field in the config.ovpn file.

  • On the SSL Servers page, find the target SSL server instance. In the Actions column, click Details. On the instance details page, you can view the encryption algorithm of the SSL server.
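The comparisons called for under Protocol or port mismatch and Inconsistent encryption algorithm (the client's config.ovpn against the protocol, port and encryption algorithm shown on the SSL server's details page) can be done in one preflight script before connecting. The following POSIX shell script is an added example, not code from the documentation or from OpenVPN. The profile in it is constructed; the directives it reads (proto, remote, cipher, cert) are standard OpenVPN profile directives, and values that would normally come from the console are passed in as arguments. When openssl is installed it also reports whether the referenced client certificate file is missing, expired or close to expiry, which covers the Certificate expired and Certificate configuration error entries.

```shell
#!/bin/sh
# Added example (not part of the documentation): compare config.ovpn with the
# SSL server settings and check the referenced client certificate.

# profile_field FILE DIRECTIVE -> value of the first DIRECTIVE line, skipping
# comments and inline <ca>/<cert>/<key> blocks, whose contents are not config.
profile_field() {
  awk -v k="$2" '
    substr($1, 1, 2) == "</"  { inblock = 0; next }
    substr($1, 1, 1) == "<"   { inblock = 1; next }
    inblock || NF == 0        { next }
    $1 ~ /^[#;]/              { next }
    $1 == k                   { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }
  ' "$1"
}

# normalize_proto VALUE -> "udp" or "tcp" (OpenVPN also accepts udp4, tcp-client, ...).
normalize_proto() {
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$v" in udp*) v=udp ;; tcp*) v=tcp ;; esac
  printf '%s\n' "$v"
}

# check_profile FILE PROTO PORT CIPHER -> prints "match" and returns 0 when the
# profile agrees with the SSL server; otherwise one line per mismatch, returns 1.
check_profile() {
  file=$1
  want_proto=$(normalize_proto "$2"); want_port=$3
  want_cipher=$(printf '%s' "$4" | tr 'a-z' 'A-Z')
  remote=$(profile_field "$file" remote)        # "host port [proto]"
  port=$(printf '%s' "$remote" | awk '{print $2}')
  proto=$(profile_field "$file" proto)
  [ -n "$proto" ] || proto=$(printf '%s' "$remote" | awk '{print $3}')
  proto=$(normalize_proto "$proto")
  cipher=$(profile_field "$file" cipher | tr 'a-z' 'A-Z')
  bad=0
  [ "$proto" = "$want_proto" ]   || { echo "proto: profile '$proto', server '$want_proto'"; bad=1; }
  [ "$port" = "$want_port" ]     || { echo "port: profile '$port', server '$want_port'"; bad=1; }
  [ "$cipher" = "$want_cipher" ] || { echo "cipher: profile '$cipher', server '$want_cipher'"; bad=1; }
  [ "$bad" -eq 0 ] && echo match
  return "$bad"
}

# cert_status FILE -> "missing", "expired", "expiring-soon" (within 30 days),
# "valid", or "no-openssl" when the check cannot be performed.
cert_status() {
  [ -r "$1" ] || { echo missing; return 0; }
  command -v openssl >/dev/null 2>&1 || { echo no-openssl; return 0; }
  if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null 2>&1; then echo expiring-soon
  else echo valid; fi
}

# Constructed sample profile (no real certificate material).
SAMPLE_PROFILE=$(mktemp)
cat > "$SAMPLE_PROFILE" <<'EOF'
client
dev tun
# constructed sample, not a downloaded profile
proto udp
remote 203.0.113.10 1194
cipher AES-128-CBC
ca ca.crt
cert vsc-example.crt
key vsc-example.key
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: an inline block must not be parsed as directives)
-----END CERTIFICATE-----
</ca>
EOF

check_profile "$SAMPLE_PROFILE" udp 1194 AES-128-CBC          # match
check_profile "$SAMPLE_PROFILE" tcp 443 AES-256-CBC || true   # three mismatch lines
cert_status "$(profile_field "$SAMPLE_PROFILE" cert)"         # missing (file not present here)
```

A "missing" result from cert_status corresponds to the Options error / cannot stat file keywords above: the profile references a certificate or key file that is not where the profile expects it, which is exactly the case the documentation resolves by re-downloading and re-installing the client certificate.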

Packet ID conflict

Cause: The network connection is unstable, or the encryption algorithm of the SSL server is set to none.

Log keyword: Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Solution:

  1. Change the Protocol of the SSL server to TCP for better reliability.

  2. Check whether the Encryption Algorithm of the SSL server is set to none. If it is, change the Encryption Algorithm of the SSL server to an AES algorithm, such as AES-128-CBC, AES-192-CBC, or AES-256-CBC.

  3. After you modify the SSL server configuration, delete the existing SSL client certificate and all its configurations. Then, download the SSL client certificate again and install it on the client.

Time not synchronized

Cause: SSL verification fails, or the time difference between the client and the server is too large.

Log keywords:

  • OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

  • TLS_ERROR: BIO read tls_read_plaintext error

  • TLS Error: TLS object -> incoming plaintext read error

  • TLS Error: TLS handshake failed

Solution:

  1. The time difference between the client and the SSL server cannot exceed 10 minutes. Adjust the client's time to match the standard time.

  2. Check the validity of the SSL client certificate.

    By default, an SSL client certificate is valid for three years.

Certificate verification failed

Cause: SSL certificate verification failed.

Log keyword: No server certificate verification method has been enabled

Solution:

  1. Check the validity of the SSL client certificate.

    By default, an SSL client certificate is valid for three years.

  2. Delete the existing SSL client certificate and all its configurations. Then, download and install the SSL client certificate again.

    You must download and install the SSL client certificate again after you enable or disable two-factor authentication, or modify the SSL server configuration.

Two-factor authentication failed

Cause: Two-factor authentication failed.

Log keywords:

  • AUTH: Received control message: AUTH_FAILED

  • TCP/UDP: Closing socket

  • SIGUSR1[soft,auth-failure] received, process restarting

  • MANAGEMENT: >STATE:1676381342,RECONNECTING,auth-failure,,,,,

Solution:

  1. Confirm that the username and password you entered are correct.

  2. Check the IDaaS instance to determine whether the account is configured correctly, whether the account is disabled, or whether the IDaaS instance has expired. For more information, see What is IDaaS?.

    If the IDaaS instance is configured correctly, try to add a new account and connect again.

  3. Delete the existing SSL client certificate and all its configurations. Then, download and install the SSL client certificate again.

    You must download and install the SSL client certificate again after you enable or disable two-factor authentication, or modify the SSL server configuration.

Missing TAP adapter

Cause: The client is missing the TAP virtual Ethernet adapter, which must be recreated.

Log keywords:

  • There are no TAP-Windows adapters on this system. You should be able to create a TAP

  • CreateFile failed on TAP device

  • All TAP-Win32 adapters on this system are currently in use

Solution:

  1. Confirm that you selected the TAP Virtual Ethernet Adapter option during the OpenVPN installation.

    If you did not select this option during installation, you can manually create the virtual Ethernet adapter or reinstall the OpenVPN software.

  2. Exit the OpenVPN software and run it again with administrator permissions.

ovpnagent is not running

Cause: The ovpnagent program is not running on the macOS client.

Log keyword: Transport Error: socket_protect error

Solution:

  1. On the client's command-line interface, run the following command to start the ovpnagent program manually:

    /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent

  2. For macOS clients, use the Tunnelblick software to establish SSL-VPN connections.

Client reconnects frequently

Cause: The client actively or automatically reconnects.

Log keywords:

  • Connection reset, restarting [-1]

  • SIGUSR1[soft,connection-reset] received, client-instance restarting

  • TCP/UDP: Closing socket

Solution:

  1. Check whether the client was restarted or reconnected at the time shown in the log.

  2. Check the validity of the SSL client certificate.

    By default, an SSL client certificate is valid for three years.

  3. Check the time on the client.

    The time difference between the client and the SSL server cannot exceed 10 minutes. Adjust the client's time to match the standard time.
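To compare a client log with the entries above mechanically, the following POSIX shell script maps each log line to the error category whose keyword it contains and collapses a long log to one line per category found. It is an added example, not part of this documentation or of the OpenVPN project; the keyword patterns are the ones listed above, and the log lines embedded in it are constructed samples rather than a captured client log. Keywords that appear under more than one category (TLS handshake failed, Closing socket) are reported with both categories, since the log alone cannot decide between them.

```shell
#!/bin/sh
# Added example (not part of the documentation): classify OpenVPN client log
# lines against the keyword list above. Sample lines below are constructed.

# classify_line LINE -> prints the error category, or "Unclassified".
# Keywords listed under two categories are reported with both.
classify_line() {
  case "$1" in
    *"network is unreachable"*|*"TLS key negotiation failed to occur within"*)
      printf '%s\n' "Network unreachable" ;;
    *"TLS handshake failed"*)
      printf '%s\n' "Network unreachable / Time not synchronized" ;;
    *"TCP_CONNECT"*|*"TCP: connect to"*)
      printf '%s\n' "Protocol or port mismatch" ;;
    *">STATE:"*",WAIT,"*)
      printf '%s\n' "Connection limit exceeded" ;;
    *"certificate has expired"*)
      printf '%s\n' "Certificate expired" ;;
    *"Options error"*|*"cannot stat file"*)
      printf '%s\n' "Certificate configuration error" ;;
    *"Data Channel Offload"*|*"Upgrade your server"*|*"upgrade to the server version"*)
      printf '%s\n' "Incompatible VPN software version" ;;
    *"needs a gateway parameter"*)
      printf '%s\n' "Insufficient IP addresses" ;;
    *"no TLS ciphersuites in common"*|*"no shared cipher"*)
      printf '%s\n' "No common encryption algorithm" ;;
    *"cipher final failed"*)
      printf '%s\n' "Inconsistent encryption algorithm" ;;
    *"bad packet ID"*)
      printf '%s\n' "Packet ID conflict" ;;
    *"certificate verify failed"*|*"tls_read_plaintext error"*|*"incoming plaintext read error"*)
      printf '%s\n' "Time not synchronized" ;;
    *"No server certificate verification method"*)
      printf '%s\n' "Certificate verification failed" ;;
    *"AUTH_FAILED"*|*"auth-failure"*)
      printf '%s\n' "Two-factor authentication failed" ;;
    *"TAP-Windows adapters"*|*"CreateFile failed on TAP"*|*"TAP-Win32 adapters"*)
      printf '%s\n' "Missing TAP adapter" ;;
    *"socket_protect error"*)
      printf '%s\n' "ovpnagent is not running" ;;
    *"connection-reset"*|*"Connection reset, restarting"*)
      printf '%s\n' "Client reconnects frequently" ;;
    *"Closing socket"*)
      printf '%s\n' "Two-factor authentication failed / Client reconnects frequently" ;;
    *)
      printf '%s\n' "Unclassified" ;;
  esac
}

# triage_log FILE -> "category<TAB>first matching line", one per category, in
# the order the categories first appear in the log.
triage_log() {
  while IFS= read -r line; do
    cat=$(classify_line "$line")
    [ "$cat" = "Unclassified" ] && continue
    printf '%s\t%s\n' "$cat" "$line"
  done < "$1" | awk -F'\t' '!seen[$1]++'
}

# Constructed sample log (timestamps and addresses are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Thu Feb 16 15:30:11 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
Thu Feb 16 15:30:11 2023 MANAGEMENT: >STATE:1700000000,TCP_CONNECT,,,,,,
Thu Feb 16 15:30:21 2023 TCP: connect to [AF_INET]203.0.113.10:1194 failed: Unknown error
Thu Feb 16 15:31:05 2023 VERIFY ERROR: certificate has expired
Thu Feb 16 15:31:05 2023 TLS Error: TLS handshake failed
Thu Feb 16 15:31:05 2023 SIGUSR1[soft,tls-error] received, process restarting
EOF

triage_log "$SAMPLE_LOG"   # three categories from the six constructed lines
```

Run it against the log file from the directory listed earlier for your client (for example `triage_log /var/log/openvpn.log` on Linux); each reported category is then looked up above for its solution.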

Related operations

The following topics describe operations that you may need to perform while troubleshooting SSL-VPN connection issues:

Note

To modify the client configuration during troubleshooting, refer to the user guide for your client.