Common causes and solutions for SSL-VPN client connection failures, traffic forwarding issues, and encryption behavior.
Connection failures
Why does my SSL-VPN client fail to connect?
Invalid SSL server or client configuration
Verify that the VPC CIDR block the client needs to reach is listed in the Local Network parameter of the SSL server. Then confirm the VPN application on the client is configured correctly.
Expired or invalid SSL client certificate
SSL client certificates are valid for three years by default. If the certificate has expired, delete it along with all its configuration, then re-download and install it. Also re-download the certificate after:
Enabling or disabling two-factor authentication
Modifying the SSL server configuration
See Download an SSL client certificate.
Too many concurrent connections
The number of connected clients may exceed the VPN Gateway limit.
To raise the limit, see Modify the maximum number of concurrent SSL connections.
To free up connections, disconnect idle clients. Resources are released 5 minutes after disconnection. See View the information about an SSL client.
Switch the SSL server Protocol to TCP, then re-download and install the client certificate. TCP connections are more reliable than UDP and prevent unreliable connections from consuming quota. See Modify an SSL server.
IP address conflicts
If the VPC CIDR block conflicts with the client's local IP address, modify the Local Network (VPC or vSwitch CIDR block) or the Client CIDR Block parameter of the SSL server to eliminate the overlap. See Modify an SSL server.
Insufficient client CIDR block addresses
Each SSL-VPN connection consumes four IP addresses. The system carves a /30 subnet from the Client CIDR Block -- for example, 192.168.0.4/30 out of 192.168.0.0/24. One address goes to the client; the other three support network communication. The Client CIDR Block must provide at least four times the maximum number of SSL-VPN connections on the VPN Gateway.
See Create and manage an SSL server.
VPN application conflicts
If multiple VPN applications are installed on the client, use only one to create SSL-VPN connections. Restart the client or reinstall the VPN application. See Configure the client.
Other causes
Check the SSL-VPN connection logs for specific errors. See Troubleshoot SSL-VPN connection issues.
Connection stability
Why does my client periodically disconnect from the SSL server?
Unstable internet connection
Run ping or mtr against the VPN Gateway public IP address from the client to check link quality. If latency is high or packets are dropping, contact your internet service provider (ISP).
For long-distance connections -- for example, between the US (Silicon Valley) and Singapore -- intermittent disconnections are common over UDP. Switch the SSL server Protocol to TCP for better reliability. See Modify an SSL server.
If the issue persists after switching to TCP, consider Cloud Enterprise Network (CEN) and Smart Access Gateway (SAG) to connect the client to the VPC.
SSL server configuration changes
Modifying the SSL server configuration disconnects all clients. Reconnect after the changes are applied.
Why can only some of my clients connect?
Long-distance or unstable connections
Clients connecting over long distances (for example, US Silicon Valley to Singapore) are more likely to disconnect when using UDP. Switch the SSL server Protocol to TCP. If the issue persists, consider CEN and SAG.
Connection limit exceeded
If the VPN Gateway has reached its concurrent connection limit, additional clients are rejected. Either increase the limit or disconnect idle clients. Resources are released 5 minutes after disconnection.
Switching the Protocol to TCP and re-downloading the client certificate replaces unreliable UDP connections with reliable TCP connections, freeing quota. See Modify an SSL server and Download an SSL client certificate.
Client application issues
The VPN application on the failing client may have crashed or become misconfigured. Restart the client or reinstall and reconfigure the VPN application. See Configure the client.
Clock skew
SSL verification fails if the time difference between the client and the SSL server exceeds 10 minutes. Synchronize the client to a Network Time Protocol (NTP) server.
On Linux:
yum install -y ntp        # Install the NTP service.
ntpdate pool.ntp.org      # Synchronize the time once against a public NTP pool.
date                      # Verify the system time.
On other operating systems, open the system date and time settings and enable automatic time synchronization.
Connectivity issues
My client is connected, but the VPC cannot ping it
The client's firewall or access control policy is likely blocking ICMP. By default, the Windows firewall blocks inbound ping requests. Modify the Windows inbound firewall rules to allow ICMPv4-In. On other operating systems, check whether the client's access control policy permits ICMP traffic.
My client is connected, but ping works in only one direction
The client can ping the VPC, but the VPC cannot ping the client
The client's firewall or access control policy is blocking inbound ICMP. On Windows, enable the ICMPv4-In inbound rule. On other systems, check the client's access control policy.
The VPC can ping the client, but the client cannot ping the VPC
The forward and return paths may differ. Check these two causes:
If you use CEN, verify the route configuration at each node between the client and the VPC. Both directions must follow the same path.
Check whether the target resource in the VPC (for example, an ECS instance) has a public IP address. If both the resource and the client have public IPs, the VPC may route traffic over the internet instead of the VPN tunnel.
My client is connected, but it cannot resolve domain names or access an application
The client likely has no route to the DNS server.
Add the DNS server CIDR block to the Local Network parameter of the SSL server. For example, if you use Alibaba Cloud DNS PrivateZone, add 100.100.2.136/32 and 100.100.2.138/32 to Local Network.
Run ping or mtr from the client to the destination application. If the application is reachable by IP, the SSL-VPN tunnel is working and the issue is DNS-only.
See Modify an SSL server.
My client is connected, but it cannot access cloud resources
Missing or incorrect Local Network configuration
Verify that the CIDR blocks the client needs to reach are listed in the Local Network parameter of the SSL server. Then confirm the client has learned the corresponding routes.
On Windows:
REM View the IP address assigned to the client.
ipconfig
REM Check whether the client received routes for the Local Network.
route print
On Linux:
ifconfig          # View the IP address assigned to the client (ip addr show on systems without ifconfig).
ip route show     # Check whether the client received routes for the Local Network.
See Modify an SSL server.
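To check the Linux route table without reading it by eye, the script below parses the output of ip route show and lists every Local Network CIDR block that has no covering route through the tunnel interface. This is an added example, not part of the Alibaba Cloud documentation: the route table text is a constructed sample, and the tunnel device name tun0 and the CIDR blocks are assumptions.

```python
"""Added example (not Alibaba Cloud code): verify that a connected Linux client
learned a tunnel route for every Local Network CIDR block of the SSL server.

SAMPLE_ROUTES is a constructed sample of `ip route show` output; the device
name tun0 and all CIDR values are assumptions made for this example.
"""
import ipaddress

# Constructed sample: one tunnel /30 plus two pushed routes via the tunnel gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
10.0.0.0/16 via 192.168.0.5 dev tun0
172.16.0.0/24 via 192.168.0.5 dev tun0
192.168.0.4/30 dev tun0 proto kernel scope link src 192.168.0.6
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.20 metric 600
"""


def parse_routes(text):
    """Return (destination network, device) tuples parsed from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # `default` is printed instead of 0.0.0.0/0 for the default route.
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def missing_local_networks(route_text, local_networks, tunnel_dev="tun0"):
    """Local Network CIDR blocks with no route through the tunnel device that covers them."""
    routes = parse_routes(route_text)
    missing = []
    for cidr in local_networks:
        target = ipaddress.ip_network(cidr, strict=False)
        # Covered when some tunnel route's destination contains the whole block.
        covered = any(dev == tunnel_dev and target.subnet_of(net) for net, dev in routes)
        if not covered:
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    wanted = ["10.0.0.0/16", "172.16.0.0/24", "192.168.10.0/24"]
    for cidr in missing_local_networks(SAMPLE_ROUTES, wanted):
        print(f"no tunnel route covers {cidr}: add it to Local Network and reconnect")
```

Run it after connecting, replacing SAMPLE_ROUTES with the real output of ip route show and the list with the CIDR blocks configured in Local Network; any block it reports is missing from the SSL server configuration or the client did not receive the pushed route.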
Overlapping Local Network and Client CIDR Block
If the CIDR blocks in the Local Network parameter overlap with the Client CIDR Block parameter, traffic cannot be routed correctly. Adjust either parameter to remove the overlap.
IPsec-VPN route conflict
If an IPsec-VPN connection on the same VPN Gateway has a route whose destination CIDR block overlaps with the Client CIDR Block of the SSL server, traffic is misrouted. Either change the IPsec-VPN route to a more specific route, or change the Client CIDR Block to a non-overlapping range.
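The address-plan rules described under Insufficient client CIDR block addresses, IP address conflicts, Overlapping Local Network and Client CIDR Block, and IPsec-VPN route conflict can be checked in one place before you modify the SSL server. The following Python script is an added example, not Alibaba Cloud code and not a VPN Gateway API; the CIDR blocks, IPsec-VPN route list, and connection limit it uses are constructed sample values.

```python
"""Added example (not Alibaba Cloud code): sanity-check an SSL server address plan.

Implements the FAQ's three address rules:
  * the Client CIDR Block must supply four addresses (one /30) per SSL-VPN
    connection the VPN Gateway allows;
  * no Local Network CIDR block may overlap the Client CIDR Block;
  * no IPsec-VPN route on the same gateway may overlap the Client CIDR Block.
Every CIDR and limit below is a constructed sample value, not a real gateway's.
"""
import ipaddress

CONN_PREFIX = 30                          # each connection takes one /30
ADDRS_PER_CONN = 2 ** (32 - CONN_PREFIX)  # = 4 addresses


def max_connections(client_cidr):
    """Number of SSL-VPN connections a Client CIDR Block can carve /30 subnets for."""
    net = ipaddress.ip_network(client_cidr, strict=False)
    return net.num_addresses // ADDRS_PER_CONN


def min_prefix_for(connections):
    """Smallest (largest-block) prefix length that holds `connections` /30 subnets."""
    needed = connections * ADDRS_PER_CONN
    prefix = 32
    while 2 ** (32 - prefix) < needed:
        prefix -= 1
    return prefix


def check_plan(client_cidr, local_networks, ipsec_routes, max_conns):
    """Return human-readable findings; an empty list means the plan is consistent."""
    client = ipaddress.ip_network(client_cidr, strict=False)
    findings = []
    capacity = max_connections(client_cidr)
    if capacity < max_conns:
        findings.append(
            f"Client CIDR {client} serves {capacity} connections but the gateway allows "
            f"{max_conns}; use at least a /{min_prefix_for(max_conns)}")
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(client):
            findings.append(f"Local Network {net} overlaps Client CIDR {client}")
    for cidr in ipsec_routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(client):
            findings.append(f"IPsec-VPN route {net} overlaps Client CIDR {client}")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: a /24 client block, two local networks, one IPsec route.
    for finding in check_plan("192.168.0.0/24",
                              ["10.0.0.0/16", "192.168.0.0/16"],
                              ["172.16.0.0/12"],
                              max_conns=100):
        print(finding)
```

The capacity rule follows directly from the /30 carving the FAQ describes: a /24 holds 64 /30 subnets, so it serves at most 64 connections, and raising the gateway limit to 100 requires at least a /23.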
Security group or network ACL blocking traffic
Check the security group rules of the target resource (for example, an ECS instance) in the VPC. The rules must allow traffic from the client CIDR block. Also check the network ACL on the client side.
OpenVPN version compatibility
Outdated or very recent OpenVPN versions can cause compatibility issues. For example, OpenVPN 2.6.6 on Windows may prevent the client from pinging cloud resources. Use the OpenVPN versions recommended in the VPN Gateway documentation. See Configure the client.
Performance issues
My client is connected, but packet loss occurs
VPN Gateway bandwidth exceeded
A sudden traffic spike may exceed the VPN Gateway bandwidth. Check the traffic monitoring data in the VPN Gateway console. If bandwidth is consistently maxed out, upgrade the VPN Gateway. See Upgrade or downgrade a VPN gateway.
UDP protocol unreliability
UDP does not guarantee delivery. Switch the SSL server Protocol to TCP for reliable transport, then re-download and install the SSL client certificate.
Unstable internet connection
Run ping or mtr from the client to the VPN Gateway public IP address. If the link is unstable, contact your ISP.
My client is connected, but latency is high
VPN Gateway bandwidth exceeded
Check the VPN Gateway console traffic monitoring data. If traffic spikes exceed the gateway bandwidth, upgrade the VPN Gateway. See Upgrade or downgrade a VPN gateway.
Older VPN Gateway version
VPN Gateways created before April 1, 2021 have lower forwarding performance. Latency increases under heavy traffic. Upgrade to a newer version with improved SSL-VPN performance. See Upgrade a VPN gateway for SSL-VPN.
Encryption and security
Why does my SSL-VPN connection use a different encryption algorithm than the one I specified?
This is expected when Negotiable Crypto Parameters (NCP) mode is active.
Both Alibaba Cloud SSL servers and OpenVPN 2.4.0 or later enable NCP by default. During connection setup, the client and server negotiate the most secure algorithm from the ncp_ciphers list, ignoring the algorithm you manually specified for the SSL server.
For OpenVPN 2.4.0 and later, the default ncp_ciphers list includes AES-256-GCM and AES-128-GCM. Confirm the negotiated algorithm in the connection logs:
Data Channel: using negotiated cipher 'AES-256-GCM'
If the client runs OpenVPN earlier than 2.4.0 and does not support NCP, the SSL server falls back to the algorithm you specified.
Recommendation: Use OpenVPN 2.4.0 or later so the server can dynamically negotiate the strongest available cipher.
If the client uses Tunnelblick, the SSL server always negotiates the encryption algorithm dynamically. The algorithm you specified for the SSL server does not take effect.
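To tell from a client log whether NCP negotiated the data-channel cipher or the server fell back to the one you configured, the script below scans for the log line quoted above and compares the result with the default ncp_ciphers list the FAQ names. This is an added example, not OpenVPN or Alibaba Cloud code; the log excerpt is a constructed sample, and the configured cipher passed in is an assumption.

```python
"""Added example (not OpenVPN or Alibaba Cloud code): report which data-channel
cipher an OpenVPN client log shows, and whether NCP negotiation took place.

SAMPLE_LOG is a constructed excerpt; only the 'using negotiated cipher' line
format comes from the FAQ, the surrounding lines are made up for the example.
"""
import re

# Default ncp_ciphers list for OpenVPN 2.4.0 and later, as stated in the FAQ.
NCP_DEFAULTS = {"AES-256-GCM", "AES-128-GCM"}
NEGOTIATED = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")

SAMPLE_LOG = """\
Mon Jan  1 10:00:01 2024 OpenVPN 2.4.12 x86_64-pc-linux-gnu
Mon Jan  1 10:00:02 2024 TLS: Initial packet from [AF_INET]203.0.113.10:1194
Mon Jan  1 10:00:03 2024 Data Channel: using negotiated cipher 'AES-256-GCM'
Mon Jan  1 10:00:03 2024 Initialization Sequence Completed
"""


def negotiated_cipher(log_text):
    """Cipher named in the last 'using negotiated cipher' line, or None if absent."""
    cipher = None
    for line in log_text.splitlines():
        match = NEGOTIATED.search(line)
        if match:
            cipher = match.group(1)   # keep the most recent negotiation
    return cipher


def explain(log_text, configured_cipher):
    """Classify the connection relative to the cipher configured on the SSL server."""
    cipher = negotiated_cipher(log_text)
    if cipher is None:
        return (f"no NCP negotiation logged; the server falls back to the configured "
                f"{configured_cipher} (client older than 2.4.0 or NCP disabled)")
    if cipher in NCP_DEFAULTS:
        return (f"NCP negotiated {cipher} from the default ncp_ciphers list; the "
                f"configured {configured_cipher} was not used")
    return (f"NCP negotiated {cipher}, which is outside the default ncp_ciphers list; "
            f"check the client's ncp-ciphers setting")


if __name__ == "__main__":
    print(explain(SAMPLE_LOG, "AES-128-CBC"))
```

Point it at the real client log file; a result that names a cipher outside the default list means the client overrode its NCP list, which is worth reviewing before accepting a weaker cipher than the one you expected.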
Can I use an IDaaS instance from another Alibaba Cloud account for two-factor authentication?
No. The IDaaS instance must belong to your own Alibaba Cloud account.