Each entry below lists the category of the problem, its cause, the keywords that appear in the OpenVPN client log, and the troubleshooting method.
Category: Network connection failure
Cause: The network communication is abnormal.
Keywords:
  network is unreachable
  TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
  TLS Error: TLS handshake failed
  Note: "TLS handshake failed" also appears in the time synchronization entry below. If the log also contains a certificate verify error, check the client clock first.
Troubleshooting method:
  1. Run the ping or mtr command on the client against the public IP address of the VPN gateway to check the quality of the Internet connection. If the connection is poor, for example because of high latency or high packet loss, contact your Internet service provider (ISP) to troubleshoot the issue.
  2. If the network connectivity is normal, check whether the connection attempt from the client can be found in the logs of the SSL server.
  3. If the client does not appear in the SSL server logs, its packets are not reaching the server. Change the port used by the SSL server, redownload the SSL client certificate, and then install the certificate on the client.
  4. Change the protocol used by the SSL server to TCP for higher reliability.
  5. If you use the SSL-VPN connection for long-distance communication, such as between US (Silicon Valley) and Singapore, and the issue persists after you change the protocol of the SSL server to TCP, we recommend that you use Cloud Enterprise Network (CEN) and Smart Access Gateway to connect the client to the virtual private cloud (VPC).
  6. If multiple VPN applications are installed on the client, use only one of them to create SSL-VPN connections.
  7. Restart the client or reinstall the VPN application on the client.
Category: Protocol or port number mismatch
Cause: The client and the SSL server use different protocols or ports.
Keywords:
  MANAGEMENT: >STATE:1676379239,TCP_CONNECT,,,,,,
  TCP: connect to [AF_INET]*.*.*.*:1194 failed: Unknown error
Troubleshooting method:
  Change the protocol and port of the SSL server, redownload the SSL client certificate, and then install the certificate on the client. The downloaded configuration carries the current protocol and port of the SSL server, so a config.ovpn that was downloaded before the server was modified still points at the old values.
Category: Excessive connections
Cause: The number of SSL-VPN connections exceeds the upper limit.
Keyword:
  MANAGEMENT: >STATE:1676370715,WAIT,,,,,
  Note: WAIT is also a normal transient state while the client waits for the first reply from the server. It indicates this problem only when the client never progresses beyond it.
Troubleshooting method:
  1. Check whether the number of SSL clients connected to the VPN gateway exceeds the upper limit.
  2. If the upper limit is exceeded, increase the maximum number of connections supported by the VPN gateway.
  3. If the upper limit is exceeded but you do not want to increase it, disconnect the clients that you no longer need. Their resources are released 5 minutes after they disconnect.
  4. Change the protocol of the SSL server to TCP, redownload the SSL client certificate, and then install the certificate on the client. This prevents stale UDP sessions from occupying the connection quota, and TCP connections are more reliable.
Category: Certificate expiration
Cause: The SSL client certificate has expired.
Keyword:
  VERIFY ERROR: certificate has expired
Troubleshooting method:
  1. Check the validity period of the SSL client certificate. The default validity period is three years.
  2. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.
  Note: You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.
Category: Certificate configuration error
Cause: The certificate configuration is invalid: config.ovpn references certificate and key files that cannot be found.
Keywords:
  Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
  Options error: --cert fails with 'vsc-****.crt': No such file or directory (errno=2)
  WARNING: cannot stat file 'vsc-****.key': No such file or directory (errno=2)
  Options error: --key fails with 'vsc-****.key'
  Options error: Please correct these errors.
Troubleshooting method:
  Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client. Keep ca.crt, vsc-****.crt and vsc-****.key at the paths that config.ovpn references, normally in the same directory as config.ovpn.
Category: Incompatible VPN application versions
Cause: The version of the VPN application (OpenVPN client) installed on the client is incompatible with the Alibaba Cloud SSL server.
Keywords:
  Data Channel Offload doesn't support DATA_V1 packets
  Upgrade your server to (the message is cut off here; it goes on to suggest a server version to upgrade to)
Troubleshooting method:
  Although the message suggests upgrading the server, the fix is on the client side. Delete the VPN application installed on the client and download the VPN application that is compatible with the SSL server. For more information, see the "Step 4: Configure the client" section of the Connect a client to a VPC topic.
Category: Insufficient IP addresses
Cause: The client CIDR block configured on the SSL server cannot provide enough IP addresses.
Keyword:
  OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Troubleshooting method:
  Make sure that the number of IP addresses in the client CIDR block is at least four times the maximum number of SSL-VPN connections supported by the VPN gateway. For more information, see Create an SSL server.
  For example, if you specify 192.168.0.0/24 as the client CIDR block, the system first carves a subnet with a 30-bit mask out of 192.168.0.0/24, such as 192.168.0.4/30. A /30 holds four IP addresses. The system allocates one of them to the client and uses the other three to support the tunnel, so one client consumes four IP addresses. To make sure that every client can be allocated an address, the client CIDR block must therefore hold at least four times as many addresses as the maximum number of SSL-VPN connections supported by the associated VPN gateway.
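The sizing rule above, as an added example (not part of the original page and not Alibaba Cloud's own code): it computes how many connections a client CIDR block can serve at four addresses each, the smallest prefix length for a given connection limit, and the /30 blocks carved from the CIDR. The allocation order shown by carve_client_subnets is assumed to be sequential; the page does not document the server's actual order.

```python
"""Added example: size a client CIDR block for the four-addresses-per-connection
rule. Standard library only."""
import ipaddress
from typing import List, Tuple


def client_capacity(client_cidr: str) -> int:
    """Number of clients the block can serve when each connection consumes
    one /30 (four addresses). Blocks smaller than a /30 serve nobody."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    return net.num_addresses // 4


def check_client_cidr(client_cidr: str, max_connections: int) -> Tuple[bool, int]:
    """Return (ok, capacity): ok is True when the block holds at least
    four times max_connections addresses, as the page requires."""
    capacity = client_capacity(client_cidr)
    return capacity >= max_connections, capacity


def minimum_prefix_length(max_connections: int) -> int:
    """Largest prefix length (smallest block) that still holds
    4 * max_connections addresses; 30 for a single connection."""
    needed = 4 * max_connections
    prefix = 30
    while prefix > 0 and (1 << (32 - prefix)) < needed:
        prefix -= 1
    return prefix


def carve_client_subnets(client_cidr: str, count: int) -> List[str]:
    """First `count` /30 blocks carved from the client CIDR. Sequential
    order is an assumption made for illustration."""
    net = ipaddress.ip_network(client_cidr, strict=True)
    if net.prefixlen > 30:
        return []
    result: List[str] = []
    for subnet in net.subnets(new_prefix=30):
        if len(result) == count:
            break
        result.append(str(subnet))
    return result


if __name__ == "__main__":
    ok, cap = check_client_cidr("192.168.0.0/24", 64)
    print(f"192.168.0.0/24 serves {cap} connections; enough for 64: {ok}")
    print("minimum prefix for 100 connections: /%d" % minimum_prefix_length(100))
    print(carve_client_subnets("192.168.0.0/24", 3))
```

A /24 therefore covers at most 64 concurrent connections; a gateway sized for 100 connections needs at least a /23.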
Category: Encryption algorithm mismatch
Cause: The SSL server and the client have no TLS cipher suite in common, so the TLS handshake on the control channel cannot complete.
Keywords:
  TLS error: The server has no TLS ciphersuites in common with the client. Your --tls-cipher setting might be too restrictive.
  OpenSSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
  Note: These messages concern the TLS cipher suites of the control channel (the --tls-cipher setting), not the data-channel cipher set in config.ovpn, which is covered by the next entry.
Troubleshooting method:
  Install the VPN application recommended by VPN Gateway on the client. For more information, see the "Step 4: Configure the client" section of the Connect a client to a VPC topic.
Category: Inconsistent encryption algorithms
Cause: The data-channel encryption algorithm configured on the client does not match the one configured on the SSL server.
Keyword:
  Authenticate/Decrypt packet error: cipher final failed
Troubleshooting method:
  1. Check whether the encryption algorithm in the SSL client configuration installed on the client matches that of the SSL server. The client-side algorithm is the value of the cipher directive in the config.ovpn file. To view the server-side algorithm, go to the SSL Servers page in the VPN Gateway console, find the SSL server that you want to manage, click Details in the Actions column, and view the encryption algorithm on the details page.
  2. If the algorithms differ, delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.
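The consistency check described here and in the "Protocol or port number mismatch" entry above, as an added example (not part of the original page and not Alibaba Cloud's own tooling): it reads the proto, port and cipher directives from a client config.ovpn and compares them with the values shown on the SSL server details page. The sample config and the server settings are constructed for illustration; the placeholder inside the <ca> block is not a real certificate.

```python
"""Added example: compare proto, port and cipher in config.ovpn with the
SSL server settings read from the console."""
from typing import Dict, List

# Constructed sample of a downloaded config.ovpn. A real one carries real
# <ca>, <cert> and <key> blocks or references to those files.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
resolv-retry infinite
nobind
cipher AES-128-CBC
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Assumed values as shown on the SSL server details page in the console.
SERVER_SETTINGS = {"proto": "tcp", "port": "1194", "cipher": "AES-256-CBC"}


def normalize_proto(value: str) -> str:
    """Map udp, udp4, udp6, tcp-client, tcp4-client ... to udp / tcp."""
    value = value.lower()
    if value.startswith("tcp"):
        return "tcp"
    if value.startswith("udp"):
        return "udp"
    return value


def parse_ovpn(text: str) -> Dict[str, str]:
    """Extract proto, port and cipher. Inline <tag>...</tag> blocks are
    skipped so that PEM data is never read as a directive. A port or proto
    given on the remote line overrides the standalone directives."""
    found: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "remote" and len(parts) > 1:
            found["remote"] = parts[1]
            if len(parts) > 2:
                found["port"] = parts[2]
            if len(parts) > 3:
                found["proto"] = normalize_proto(parts[3])
        elif key == "proto" and len(parts) > 1 and "proto" not in found:
            found["proto"] = normalize_proto(parts[1])
        elif key == "port" and len(parts) > 1 and "port" not in found:
            found["port"] = parts[1]
        elif key == "cipher" and len(parts) > 1:
            found["cipher"] = parts[1].upper()
    return found


def find_mismatches(client: Dict[str, str], server: Dict[str, str]) -> List[str]:
    """Settings that differ between client and server; empty when consistent.
    A missing cipher directive is reported too, because the server-side
    algorithm is then not pinned in the client file."""
    problems: List[str] = []
    for key in ("proto", "port", "cipher"):
        client_value = client.get(key)
        if client_value is None:
            problems.append(f"{key}: not set in config.ovpn, server uses {server[key]}")
        elif client_value != server[key]:
            problems.append(f"{key}: client {client_value}, server {server[key]}")
    return problems


if __name__ == "__main__":
    for problem in find_mismatches(parse_ovpn(SAMPLE_OVPN), SERVER_SETTINGS):
        print("MISMATCH", problem)
```

When the check reports a difference, follow the table: redownload the certificate package rather than hand-editing config.ovpn, since the server-side change may also have altered the certificates.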
Category: Packet ID conflict
Cause: The network connection is unstable, or the encryption algorithm of the SSL server is set to none.
Keyword:
  Authenticate/Decrypt packet error: bad packet ID (may be a replay)
Troubleshooting method:
  1. Change the protocol used by the SSL server to TCP for higher reliability. The message comes from the replay protection of OpenVPN, which rejects a packet whose sequence number falls outside the replay window. On a lossy or reordering UDP path this triggers without any actual replay; TCP delivers the packets in order. Do not disable replay protection to silence the message.
  2. Check whether the Encryption Algorithm of the SSL server is set to none. If it is, set the Encryption Algorithm parameter to AES-128-CBC, AES-192-CBC, or AES-256-CBC.
  3. After you modify the configuration of the SSL server, delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.
Category: Time synchronization issue
Cause: Certificate verification fails because the time difference between the client and the SSL server is longer than 10 minutes. From the client's point of view the certificate then appears not yet valid or already expired.
Keywords:
  OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  TLS_ERROR: BIO read tls_read_plaintext error
  TLS Error: TLS object -> incoming plaintext read error
  TLS Error: TLS handshake failed
Troubleshooting method:
  1. The time difference between the client and the SSL server cannot be longer than 10 minutes. Synchronize the client clock with standard time.
  2. Check the validity period of the SSL client certificate. The default validity period is three years.
Category: Certificate verification failure
Cause: The SSL certificate verification fails.
Keyword:
  No server certificate verification method has been enabled
  Note: OpenVPN logs this line as a startup warning when the client configuration contains no check of the server certificate (such as remote-cert-tls server); the line does not by itself abort the connection. Treat it as a pointer to the VERIFY or TLS error lines around it, and do not work around a verification failure by removing such checks, because a client that does not verify the server certificate can be intercepted by a server impersonating the VPN gateway.
Troubleshooting method:
  1. Check the validity period of the SSL client certificate. The default validity period is three years.
  2. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.
  Note: You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.
Category: Two-factor authentication failure
Cause: Two-factor authentication fails.
Keywords:
  AUTH: Received control message: AUTH_FAILED
  TCP/UDP: Closing socket
  SIGUSR1[soft,auth-failure] received, process restarting
  MANAGEMENT: >STATE:1676381342,RECONNECTING,auth-failure,,,,,
Troubleshooting method:
  1. Check whether the username and password that you entered are valid.
  2. Check whether the account exists on the Identity as a Service (IDaaS) instance, whether the IDaaS instance has disabled the account, and whether the IDaaS instance has expired. For more information, see What is IDaaS?
  3. If the issue is not caused by the IDaaS instance, use another account to connect to the service.
  4. Delete the current SSL client certificate and all configurations, redownload the certificate, and then install the certificate on the client.
  Note: You must redownload and install the SSL client certificate after you enable or disable two-factor authentication or modify the configurations of the SSL server.
Category: TAP virtual Ethernet adapter missing
Cause: The client does not have a TAP-Windows virtual Ethernet adapter, or all of its TAP adapters are already in use.
Keywords:
  There are no TAP-Windows adapters on this system. You should be able to create a TAP
  CreateFile failed on TAP device
  All TAP-Win32 adapters on this system are currently in use
Troubleshooting method:
  1. Check whether you selected TAP Virtual Ethernet Adapter when you installed OpenVPN. If you did not, create a TAP virtual Ethernet adapter or reinstall OpenVPN.
  2. Close OpenVPN and run it again as an administrator. Each OpenVPN instance holds one adapter, so a previous instance that did not exit cleanly can keep the only adapter busy.
Category: ovpnagent program not running
Cause: The ovpnagent helper of OpenVPN Connect on a macOS client is not running.
Keyword:
  Transport Error: socket_protect error
Troubleshooting method:
  1. Run the following command in the CLI of the client to start the ovpnagent program:
     /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent
  2. We recommend that you use Tunnelblick to create SSL-VPN connections on a macOS client.
Category: Frequent client reconnection
Cause: The client repeatedly reconnects to the server.
Keywords:
  Connection reset, restarting [-1]
  SIGUSR1[soft,connection-reset] received, client-instance restarting
  TCP/UDP: Closing socket
Troubleshooting method:
  1. Check what the client was doing at the points in time shown in the logs, for example whether the client itself restarted or reconnected at those times.
  2. Check the validity period of the SSL client certificate. The default validity period is three years.
  3. Check the system time of the client. The time difference between the client and the SSL server cannot be longer than 10 minutes. Synchronize the client clock with standard time.
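Putting the whole table to work, as an added example (not part of the original page and not Alibaba Cloud's own tooling): a triage script that maps OpenVPN client log lines onto the categories above. It orders the keywords from specific to generic, reports the generic network category only when nothing more specific matched (because "TLS handshake failed" accompanies most of the other failures), ignores a WAIT state when the client later reached CONNECTED, and measures the gaps between RECONNECTING states to support the "Frequent client reconnection" entry. The sample logs are constructed from the keywords in the table; 203.0.113.10 is a documentation address standing in for the gateway IP.

```python
"""Added example: classify OpenVPN client log lines by the categories of the
troubleshooting table."""
import re
from typing import Dict, List, Optional

# Ordered from specific to generic; the first rule that matches a line wins.
RULES = [
    (category, re.compile(pattern)) for category, pattern in [
        ("Two-factor authentication failure", r"AUTH_FAILED|auth-failure"),
        ("Certificate expiration", r"certificate has expired"),
        ("Certificate configuration error",
         r"Options error: --(ca|cert|key) fails|cannot stat file"),
        ("Incompatible VPN application versions",
         r"doesn't support DATA_V1 packets|Upgrade your server to"),
        ("Insufficient IP addresses",
         r"needs a gateway parameter for a --route option"),
        ("Encryption algorithm mismatch",
         r"no TLS ciphersuites in common|no shared cipher"),
        ("Inconsistent encryption algorithms", r"cipher final failed"),
        ("Packet ID conflict", r"bad packet ID \(may be a replay\)"),
        ("Time synchronization issue",
         r"certificate verify failed|tls_read_plaintext error"
         r"|incoming plaintext read error"),
        ("Certificate verification failure",
         r"No server certificate verification method has been enabled"),
        ("TAP virtual Ethernet adapter missing",
         r"no TAP-Windows adapters|CreateFile failed on TAP device"
         r"|TAP-Win32 adapters on this system are currently in use"),
        ("ovpnagent program not running", r"socket_protect error"),
        ("Frequent client reconnection", r"connection-reset"),
        ("Protocol or port number mismatch", r"TCP: connect to .* failed"),
        ("Excessive connections", r">STATE:\d+,WAIT,"),
        ("Network connection failure",
         r"network is unreachable|TLS key negotiation failed to occur"
         r"|TLS handshake failed"),
    ]
]
GENERIC = "Network connection failure"
RECONNECT_STATE = re.compile(r">STATE:(\d+),RECONNECTING,")


def classify_line(line: str) -> Optional[str]:
    """Category of a single log line, or None if no keyword matches."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None


def triage(log: str) -> List[str]:
    """Categories found in the log, most specific first."""
    hits: Dict[str, str] = {}   # category -> first matching line
    for line in log.splitlines():
        category = classify_line(line)
        if category and category not in hits:
            hits[category] = line.strip()
    # A handshake failure accompanies most specific failures: only report
    # the generic category when it is the sole finding.
    if GENERIC in hits and len(hits) > 1:
        del hits[GENERIC]
    # WAIT is a normal transient state; ignore it if CONNECTED was reached.
    if "Excessive connections" in hits and ",CONNECTED," in log:
        del hits["Excessive connections"]
    return [category for category, _ in RULES if category in hits]


def reconnect_intervals(log: str) -> List[int]:
    """Seconds between successive RECONNECTING states, from the epoch
    timestamps in MANAGEMENT >STATE lines. Short, regular gaps point at
    the "Frequent client reconnection" entry."""
    stamps = [int(m.group(1)) for m in RECONNECT_STATE.finditer(log)]
    return [b - a for a, b in zip(stamps, stamps[1:])]


# Constructed sample logs built from the table's keywords.
SAMPLE_CLOCK_SKEW = """\
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
"""
SAMPLE_PORT_MISMATCH = """\
MANAGEMENT: >STATE:1676379239,TCP_CONNECT,,,,,,
TCP: connect to [AF_INET]203.0.113.10:1194 failed: Unknown error
"""
SAMPLE_RECONNECT = """\
Connection reset, restarting [-1]
SIGUSR1[soft,connection-reset] received, client-instance restarting
MANAGEMENT: >STATE:1676381342,RECONNECTING,connection-reset,,,,,
TCP/UDP: Closing socket
SIGUSR1[soft,connection-reset] received, client-instance restarting
MANAGEMENT: >STATE:1676381402,RECONNECTING,connection-reset,,,,,
SIGUSR1[soft,connection-reset] received, client-instance restarting
MANAGEMENT: >STATE:1676381462,RECONNECTING,connection-reset,,,,,
"""

if __name__ == "__main__":
    for name, sample in [("clock skew", SAMPLE_CLOCK_SKEW),
                         ("port mismatch", SAMPLE_PORT_MISMATCH),
                         ("reconnect", SAMPLE_RECONNECT)]:
        print(name, "->", triage(sample), reconnect_intervals(sample))
```

Run it against a client log saved from the OpenVPN GUI or from the CLI with `verb 3` or higher; the returned category names match the entries of this table, so each finding points directly at the troubleshooting method to apply.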