
Tips for Solving AWS Tiered License Issues

Abstract

Troubleshoot issues with AWS license for Access Server | OpenVPN guide.

This troubleshooting guide is for users who have purchased an AWS license for Access Server through AWS; this licensing model is purchased on Amazon AWS itself. If you're facing issues with your AWS license or tiered instance, the sections below help you verify your setup and troubleshoot common problems.

We offer several Access Server listings on the AWS Marketplace that are pre-licensed upon launch. For example, if you pick an instance with ten connections and launch it on Amazon AWS, ten connections are available immediately. The instance requires internet access for this automatic licensing, and you don't purchase any license keys.

If you purchase a set number of connections through an AWS license, but it only allows two connections, the subsections below address possible reasons and how to resolve the issues.

Fix security group issues

  1. Review your security groups.

    • A likely issue is that your security group on your instance is blocking access to the licensing servers, which prevents Access Server from checking to see if you're licensed. When blocked, Access Server returns to its automatic, built-in demonstration mode, which allows all functionality without a time limit, with only two concurrent connections at a time.

  2. To resolve this, ensure that your security group allows outbound access to the metadata service listed below and to at least one of the two static IP addresses (awspc3 or awspc4). AWS security groups are stateful, so inbound rules for these IPs are unnecessary; only outbound rules are required. Access Server's licensing system tries a specific licensing server first and moves on to the next one if that fails, in the order awspc3, then awspc2, then awspc4, then awspc1. If you unblock only awspc4, for example, it may take a few minutes after the server restarts before it picks up the license.

    • IP address 169.254.169.254, port 80: http://169.254.169.254/latest/meta-data/

    • These DNS names with wide dynamic IP ranges on port TCP 443:

      • awspc1.openvpn.net

      • awspc2.openvpn.net

    • These DNS names with static IP addresses on port TCP 443:

      • awspc3.openvpn.net, IP address: 107.191.99.82

      • awspc4.openvpn.net, IP address: 107.161.19.201

  3. Once you've granted access, the issue will be resolved when your server successfully contacts the licensing system and verifies the state of your tiered instance.
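The script below is an added example and not part of the OpenVPN guide. Run on the instance, it checks each path this section lists: a TCP connect to the metadata service on port 80, TCP 443 to awspc1 through awspc4, and, for the two static hosts, whether DNS resolves them to the addresses documented above. It then applies the guide's minimum rule (metadata service plus at least one of awspc3/awspc4). The endpoint names, IPs and ports come from the list above; the function names, timeout and report format are this example's own choices, and the resolver and connector are parameters so the logic can be exercised without network access.

```python
"""Outbound reachability check for the Access Server AWS licensing endpoints.

Added example (not the project's own code). Endpoint names, addresses and
ports are the ones listed in this guide; everything else is example design.
"""
import socket
from dataclasses import dataclass

METADATA_HOST = "169.254.169.254"       # instance metadata service, TCP 80
METADATA_PORT = 80
LICENSE_PORT = 443                      # every awspc* host is contacted on TCP 443
STATIC_LICENSE_IPS = {                  # static addresses from the guide
    "awspc3.openvpn.net": "107.191.99.82",
    "awspc4.openvpn.net": "107.161.19.201",
}
DYNAMIC_LICENSE_HOSTS = ("awspc1.openvpn.net", "awspc2.openvpn.net")
CONNECT_TIMEOUT = 5.0                   # seconds; chosen for this example


@dataclass
class CheckResult:
    target: str
    ok: bool
    detail: str


def check_dns(name, expected_ip, resolve=socket.gethostbyname):
    """Resolve a static licensing host and compare with the documented address.

    A lookup failure points at blocked outbound DNS; a mismatch usually means a
    wrong local hosts-file entry or resolver.
    """
    try:
        got = resolve(name)
    except OSError as exc:
        return CheckResult(name, False, f"DNS lookup failed: {exc}")
    if got != expected_ip:
        return CheckResult(name, False, f"resolved to {got}, guide lists {expected_ip}")
    return CheckResult(name, True, f"resolves to {got}")


def check_tcp(host, port, connect=socket.create_connection):
    """Open and immediately close a TCP connection; success means egress is allowed."""
    target = f"{host}:{port}"
    try:
        conn = connect((host, port), timeout=CONNECT_TIMEOUT)
    except OSError as exc:
        return CheckResult(target, False, f"connect failed: {exc}")
    conn.close()
    return CheckResult(target, True, "TCP connect succeeded")


def run_checks(resolve=socket.gethostbyname, connect=socket.create_connection):
    """Check every endpoint the guide lists: metadata, dynamic hosts, static hosts."""
    results = [check_tcp(METADATA_HOST, METADATA_PORT, connect)]
    for name in DYNAMIC_LICENSE_HOSTS:
        results.append(check_tcp(name, LICENSE_PORT, connect))
    for name, ip in STATIC_LICENSE_IPS.items():
        results.append(check_dns(name, ip, resolve))
        results.append(check_tcp(ip, LICENSE_PORT, connect))
    return results


def licensing_reachable(results):
    """Apply the guide's minimum: metadata service plus at least one static awspc host."""
    ok_targets = {r.target for r in results if r.ok}
    metadata_ok = f"{METADATA_HOST}:{METADATA_PORT}" in ok_targets
    static_ok = any(f"{ip}:{LICENSE_PORT}" in ok_targets
                    for ip in STATIC_LICENSE_IPS.values())
    return metadata_ok and static_ok


if __name__ == "__main__":
    report = run_checks()
    for r in report:
        print("OK  " if r.ok else "FAIL", r.target, "-", r.detail)
    print("minimum licensing path reachable:", licensing_reachable(report))
```

A FAIL on the metadata line or on both static addresses maps directly to an outbound rule missing from the security group or the instance's iptables; a DNS mismatch on awspc3/awspc4 while the raw IP connects fine points at the resolver rather than the network path.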

Check IPtables firewalls and security groups

If you have unblocked the above addresses and continue to experience problems, try temporarily unblocking everything on your particular system. To put it simply:

  1. Turn off anything that might block any type of connection.

  2. Check both iptables firewalls and security groups in Amazon.

  3. Reboot the system to ensure any transient issues are resolved.

Check for possible DNS issues

  1. Manually add the names awspc3.openvpn.net and awspc4.openvpn.net, with the IP addresses shown above, to the local hosts file (/etc/hosts on Linux) so the server resolves those names locally.

  2. Or, allow DNS requests to go out normally to your DNS server.

Tip

If you see this reported in the logs, it means your DNS settings have a problem:

2024-08-28 16:33:39+0000 [twisted.names.dns.DNSDatagramProtocol (UDP)]
AWS INFO: error in product code validation, will retry in 30 seconds:
<twisted.names.dns.Message instance at 0x7fed9370e950>:
aws/info:202 (twisted.names.error.DNSServerError)

Activate an AWS debug flag

Activating a special debug flag can help us further investigate problems with an AWS license for Access Server. By adding the flag, Access Server will log AWS-licensing information to the /var/log/openvpnas.log file, and any errors mentioned there may help us understand and fix what is wrong. This information also helps us if you reach out for support.

Refer to this tutorial and, specifically, the DEBUG_AWSINFO=1 flag:

Metadata server connection issue

If you've set the debug flag and see lines like these in /var/log/openvpnas.log, the metadata server is unreachable:

2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'doc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'sig': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'pc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS not detected
2024-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2024-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)

TLS error messages

If you encounter error messages mentioning "tlsv1 alert protocol version" or an SSL handshake failure, the cause is that the licensing APIs no longer support TLS 1.0 and TLS 1.1 connections. This relates to our security advisory: Important update for our Amazon AWS customers.

Upgrade your Access Server to 2.7.3 or newer to resolve the security issue. You can find more details in our support article:
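The log signatures quoted in the DNS tip, the metadata-server section and the TLS section above can be recognised mechanically. The script below is an added example, not code from the OpenVPN guide or from Access Server: it classifies lines from /var/log/openvpnas.log into the three failure classes this guide describes and maps each to the guide's remediation. The DNS and metadata patterns are taken from the excerpts above; the TLS pattern uses the two phrases the TLS section names. The sample log is constructed from the guide's excerpts, with the TLS line and the benign line invented for illustration and marked as such.

```python
"""Classify Access Server AWS-licensing log lines by the failure they indicate.

Added example (not the project's own code). Patterns come from the log
excerpts and error descriptions in this guide; SAMPLE_LOG is constructed.
"""
import re
import sys
from collections import Counter

# Order matters: the first matching signature wins.
SIGNATURES = (
    ("dns", re.compile(r"twisted\.names\.error\.DNSServerError")),
    ("metadata", re.compile(
        r"error getting instance (?:info|ID)|No route to host|AWS not detected")),
    ("tls", re.compile(r"tlsv1 alert protocol version|handshake failure", re.IGNORECASE)),
)

# Remediation taken from the corresponding sections of this guide.
NEXT_STEP = {
    "dns": "DNS problem: allow outbound DNS, or add awspc3/awspc4 with their "
           "static IPs to the local hosts file.",
    "metadata": "Metadata service unreachable: allow outbound TCP 80 to "
                "169.254.169.254 (security group and iptables).",
    "tls": "TLS 1.0/1.1 rejected by the licensing APIs: upgrade Access Server "
           "to 2.7.3 or newer.",
}


def classify_line(line):
    """Return 'dns', 'metadata', 'tls', or None for a single log line."""
    for label, pattern in SIGNATURES:
        if pattern.search(line):
            return label
    return None


def summarize(lines):
    """Count how many lines fall into each failure class."""
    counts = Counter()
    for line in lines:
        label = classify_line(line)
        if label is not None:
            counts[label] += 1
    return counts


def suggest(counts):
    """Recommended next steps, most frequent failure class first."""
    return [NEXT_STEP[label] for label, _ in counts.most_common()]


# Constructed sample: first seven lines follow the guide's excerpts, the TLS
# and benign lines are invented for this example.
SAMPLE_LOG = """\
2024-08-28 16:33:39+0000 [twisted.names.dns.DNSDatagramProtocol (UDP)] AWS INFO: error in product code validation, will retry in 30 seconds: <twisted.names.dns.Message instance at 0x7fed9370e950>: aws/info:202 (twisted.names.error.DNSServerError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'doc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'sig': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'pc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2024-10-04 19:32:30+0200 [Uninitialized] AWS not detected
2024-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2024-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2024-10-04 19:32:40+0200 [-] AWS INFO: error in product code validation, will retry in 30 seconds: SSL handshake failure: tlsv1 alert protocol version (constructed line)
2024-10-04 19:32:41+0200 [-] constructed benign line with no licensing error
"""


if __name__ == "__main__":
    # Read a real log when a path is given, otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    counts = summarize(lines)
    for label, n in counts.most_common():
        print(f"{label:9s} {n:4d}  {NEXT_STEP[label]}")
    if not counts:
        print("no known AWS licensing failure signatures found")
```

Run it as `python3 classify_aws_license_log.py /var/log/openvpnas.log` after enabling DEBUG_AWSINFO=1 (the filename is this example's choice); the most frequent class is the one to fix first, since a blocked metadata service masks everything downstream of it.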