Skip to main content

Offline Fixed License Activation for an Access Server Without Internet Access

If you're running Access Server on an offline system, it requires a different process for activation.

Refer to this tutorial:

If the activation fails, check these scenarios:

  • Verify the activation server can access our activation servers at licensing.openvpn.net or licserv.openvpn.net on port TCP 443. We keep the IP address static, so you can also allow 54.183.149.72 through a firewall if needed.

  • Check if recent maintenance on your production server has changed the hardware/software combination. This can cause the licensing system to believe it’s running on a different server than the one where the license key was activated.

  • If you’re using a virtual platform, moving the virtual machine from one hypervisor platform to another can cause the licensing system to see this hardware change and invalidate the license key.

  • If you replace the network interface card on your server, or perform a clean reinstall of your server operating system, this can cause the license key to become invalid.

  • If your operating system runs out of available memory, reboot the server. When there isn’t available memory, the licensing system is one of the first things to go.

You can use the command-line licensing manager program to view the current state of the licensing system. On the command line as the root user, use the commands below to see which license keys are on your system, which are having problems and why, and how many connections your server currently allows.

  1. View the license key files on your server's file system:

    ls -la /usr/local/openvpn_as/etc/licenses/
  2. Check the license manager tool to see problems and the allowed connections:

    /usr/local/openvpn_as/scripts/liman info

A sample output looks like this:

Manager: exception with license file /usr/local/openvpn_as/etc/licenses/ABCD-1234-EFGH-5678.lic:
machine properties validation failed: verify fail: ABCD-1234-EFGH-5678
[3:0:8]/mac=110/hd=000/cpu=110/pci=110/ino=110/iid=000 (LIC_VPROP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/IJKL-0912-MNOP-3456.lic:
license key ID is expired (LIC_KEY_EXP)
Manager: exception with license file /usr/local/openvpn_as/etc/licenses/QRST-7890-UVWX-1234.lic:
signature verification failed (LIC_VERIFY)
INFO {'apc': False, 'concurrent_connections': 20}

In the output above, the license key ABCD-1234-EFGH-5678 fails the machine properties validation. This means the system hardware specifics are no longer the same as when you activated the license. The system then considers this license key invalid and skips it.

The output above shows that the license key IJKL-0912-MNOP-3456 has expired. If you haven't renewed it, you can do so on our website or buy a new one.

In the output above, the last line shows that the server is registered for 20 simultaneous connections.

Error Messages

Resolutions

Fault 9000: "twisted.internet.error.DNSLookupError: DNS lookup failed: address 'licensing.openvpn.net' not found: [Errno -2] Name or service not known."

This error message is a DNS issue. This could be caused by not having DNS servers configured, or the ones configured are internal DNS servers that only handle an internal DNS zone. It could even be a temporary problem with the DNS server.

SESSION ERROR: SESSION: Your session has expired, please reauthenticate (9007)

This error message could be a DNS issue or an internet access issue.

Fault 9000: "OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]"

This error message occurs when the secure connection between your Access Server and our licensing server fails. A firewall or proxy system could intercept the traffic and present its SSL certificate. This won't match the certificate that the Access Server is expecting to see, so the certificate verification fails. Another possibility is that your server's time and date are off quite badly. The certificate we use on our licensing server is valid within specific dates, and if your server has an incorrect date set, verification fails. You must set the date correctly to resolve the problem.