Skip to main content

Tips for Solving Subscription License Key Issues

Abstract

Troubleshoot issues with an Access Server subscription license key | OpenVPN guide.

This troubleshooting guide is for users who have purchased a subscription license for Access Server. If you're facing issues with your subscription, this guide will help you verify your setup, activate your subscription, remove it if necessary, and troubleshoot common problems. Please note that this guide is specific to the subscription licensing model introduced in Access Server version 2.8.1 and above.

Before proceeding, ensure that you are using the correct licensing model. A subscription license is a long, flexible activation key that can be shared across multiple servers and requires an internet connection. It is distinct from other licensing models, such as a fixed license.

Example subscription license:

ThisIsAnExampleKeyVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUga2V5IGFuZCBpcyB0b3RhbGx5IGZha2UuIElmIHlvdSdyZSByZWFkaW5nIHRoaXMsIHlvdSd2ZSBqdXN0IGZvdW5kIGFuIGVhc3RlciBlZ2cgb24gdGhlIG9wZW52cG4ubmV0IHdlYnNpdGUsIGNvbmdyYXR1bGF0aW9ucy4gSSdtIHNvcnJ5LCBidXQgdGhlcmUgaXMgbm8gcHJpemUgYXR0YWNoZWQuIEhhdmUgYSBuaWNlIGRheS4=

Key Details:

  • Works with Access Server 2.8.1 and above.

  • Can be used across multiple servers.

  • Supports monthly or yearly subscription models.

  • Requires an active internet connection.

If your license key appears different, consult Troubleshooting Tips to determine which license key you're using.

To activate your subscription license from the command line:

  1. Connect to the console and get root privileges.

  2. Load your subscription by pasting it into this command:

    ./sacli -v "InsertTheSubscriptionActivationKeyHere" LoadSubscription
  3. Verify activation:

    ./sacli SubscriptionStatus

Important

  • Ensure Access Server is version 2.8.1 or higher.

  • The subscription model overrides other licensing modes.

  • Only one subscription can be active on a single Access Server.

To remove a subscription license from Access Server:

Using the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Configuration > Activation.

  3. Click Deactivate.

From the command line

  1. Connect to the console and get root privileges.

  2. Run this command to remove the subscription:

    ./sacli DeactivateSubscription

You can view information about the Access Servers activated with a specific subscription when you sign in to your Access Server Portal. Click Server Information and Email Settings. A hostname displays for the server, which you can change if desired:

Issue: Activation fails.

Resolution: This could be caused by an Access Server console that can't access the activation server or an invalid key format:

Activation server access

Ensure connectivity to the activation server (asb.sts.openvpn.net on TCP 443). You can check the connectivity and SSL certificate:

  1. Connect to your console and get root privileges.

  2. Run this command to verify connectivity and check SSL:

    echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
    
    • A successful connection and valid SSL certificate would give you an output similar to this:

      depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
      verify error:num=21:unable to verify the first certificate
      verify return:1
       0 s:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
         i:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
      subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
      issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
      DONE
    • If you have a different output, specifically with different values for ST, L, O, and CN, check for a firewall or proxy server blocking access. Ensure you add the activation server added to an allowlist.

    • If you see a connection timeout, connection failure, or connection refused, check for a firewall preventing access.

Invalid key format

  1. Ensure Access Server version 2.8.1 or higher.

  2. If the issue persists, verify the activation key was copied correctly.

Our support team uses debug flags as a helpful troubleshooting step.

  1. Enable the debug flag with DEBUG_SUBSCRIPTION=2 to start logging subscription information to openvpnas.log. This can help with more detailed troubleshooting.

  2. Refer to this tutorial for more: How To Use Debug Flags.