Tips for Solving Subscription License Key Issues
Troubleshoot issues with an Access Server subscription license key | OpenVPN guide.
This troubleshooting guide is for users who have purchased a subscription license for Access Server. If you're facing issues with your subscription, this guide will help you verify your setup, activate your subscription, remove it if necessary, and troubleshoot common problems. Please note that this guide is specific to the subscription licensing model introduced in Access Server version 2.8.1 and above.
Before proceeding, ensure that you are using the correct licensing model. A subscription license is a long, flexible activation key that can be shared across multiple servers and requires an internet connection. It is distinct from other licensing models, such as a fixed license.
Example subscription license:
ThisIsAnExampleKeyVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUga2V5IGFuZCBpcyB0b3RhbGx5IGZha2UuIElmIHlvdSdyZSByZWFkaW5nIHRoaXMsIHlvdSd2ZSBqdXN0IGZvdW5kIGFuIGVhc3RlciBlZ2cgb24gdGhlIG9wZW52cG4ubmV0IHdlYnNpdGUsIGNvbmdyYXR1bGF0aW9ucy4gSSdtIHNvcnJ5LCBidXQgdGhlcmUgaXMgbm8gcHJpemUgYXR0YWNoZWQuIEhhdmUgYSBuaWNlIGRheS4=
How to check the subscription status:
Connect to the console and get root privileges.
Verify the subscription:
./sacli SubscriptionStatus
Key Details:
Works with Access Server 2.8.1 and above.
Can be used across multiple servers.
Supports monthly or yearly subscription models.
Requires an active internet connection.
If your license key appears different, consult Troubleshooting Tips to determine which license key you're using.
Prerequisites for troubleshooting
Ensure you have these Linux Package Tools for troubleshooting:
For Ubuntu/Debian:
apt update && apt -y install dnsutils curl netcat
For RHEL:
dnf update && dnf -y install bind-utils curl nmap
Issues when trying to activate a subscription license key via Admin Web UI
This error may be displayed on the Configuration > Activation page in the Admin Web UI:
This error can happen due to the below reasons:
Issue: Access Server is version 2.8.1 or lower, and the subscription license isn't compatible.
Solution: Upgrade your Access Server. Refer to this tutorial: Update Your Access Server Version.
Issue: The Linux machine hosting your Access Server can't resolve DNS for asb.sts.openvpn.net.
Run this command to perform a DNS lookup with the domain name asb.sts.openvpn.net:
nslookup asb.sts.openvpn.net
If your Linux machine can't resolve the DNS for asb.sts.openvpn.net, an error like this displays:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net ;; Got SERVFAIL reply from 127.0.0.53 Server: 127.0.0.53 Address: 127.0.0.53#53 ** server can't find asb.sts.openvpn.net: SERVFAIL
An expected output should look like this:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: asb.sts.openvpn.net Address: 104.16.231.25 Name: asb.sts.openvpn.net Address: 104.16.232.25
Solution: Check the DNS servers configured on your Linux machine and update them if needed. Use a reliable DNS server to ensure proper name resolution:
Google DNS:
8.8.8.8Cloudflare DNS:
1.1.1.1Internal DNS server: Use an internal server that can perform DNS resolution correctly without interception or redirection.
Issue: The Linux machine hosting your Access Server can't communicate with asb.sts.openvpn.net on TCP port 443.
Use Netcat (nc) to check the connectivity to TCP port 443:
nc -z -v -w 5 asb.sts.openvpn.net 443
If your Linux machine can't communicate with asb.sts.openvpn.net on TCP port 443, the message displays that the connection times out:
root@ip-192-168-150-83:~# nc -z -v -w 5 asb.sts.openvpn.net 443 nc: connect to asb.sts.openvpn.net port 443 (tcp) timed out: Operation now in progress nc: connect to asb.sts.openvpn.net port 443 (tcp) timed out: Operation now in progress
An expected output should look like this:
Connection to asb.sts.openvpn.net 443 port [tcp/https] succeeded!
Solution: Check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking or redirecting the traffic to another side/path.
Issue: The SSL/TLS handshake is being blocked when the Linux instance hosting Access Server tries to connect to asb.sts.openvpn.net on TCP port 443.
Diagnose the SSL/TLS issues by checking the HTTPS connection and SSL certificate chain:
curl -vvk https://asb.sts.openvpn.net
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
If something's blocking the SSL/TLS handshake when the instance hosting your Access Server is trying to connect to asb.sts.openvpn.net on TCP port 443, one of these errors might display:
root@ip-192-168-150-83:~# curl -vvk https://asb.sts.openvpn.net curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to asb.sts.openvpn.net:443
root@ip-192-168-150-83:~# echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc" OpenSSL SSL_connect: Connection reset by peer in connection to asb.sts.openvpn.net:443
Solution: Check if any ISP, router, firewall, proxy, or NAT devices are blocking the SSL/TLS handshake.
Issue: The DNS servers on your Access Server's Linux machine are proxy DNS servers (e.g., Cisco Umbrella/OpenDNS) and may return incorrect IP addresses.
Proxy DNS servers, such as Cisco Umbrella/OpenDNS, may return incorrect IP addresses, causing subscription activation to fail.
Solution: Refer to this knowledge base article: Subscription activation failure due to proxy DNS server.
This error displays on the Configuration > Activation page in the Admin Web UI like this:
This error message may be displayed in two scenarios:
You're trying to apply the subscription license key.
The subscription key is already applied and working, but something happens that causes the subscription to fail.
Issue: The Linux machine hosting your Access Server can't resolve DNS for asb.sts.openvpn.net.
Run this command to perform a DNS lookup with the domain name asb.sts.openvpn.net:
nslookup asb.sts.openvpn.net
If your Linux machine can't resolve the DNS for asb.sts.openvpn.net, an error like this displays:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net ;; Got SERVFAIL reply from 127.0.0.53 Server: 127.0.0.53 Address: 127.0.0.53#53 ** server can't find asb.sts.openvpn.net: SERVFAIL
An expected output should look like this:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: asb.sts.openvpn.net Address: 104.16.231.25 Name: asb.sts.openvpn.net Address: 104.16.232.25
Solution: Check the DNS servers configured on your Linux machine and update them if needed. Use a reliable DNS server to ensure proper name resolution:
Google DNS:
8.8.8.8Cloudflare DNS:
1.1.1.1Internal DNS server: Use an internal server that can perform DNS resolution correctly without interception or redirection.
Issue: The Linux machine hosting your Access Server can't communicate with asb.sts.openvpn.net on TCP port 443.
Use Netcat (nc) to check the connectivity to TCP port 443:
nc -z -v -w 5 asb.sts.openvpn.net 443
If your Linux machine can't communicate with asb.sts.openvpn.net on TCP port 443, the message displays that the connection times out:
root@ip-192-168-150-83:~# nc -z -v -w 5 asb.sts.openvpn.net 443 nc: connect to asb.sts.openvpn.net port 443 (tcp) timed out: Operation now in progress nc: connect to asb.sts.openvpn.net port 443 (tcp) timed out: Operation now in progress
An expected output should look like this:
Connection to asb.sts.openvpn.net 443 port [tcp/https] succeeded!
Solution: Check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking or redirecting the traffic to another side/path.
Issue: The SSL/TLS handshake is being blocked when the Linux instance hosting Access Server tries to connect to asb.sts.openvpn.net on TCP port 443.
Diagnose the SSL/TLS issues by checking the HTTPS connection and SSL certificate chain:
curl -vvk https://asb.sts.openvpn.net
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
If something's blocking the SSL/TLS handshake when the instance hosting your Access Server is trying to connect to asb.sts.openvpn.net on TCP port 443, one of these errors might display:
root@ip-192-168-150-83:~# curl -vvk https://asb.sts.openvpn.net curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to asb.sts.openvpn.net:443
root@ip-192-168-150-83:~# echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc" OpenSSL SSL_connect: Connection reset by peer in connection to asb.sts.openvpn.net:443
Solution: Check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking or redirecting the traffic to another side/path.
Issue: The DNS servers on your Access Server's Linux machine are proxy DNS servers (e.g., Cisco Umbrella/OpenDNS) and may return incorrect IP addresses.
Proxy DNS servers, such as Cisco Umbrella/OpenDNS, may return incorrect IP addresses, causing subscription activation to fail.
Solution: Refer to this knowledge base article: Subscription activation failure due to proxy DNS server.
This error displays on the Configuration > Activation page in the Admin Web UI like this:
Issue: The Linux machine hosting your Access Server can't resolve DNS for asb.sts.openvpn.net.
Run this command to perform a DNS lookup with the domain name asb.sts.openvpn.net:
nslookup asb.sts.openvpn.net
If your Linux machine can't resolve the DNS for asb.sts.openvpn.net, an error like this displays:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net ;; Got SERVFAIL reply from 127.0.0.53 Server: 127.0.0.53 Address: 127.0.0.53#53 ** server can't find asb.sts.openvpn.net: SERVFAIL
An expected output should look like this:
root@ip-192-168-150-83:~# nslookup asb.sts.openvpn.net Server: 127.0.0.53 Address: 127.0.0.53#53 Non-authoritative answer: Name: asb.sts.openvpn.net Address: 104.16.231.25 Name: asb.sts.openvpn.net Address: 104.16.232.25
Solution: Check the DNS servers configured on your Linux machine and update them if needed. Use a reliable DNS server to ensure proper name resolution:
Google DNS:
8.8.8.8Cloudflare DNS:
1.1.1.1Internal DNS server: Use an internal server that can perform DNS resolution correctly without interception or redirection.
Issues when trying to activate a subscription license key via CLI
Issue: You encounter the error below:
Verifying subscription... Failed: [Failure instance: Traceback (failure with no frames): <class 'pyovpn.util.error.Passthru'>: japicli: E_RESOLVE HTTPCore Asio resolve_callback: Host not found (non-authoritative), try again later
This happens when the Linux machine hosting your Access Server can't resolve DNS for asb.sts.openvpn.net.
Solution:
Verify the DNS resolution with this command:
nslookup asb.sts.openvpn.net
Check the DNS servers configured on your Linux machine and update them if needed. Use a reliable DNS server to ensure proper name resolution:
Google DNS:
8.8.8.8Cloudflare DNS:
1.1.1.1Internal DNS server: Use an internal server that can perform DNS resolution correctly without interception or redirection.
This happens when the Linux machine hosting Access Server can't resolve DNS for asb.sts.openvpn.net OR this happens also when the Linux machine hosting Access Server can't communicate with asb.sts.openvpn.net on TCP port 443.
Verifying subscription... Failed: [Failure instance: Traceback (failure with no frames): <class 'pyovpn.util.error.Passthru'>: japicli: E_GENERAL_TIMEOUT General timeout
Solution: Verify the DNS resolution and TCP 443 connectivity with the below commands:
nslookup asb.sts.openvpn.net nc -z -v -w 5 asb.sts.openvpn.net 443
Depending on the issue, either check/change the DNS servers configured for your Linux machine OR check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking or redirecting the traffic to another side/path.
This happens when the Linux machine hosting Access Server can't communicate with asb.sts.openvpn.net on TCP port 443.
Verifying subscription... Failed: [Failure instance: Traceback (failure with no frames): <class 'pyovpn.util.error.Passthru'>: japicli: E_CONNECT HTTPCore Asio handle_tcp_connect: Connection refused"
Solution: Verify TCP 443 connectivity with the below command:
nc -z -v -w 5 asb.sts.openvpn.net 443
Check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking or redirecting the traffic to another side/path.
This happens when the SSL/TLS handshake is being blocked when the instance hosting Access Server tries to connect to asb.sts.openvpn.net on TCP port 443.
Verifying subscription... Failed: [Failure instance: Traceback (failure with no frames): <class 'pyovpn.util.error.Passthru'>: japicli: E_EXCEPTION HTTPCore Exception tcp_read_handler: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2048 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Solution: Verify the SSL/TLS handshake while the Linux machine hosting Access Server is trying to communicate with asb.sts.openvpn.net on TCP port 443 with the below commands:
curl -vvk https://asb.sts.openvpn.net
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
Check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking the SSL/TLS handshake.
This happens when the SSL/TLS handshake is blocked when the instance hosting Access Server tries to connect to asb.sts.openvpn.net on TCP port 443 OR when a proxy DNS server (e.g., Cisco Umbrella/OpenDNS) intercepts the connection with asb.sts.openvpn.net.
Verifying subscription... Failed: [Failure instance: Traceback (failure with no frames): <class 'pyovpn.util.error.Passthru'>: japicli: E_EXCEPTION HTTPCore Exception tcp_read_handler: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2048 status=-1: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
Solution: Verify the SSL/TLS handshake while the Linux machine hosting Access Server is trying to communicate with asb.sts.openvpn.net on TCP port 443 with the below commands:
curl -vvk https://asb.sts.openvpn.net
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
Depending on the issue, check if any security groups, NACLs, route tables, proxy, NAT gateways, ISPs, or external firewalls are blocking the SSL/TLS handshake OR if there's a proxy DNS server such as Cisco Umbrella (OpenDNS), refer to this knowledgebase article: Subscription activation failure due to proxy DNS server.
You can view information about the Access Servers activated with a specific subscription when you sign in to your Access Server Portal. Click Server Information and Email Settings. A hostname displays for the server, which you can change if desired:
Additional troubleshooting tips
Our support team uses debug flags as a helpful troubleshooting step.
Enable the debug flag with DEBUG_SUBSCRIPTION=2 to start logging subscription information to openvpnas.log. This can help with more detailed troubleshooting.
Refer to this tutorial for more: How To Use Debug Flags.