Troubleshooting guide for Access Server AWS tiered instance licensing

Introduction

We provide tips here for troubleshooting issues with AWS-tiered instances of Access Server. You launch these AMIs through the AWS Marketplace, pre-licensed with a set number of connections. They use AWS licenses, and you pay for the connections with your AWS billing.

Confirm you're using AWS tiered instances

This guide is for troubleshooting Access Server licensing issues using an AWS license. You purchase this licensing model on Amazon AWS.

We offer several Access Server AMIs on the AWS Marketplace that are pre-licensed upon launch. For example, if you pick an instance that includes ten connections and launch it on Amazon AWS, it has ten connections available immediately. The instance requires internet access for this automatic licensing; you don't purchase any activation keys.

For other Access Server licenses — subscription license, fixed license, or unlicensed — refer to our software licensing troubleshooting page to determine which activation method you're using.

Purchased instance only allows two connections

If you purchase a set number of connections using the Amazon AWS tiered instance licensing model, but it only allows two connections, the subsections below address possible reasons and how to resolve the issues.

Fix security group issue

Review your security groups. A likely cause is a security group on your instance that blocks access to the licensing servers, which prevents Access Server from checking whether you're licensed. When blocked, Access Server falls back to its automatic, built-in demonstration mode, which allows all functionality with no time limit but only two concurrent connections.

To resolve this, allow access to the metadata system listed below and to at least one of the two static IP addresses (awspc3 or awspc4). Access Server's licensing system tries the licensing servers in a fixed order, moving on to the next only if the previous one fails: awspc3, then awspc2, then awspc4, then awspc1. So if you unblock only awspc4, for example, it may take a few minutes after the server restarts before it picks up the license.

  • IP address 169.254.169.254, port 80: http://169.254.169.254/latest/meta-data/
  • These DNS names with wide dynamic IP ranges on port TCP 443:
    awspc1.openvpn.net
    awspc2.openvpn.net
  • These DNS names with static IP addresses on port TCP 443:
    awspc3.openvpn.net, IP address: 107.191.99.82
    awspc4.openvpn.net, IP address: 107.161.19.201

Once you've granted access, the issue resolves when your server successfully contacts the licensing system and verifies the state of your tiered instance.

Check IPtables firewalls and security groups

If you have unblocked the above addresses and continue to experience problems, try temporarily unblocking everything on your particular system. To put it simply: turn off anything that might block any type of connection.

Check both iptables firewalls and security groups in Amazon; both can block traffic. And, of course, reboot the system to be sure any transient issues are resolved. If you still encounter problems, contact us with as many details as you can provide so we can help investigate.

Check for possible DNS issues

Blocked DNS can also cause this problem. You can work around it by adding entries for awspc3.openvpn.net and awspc4.openvpn.net, with the IP addresses shown above, to the local hosts file so those names resolve locally. Or you can allow DNS requests to go out normally to your DNS server.
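As an added example (not code from this guide or from OpenVPN), the following script checks the connectivity requirements from this section and the security group section above: it resolves and probes the metadata server and each licensing server in the order Access Server tries them, and emits the hosts-file lines for the two static addresses. It assumes bash (for /dev/tcp), coreutils `timeout` and `getent` are present on the instance; the `--check` flag and all function names are its own.

```shell
#!/bin/sh
# Added example, not from the OpenVPN guide: probe every endpoint the AWS tiered
# licensing check needs, in the try order the guide gives, and report which one a
# security group, iptables rule or DNS block stops. Assumes bash (for /dev/tcp),
# coreutils timeout and getent are present on the instance.

# "HOST PORT" pairs: metadata server first, then the licensing servers in the
# order the guide says Access Server tries them (awspc3, 2, 4, 1).
licensing_endpoints() {
  printf '%s\n' '169.254.169.254 80' 'awspc3.openvpn.net 443' \
    'awspc2.openvpn.net 443' 'awspc4.openvpn.net 443' 'awspc1.openvpn.net 443'
}
# /etc/hosts lines for the two static-IP servers (addresses from the guide), the
# workaround the guide gives when outbound DNS is blocked.
hosts_file_lines() {
  printf '%s\n' '107.191.99.82 awspc3.openvpn.net' '107.161.19.201 awspc4.openvpn.net'
}
# Resolve via the system resolver so /etc/hosts entries count too; a bare IP
# passes straight through. Prints one address, or nothing on failure.
resolve_name() {
  case $1 in
    *[!0-9.]*) getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }' ;;
    *)         printf '%s\n' "$1" ;;
  esac
}
# TCP reachability without netcat or curl: bash's /dev/tcp with a 5 s limit.
probe_tcp() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
# Exit 0 only when the metadata server and at least one licensing server answer,
# the minimum the guide says the license check needs.
check_all() {
  meta_ok=1 lic_ok=0
  while read -r host port; do
    addr=$(resolve_name "$host")
    if [ -z "$addr" ]; then
      printf 'FAIL %s:%s  does not resolve (DNS blocked? see hosts_file_lines)\n' "$host" "$port"
    elif probe_tcp "$addr" "$port"; then
      printf 'ok   %s:%s  via %s\n' "$host" "$port" "$addr"
      if [ "$port" = 80 ]; then meta_ok=0; else lic_ok=$((lic_ok + 1)); fi
    else
      printf 'FAIL %s:%s  resolves to %s but TCP connect is blocked\n' "$host" "$port" "$addr"
    fi
  done <<EOF
$(licensing_endpoints)
EOF
  [ "$meta_ok" = 0 ] && [ "$lic_ok" -ge 1 ]
}
# Probe only when asked, so the file can be sourced for its helpers.
if [ "${1-}" = --check ]; then check_all || exit 1; fi
```

Run it on the instance as `sh <file> --check`: an endpoint that resolves but cannot connect is a security group or iptables block, and one that fails to resolve is the DNS case above.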

If you see this reported in the logs, it means your DNS settings have a problem:

2018-08-28 16:33:39+0000 [twisted.names.dns.DNSDatagramProtocol (UDP)] AWS INFO: error in product code validation, will retry in 30 seconds: <twisted.names.dns.Message instance at 0x7fed9370e950>: aws/info:202 (twisted.names.error.DNSServerError)

Activate an AWS debug flag

To further investigate problems with an AWS license for Access Server, it can help to activate a special debug flag. By adding the flag, Access Server will log AWS-licensing information to the /var/log/openvpnas.log file, and any errors mentioned there may aid in understanding and fixing what is wrong. This information also helps us if you reach out to support.

To enable debugging, follow the steps below.

  1. Open as.conf in the nano text editor:
    nano /usr/local/openvpn_as/etc/as.conf
  2. Go to the bottom of the file and add this line:
    DEBUG_AWSINFO=1
  3. Save your changes (Ctrl+O, Enter, Ctrl+X in nano).
  4. Restart the Access Server service so the change takes effect:
    service openvpnas restart
  5. After the restart, run this command to filter the log file for the words "AWS INFO":
    grep -i "AWS INFO" /var/log/openvpnas.log

You should see a fair amount of debug information.

Metadata server

If you see lines like these in /var/log/openvpnas.log, the metadata server was unreachable:

2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'doc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'sig': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'pc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS not detected
2017-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2017-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)

TLS error messages

If you encounter error messages about tlsv1 alert protocol version and ssl handshake failure, this is because the licensing APIs no longer support TLS 1.0 and TLS 1.1 connections. This relates to our security advisory: Important update for our Amazon AWS customers.

Refer to our detailed support article on steps to check whether this affects your AMI and then upgrade your Access Server to 2.7.3 or newer to resolve the security issue.

If you see different errors, you can attempt to make sense of them yourself or send them to us on the support ticket system so we can analyze them for you.
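As an added example (not code from this guide or from OpenVPN), this script triages the AWS INFO lines that the DEBUG_AWSINFO=1 flag writes to /var/log/openvpnas.log, classifying each log pattern shown above (the metadata server "No route to host" lines, the DNS error, and the TLS alert strings) to the cause and the section of this guide that addresses it. The category names, hint text and the TLS sample line are constructed; the other sample lines are the excerpts quoted above.

```shell
#!/bin/sh
# Added example, not from the OpenVPN guide: triage the "AWS INFO" lines that
# DEBUG_AWSINFO=1 writes to /var/log/openvpnas.log, mapping each error pattern the
# guide documents to the cause and the section that fixes it. The sample lines are
# constructed from the guide's own excerpts so the script also runs offline.

LOG=${1:-/var/log/openvpnas.log}

# One category token (before the colon) per line, then a hint. Match strings are
# the literal fragments quoted in the guide; any other AWS INFO error is "other".
classify_line() {
  case $1 in
    *"No route to host"*|*"AWS not detected"*)
      echo 'metadata-unreachable: 169.254.169.254:80 blocked, check security group and iptables' ;;
    *DNSServerError*)
      echo 'dns: awspc*.openvpn.net not resolving, allow DNS or add the hosts file entries' ;;
    *"tlsv1 alert protocol version"*|*"ssl handshake failure"*)
      echo 'tls: licensing API rejects TLS 1.0/1.1, upgrade Access Server to 2.7.3 or newer' ;;
    *"AWS INFO: error"*)
      echo 'other: unrecognised licensing error, include it in a support ticket' ;;
  esac
}

# Count occurrences per category over the licensing-related lines of a log file
# ("-" reads stdin). Output: "<count> <category>" per category seen.
triage_log() {
  grep -E 'AWS INFO|AWS not detected' -- "$1" | while IFS= read -r line; do
    classify_line "$line"
  done | cut -d: -f1 | sort | uniq -c | sed 's/^ *//'
}

# Most frequent category, the place to start in the guide.
top_cause() {
  triage_log "$1" | sort -rn | awk 'NR == 1 { print $2 }'
}

# Constructed sample: lines 1-4 are the guide's excerpts (the DNS entry folded onto
# one line); line 5 is constructed from the TLS phrases the guide quotes.
SAMPLE_LOG="2017-10-04 19:32:30+0200 [Uninitialized] AWS INFO: error getting instance info 'doc': : An error occurred while connecting: 113: No route to host. (twisted.internet.error.ConnectError)
2017-10-04 19:32:30+0200 [Uninitialized] AWS not detected
2017-10-04 19:32:33+0200 [-] AWS INFO: error getting instance ID: 'NoneType' object has no attribute '__getitem__': aws/info:271 (exceptions.TypeError)
2018-08-28 16:33:39+0000 [twisted.names.dns.DNSDatagramProtocol (UDP)] AWS INFO: error in product code validation, will retry in 30 seconds: <twisted.names.dns.Message instance at 0x7fed9370e950>: aws/info:202 (twisted.names.error.DNSServerError)
2019-01-01 00:00:00+0000 [-] AWS INFO: error in product code validation, will retry in 30 seconds: tlsv1 alert protocol version (ssl handshake failure)"

# Stand-alone run: use the real log when readable, otherwise the sample above.
if [ -r "$LOG" ]; then triage_log "$LOG"; else printf '%s\n' "$SAMPLE_LOG" | triage_log -; fi
```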

Switching to a different license

Suppose you have a mandatory company policy that disallows any external contact with the above licensing addresses. In that case, the tiered instances are not suitable because they require access to at least the metadata server and a licensing server. You may need to switch to a different license type.

Refer to our FAQ: Which licensing models are available for Access Server?