
Subscription troubleshooting

This document can help you troubleshoot issues with subscriptions. You can also create a support ticket.

Determine the licensing method in use

To resolve an issue with the software licensing, you need to know which licensing method you are using so you can follow the correct procedure for activation and troubleshooting.

To determine your type of key:

  1. Sign into your Admin Web UI.

  2. Click Configuration > Activation.

  3. Take note of your activation key. A subscription key is a long string. A fixed license key is written in groups of four characters. An AWS tiered license is provided through AWS. An unlicensed server allows just two connections.

Example 3. Example of Subscription key
ThisIsAnExampleKeyVGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUga2V5IGFuZCBpcyB0b3RhbGx5IGZha2UuIElmIHlvdSdyZSByZWFkaW5nIHRoaXMsIHlvdSd2ZSBqdXN0IGZvdW5kIGFuIGVhc3RlciBlZ2cgb24gdGhlIG9wZW52cG4ubmV0IHdlYnNpdGUsIGNvbmdyYXR1bGF0aW9ucy4gSSdtIHNvcnJ5LCBidXQgdGhlcmUgaXMgbm8gcHJpemUgYXR0YWNoZWQuIEhhdmUgYSBuaWNlIGRheS4=


Example 4. Example of fixed license key

#THI-SISA-NEXA-MPLE



Resolving common issues

1. Why does subscription fail to activate?

First, check your Access Server version. Subscription fails if your OpenVPN Access Server is older than version 2.8.1. We introduced the subscription function in version 2.8.1. You must upgrade your Access Server to use subscriptions.

Next, ensure your server can access our activation server at asb.sts.openvpn.net. For more information, refer to the detailed troubleshooting section.

2. Why isn’t there an activation key option in the Admin Web UI?

If you don’t have the option to enter an activation key on the Activation page for your Access Server, it could be that the license is through another software licensing method. Contact support, and we’ll help you determine the best course of action.

3. Why am I still getting billed for a license?

It’s important to note that an active subscription on your Access Server overrides other licensing models. Other modes are suppressed when a subscription is active. However, that doesn’t mean the billing is suspended.

4. How do I activate another subscription?

You can only activate one subscription on an Access Server. You can have multiple Access Servers on the same subscription, but you can’t have multiple subscriptions on the same Access Server.

5. How can I change the hostname that displays in the subscription portal?

Sign into your account on our site to view information about your subscriptions and activated Access Servers. Click on the subscription name, then Access Server information. Refer to the detailed steps in the hostname subsection below.

6. Why did I get an “invalid key format”?

The most common reason for this error message is when you attempt to activate a subscription on an older version of Access Server. Ensure you have 2.8.1 or newer. If you are on an older version, upgrade your Access Server.

7. Is there a debug flag I can use to log subscription information?

Our support team uses debug flags as a helpful troubleshooting tool. You can use the debug flag DEBUG_SUBSCRIPTION=2 to start logging subscription information to openvpnas.log. Refer to the Logging and Debug Flag documentation for more information.

Caution

Adding a debug flag can increase the amount of logged data and, therefore, the log file size.

8. Why can’t I switch my license key to a new server?

If you’re using a fixed license, the key is locked to the hardware/software of your system. Trying to activate the license key on another installation can cause the key to no longer function. In that case, contact support for assistance.

9. Why is my fixed license key no longer listed on my Access Server?

If your fixed license key expires, it may disappear from the overview of licenses on your OpenVPN Access Server. This is normal behavior when a key expires. It no longer unlocks additional connections on your Access Server.

10. How can I add more connections to my fixed license key?

With a fixed license key, you can’t add or remove connections. This differs from our subscription licenses, in which you can adjust the connections you pay for as needed. To change the connections on an Access Server with a fixed license key, you must purchase another license. Fixed license keys are fixed in size and purchased for the specific number of connections. You can increase the licensed amount on your Access Server by purchasing and adding more fixed license keys. When you activate multiple fixed license keys on your server, they add up to their total amount of allowed connections.

11. How can I remove a fixed license key from my Access Server?

You can remove a fixed license key, such as an inactive key, from your file system. The following command removes the license key “#EXA-MPLE-LICE-NSE#”:

    rm /usr/local/openvpn_as/etc/licenses/#EXA-MPLE-LICE-NSE#.lic

Important

You can only activate a fixed license key once. You can’t “unactivate” a fixed license key. Removing it from your Access Server doesn’t make it available for another server. If you need to activate a valid license key on another server, contact support for help.

12. How can I change the order the VPN clients get connected when we go over our limit?

The software subscription licensing model allows more VPN clients to be connected than your subscription amount. For example, if you activate your subscription on multiple Access Servers, the number of connections across the servers could exceed your limit. When that happens, our licensing system disconnects as many users as necessary to keep your subscription within your purchased limit.

On Access Server 2.8.6 and newer, you can disconnect the most recent or the oldest connections first. By default, the most recent or newest connections get disconnected first. You can change this on the command line with these commands (run all commands as root user in the /usr/local/openvpn_as/scripts/ directory):

  1. Disconnect the most recent or newest VPN connections (default):

    ./sacli --key "subscription.enforcement_order" --value "newest" ConfigPut
    service openvpnas restart
  2. Disconnect the oldest VPN connections:

    ./sacli --key "subscription.enforcement_order" --value "oldest" ConfigPut
    service openvpnas restart
  3. Reset to the default value (newest):

    ./sacli --key "subscription.enforcement_order" ConfigDel
    service openvpnas restart

13. What does this log message mean? “Subscription: enforcement_order is not set. Will disconnect newest subscription clients.”

This message means that the subscription.enforcement_order is not explicitly defined, the number of concurrent connections exceeds your subscription limit, and the newest connections are dropped first.

The subscription.enforcement_order message is expected behavior, and you can either ignore it or choose to set the subscription enforcement order. You can configure our licensing system to disconnect clients exceeding the limit in one of two ways: starting with the newest connections or starting with the oldest. To do this manually, use one of the sacli commands above and define the subscription.enforcement_order as either “newest” or “oldest”.

14. How can I configure a local connection limit?

You can share a subscription with multiple Access Servers, and the connections across the servers add up to the limit of your subscription. You can also limit an individual Access Server to a specific amount of allowed VPN connections by introducing a local limit. By default, the local limit is whatever the subscription allows. To specify a lower amount per Access Server, use the command below, replacing NUMBER_OF_CONNECTIONS with the desired maximum connections for the server.

  • Configure a local limit in subscription mode:

    ./sacli --key "subscription.local_cc_limit" --value "<NUMBER_OF_CONNECTIONS>" ConfigPut
    service openvpnas restart
  • Remove the limit:

    ./sacli --key "subscription.local_cc_limit" ConfigDel
    service openvpnas restart

Change hostname that displays in subscription portal

The Access Server reports its hostname to our subscription server, which you can view in our billing portal. You can set the display name if you prefer, customizing it to differentiate it from other servers. This is not required, but it is a helpful, “cosmetic” step you may take to identify your servers, as seen in the Access Server Information for your subscription.

Before making these changes, it would be good to answer a few questions:

  • Is there any other software running on your Linux server that would be negatively affected by a hostname change?

  • Is there a policy within your company for server naming, where this may affect an already assigned DNS name for the machine? (If yes, verify the local DNS setup on the machine is correct and if Access Server should have picked up the assigned hostname already.)

If you can answer no to both questions, follow these next steps. Not all distributions have the hostnamectl command. For older systems, such as Ubuntu 16, you must edit /etc/hosts and possibly /etc/hostname.

We tested these instructions with Ubuntu 20.

  1. Set the hostname:

    hostnamectl set-hostname [put-your-desired-hostname-here]
  2. Ensure the hostname is set up correctly:

    hostname
  3. Restart Access Server:

    service openvpnas restart

To view the hostname in your billing portal:

  1. Sign into your Access Server account.

  2. In Subscriptions, click on the name of your subscription.

  3. From the Subscription Details page, click on Access Server Information.

  4. The hostname of the servers with this activated subscription is displayed under Hostname.

Activation fails

If the activation fails, ensure that access to our activation server at asb.sts.openvpn.net is possible. Access Server uses TCP port 443 to contact that server. If contact isn’t possible because you are behind a proxy server or without internet access, then you can’t use the subscription licensing method. The subscription licensing method specifically doesn’t support working behind a proxy server. It must have a direct connection to asb.sts.openvpn.net on TCP port 443.

You can try to verify connectivity and check the SSL certificate presented:

    echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"

If you get an output similar to this, the connection should be okay:

    depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
     0 s:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
       i:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
    subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
    issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
    DONE

If the output you see is quite different, with different values for ST, L, O, and CN, then you have some firewall or proxy server in the way, interfering with the traffic to our activation servers. If so, allow this address through your firewall systems. If you see a connection timeout, connection failure, or connection refused, you should investigate why the connection is not possible at all, as it will again most likely be a firewall on your end.
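
The manual comparison described above can be scripted. The following is an added example, not part of the original documentation or of Access Server: it sorts the probe output into the three outcomes the text describes (expected certificate, a different certificate from a firewall or proxy, no connection). The function names and the sample inputs are constructed for illustration; the check compares names only, as the manual check does, and does not validate the certificate chain.

```shell
#!/bin/sh
# Added example. Expected names are copied from the sample output on this page.
EXPECTED_SUBJECT_CN='*.sts.openvpn.net'
EXPECTED_ISSUER_CN='STS Master CA'
EXPECTED_ORG='OpenVPN Inc.'

# rdn LINE NAME: print attribute NAME (e.g. CN) from a subject=/issuer= line.
# Accepts "O = X, CN = Y", "O=X, CN=Y" and the legacy "/O=X/CN=Y" layouts.
rdn() {
    printf '%s\n' "$1" |
        sed -e 's/^[a-z]*=//' -e 's/ *= */=/g' -e 's#^/##' |
        tr '/,' '\n\n' | sed -e 's/^ *//' |
        awk -F= -v n="$2" '$1 == n { print substr($0, length(n) + 2); exit }'
}

# classify_probe TEXT: TEXT is the combined stdout+stderr of the s_client probe.
# Prints one of: ok | intercepted | unreachable
classify_probe() {
    subject=$(printf '%s\n' "$1" | grep '^subject=' | head -n 1)
    issuer=$(printf '%s\n' "$1" | grep '^issuer=' | head -n 1)
    if [ -z "$subject" ] || [ -z "$issuer" ]; then
        echo unreachable        # no certificate was presented at all
    elif [ "$(rdn "$subject" CN)" = "$EXPECTED_SUBJECT_CN" ] &&
         [ "$(rdn "$subject" O)" = "$EXPECTED_ORG" ] &&
         [ "$(rdn "$issuer" CN)" = "$EXPECTED_ISSUER_CN" ]; then
        echo ok
    else
        echo intercepted        # some other certificate answered on port 443
    fi
}

# Constructed sample inputs (SAMPLE_OK mirrors the output shown on this page).
SAMPLE_OK='subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
DONE'
SAMPLE_PROXY='subject=C = XX, O = Example Corp, CN = proxy.example.internal
issuer=C = XX, O = Example Corp, CN = Example Inspection CA
DONE'
SAMPLE_DOWN='connect: Connection refused
connect:errno=111'

for s in "$SAMPLE_OK" "$SAMPLE_PROXY" "$SAMPLE_DOWN"; do classify_probe "$s"; done
```

To classify a live probe, pass the unfiltered output of the command above, for example `classify_probe "$(echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net 2>&1)"`.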