Issue description:
To activate your Access Server subscription license, the following conditions must be met:
- The Linux machine hosting Access Server can resolve the DNS name asb.sts.openvpn.net.
- Access Server can connect to asb.sts.openvpn.net on TCP port 443.
Sometimes the DNS servers configured on the Linux machine hosting Access Server are filtering or proxy DNS services such as Cisco Umbrella (OpenDNS). Instead of the real address of asb.sts.openvpn.net, such a service may answer with the address of its own proxy. The TLS connection then terminates at that proxy, which presents a certificate that is not issued by OpenVPN Inc., and subscription activation fails.
Identifying the issue:
You can check both the DNS resolution and the certificate chain presented for asb.sts.openvpn.net with the following command:
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
Expected output: When DNS resolution is working correctly, the output looks similar to the following. The subject= and issuer= lines name OpenVPN Inc., and the certificate is issued by OpenVPN's own STS Master CA. The "unable to get local issuer certificate" verify error is expected here and does not indicate a problem: the STS Master CA is a private CA that is not in the system's trust store. Note that grep only filters what s_client writes to stdout; the depth= and verify lines are written to stderr and appear regardless of the filter.
root@openvpn-access-server:~# echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=21:unable to verify the first certificate
verify return:1
0 s:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
i:C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
DONE
Problematic output: If the DNS service is intercepting the name (for example, Cisco Umbrella), the connection is answered by the service's proxy rather than by OpenVPN's server, and the output resembles this:
root@openvpn-access-server:~# echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = asb.sts.openvpn.net
verify return:1
DONE
If you see the second output, where the chain is issued under Cisco Umbrella's CA, the leaf certificate names "OpenDNS, Inc." and no subject= or issuer= line matches "OpenVPN Inc", DNS interception by Cisco Umbrella (or a similar service) is the likely cause of the subscription activation failure.
Issue resolution:
After you've determined that the DNS servers are intercepting the name, follow these steps to resolve the subscription activation issue:
- Change the DNS servers on the Linux machine hosting Access Server to a resolver that does not intercept, such as:
- Google DNS: 8.8.8.8
- Cloudflare DNS: 1.1.1.1
- Internal DNS server: an internal resolver that returns the real addresses without interception.
Keep in mind that pointing the machine at a public resolver also bypasses any DNS filtering your organization applies through the intercepting service; if the interception is intentional policy, ask the service's administrator to exempt asb.sts.openvpn.net instead of replacing the resolver.
- After updating the DNS servers, confirm that asb.sts.openvpn.net resolves correctly by running the same command:
echo quit | openssl s_client -showcerts -connect asb.sts.openvpn.net:443 -servername asb.sts.openvpn.net | grep "OpenVPN Inc"
- Ensure the output matches the Expected Output section above, with subject= and issuer= lines naming OpenVPN Inc.
- Attempt to activate your Access Server subscription license again.
- If the issue persists, double-check the DNS configuration (for example, whether /etc/resolv.conf still lists the intercepting resolver) and consider switching to another DNS server.
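The identification check and the post-change verification above can be combined into one script. The following is an added example written for this article, not OpenVPN's own tooling: it merges s_client's stderr into the output so the depth= lines are classified as well, compares the system resolver's answer with a reference resolver (1.1.1.1 here, an assumption; any resolver without interception works), and prints a verdict. The issuer strings it matches on are taken from the two sample outputs above; the embedded samples are constructed, abridged copies of those outputs so the classifier can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from OpenVPN's documentation): automate the checks from this
# article. Issuer patterns come from the article's sample output; the reference
# resolver is an assumption.
set -u

STS_HOST="asb.sts.openvpn.net"
REFERENCE_RESOLVER="1.1.1.1"   # assumed reference resolver without interception

# Fetch the TLS chain. stderr is merged so the depth=/verify lines, which
# s_client writes to stderr and a plain grep would not filter, are classified too.
fetch_chain() {
  echo quit | openssl s_client -showcerts -connect "$1:443" -servername "$1" 2>&1
}

# classify_chain reads s_client output on stdin and prints one verdict:
#   ok          leaf certificate issued by OpenVPN Inc. (STS Master CA)
#   intercepted a Cisco Umbrella / OpenDNS certificate appears in the chain
#   unknown     neither pattern matched (connection failure, another proxy, ...)
classify_chain() {
  local out
  out=$(cat)
  if printf '%s\n' "$out" | grep -Eq 'Cisco Umbrella|OpenDNS'; then
    echo intercepted
  elif printf '%s\n' "$out" | grep -Eq '^issuer=.*OpenVPN Inc'; then
    echo ok
  else
    echo unknown
  fi
}

# same_addresses compares two newline-separated address lists as sets and
# returns 0 when they are identical. A difference is only a hint: a CDN-fronted
# name may legitimately answer differently per resolver, so the chain decides.
same_addresses() {
  [ "$(printf '%s\n' "$1" | sort -u)" = "$(printf '%s\n' "$2" | sort -u)" ]
}

# live_check resolves the host via the system resolver and the reference
# resolver, then classifies the chain actually served. Needs network, getent, dig.
live_check() {
  local sys ref verdict
  sys=$(getent ahostsv4 "$STS_HOST" | awk '{print $1}' | sort -u)
  ref=$(dig +short A "$STS_HOST" "@$REFERENCE_RESOLVER" | grep -E '^[0-9.]+$' | sort -u)
  if ! same_addresses "$sys" "$ref"; then
    echo "warning: system resolver and $REFERENCE_RESOLVER disagree on $STS_HOST"
    printf '  system:    %s\n  reference: %s\n' \
      "$(echo "$sys" | tr '\n' ' ')" "$(echo "$ref" | tr '\n' ' ')"
  fi
  verdict=$(fetch_chain "$STS_HOST" | classify_chain)
  echo "chain verdict: $verdict"
  [ "$verdict" = ok ]
}

# Constructed samples, abridged from the article's two outputs, for offline use.
SAMPLE_OK='depth=0 C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
verify error:num=20:unable to get local issuer certificate
subject=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = *.sts.openvpn.net
issuer=C = US, ST = California, L = Pleasanton, O = OpenVPN Inc., CN = STS Master CA
DONE'

SAMPLE_INTERCEPTED='depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
depth=1 O = Cisco, CN = Cisco Umbrella Secondary SubCA nyc-SG
depth=0 C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = asb.sts.openvpn.net
DONE'

SAMPLE_UNREACHABLE='connect: Connection refused
connect:errno=111'

if [ "${1:-}" = "--live" ]; then
  live_check
else
  echo "sample (clean):       $(printf '%s\n' "$SAMPLE_OK" | classify_chain)"
  echo "sample (intercepted): $(printf '%s\n' "$SAMPLE_INTERCEPTED" | classify_chain)"
  echo "sample (unreachable): $(printf '%s\n' "$SAMPLE_UNREACHABLE" | classify_chain)"
  echo "run with --live to test this host's resolver and the chain it is served"
fi
```

Run it with `--live` on the Access Server machine before and after changing the resolver: the script exits non-zero unless the chain served for asb.sts.openvpn.net is issued by OpenVPN Inc., so it can also be used in a provisioning check. The resolver comparison is deliberately only a warning, since the certificate chain, not the address, is what proves the connection reaches OpenVPN's server.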
If you have additional questions, please submit a ticket.