If an OpenVPN Access Server using the Amazon AWS tiered instance licensing model reports that it is licensed for only 2 connections, even though you launched an instance for “xx connected devices”, the most likely explanation is that a security group on the instance is blocking access to the licensing servers. When that happens, Access Server cannot verify that you are licensed and falls back to its automatic built-in demonstration mode, which allows all functionality without a time limit but only 2 simultaneous VPN connections. It is also possible that you launched the instance without a public IP, or in a VPC that doesn’t have Internet access, so the instance cannot reach the activation servers.
These are the addresses the licensing system needs to contact for tiered instances to verify their licensed state and unlock the number of connections stated for the OpenVPN Access Server AWS tiered instance type:
IP address 169.254.169.254, port 80:
These DNS names with wide dynamic IP ranges, on port TCP 443:
And these DNS names with static IP addresses, on port TCP 443:
awspc3.openvpn.net, IP address: 220.127.116.11
awspc4.openvpn.net, IP address: 18.104.22.168
awspc3.openvpn.net and awspc4.openvpn.net are only supported as of Access Server 2.5. Previous versions only use awspc1 and awspc2. If you are strict on your security permissions, you need to allow access to the metadata system mentioned above and to at least one of the two static IP addresses of awspc3 or awspc4 mentioned above. The licensing system in Access Server is designed to try a specific licensing server first and, if that fails, move on to the next, and so on, until all 4 addresses have been tried. As a result, if you unblock only awspc4, for example, it may be a minute or two after the server has started up before it picks up the license, so please be patient.
For those curious, awspc3 will be tried first, then 2, then 4, then 1. If you have unblocked these addresses and are still experiencing problems, we recommend first temporarily unblocking everything on this particular system. To put it simply, disable anything that could block any type of connection. Be sure to check both the iptables firewall and the security groups in Amazon, since either of these can block traffic. The first thing to ensure is that neither of them is blocking the traffic. And of course, reboot the system to be sure any transient issues are taken care of.
NOTE: Please confirm which metadata version is currently in use on your instance, and whether this aspect of the instance has changed. We support only metadata version 1, which should be available without any tokens. If you use version 2, that can be the cause of the issue. The AS instance must be built with metadata version 1.
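The following script is an added example, not OpenVPN's own tooling. Run on the Access Server instance, it checks the two dependencies described above: tokenless (version 1) metadata on 169.254.169.254 port 80, and TCP 443 to awspc3 or awspc4. It assumes bash, curl and the coreutils `timeout` command are installed; the metadata path `/latest/meta-data/instance-id` and all function names are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example: connectivity check for AWS tiered licensing prerequisites.
# Invoke with the argument "run" to perform the network probes.

IMDS_URL="http://169.254.169.254/latest/meta-data/instance-id"
LICENSE_HOSTS="awspc3.openvpn.net awspc4.openvpn.net"   # names from the article

# Map the HTTP status of a tokenless metadata request to a finding.
classify_imds_status() {
    case "$1" in
        200) echo "v1-ok" ;;            # version 1 answers without a token
        401) echo "token-required" ;;   # instance enforces version 2 tokens
        403) echo "imds-disabled" ;;    # metadata endpoint is turned off
        000) echo "unreachable" ;;      # no HTTP response (blocked or no route)
        *)   echo "unexpected-$1" ;;
    esac
}

# Send one tokenless request; curl reports 000 when nothing answered.
probe_imds() {
    local code
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$IMDS_URL" 2>/dev/null)
    classify_imds_status "${code:-000}"
}

# Return 0 if a TCP connection to host ($1) port ($2) opens within 5 seconds.
tcp_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Licensing needs metadata v1 plus at least one reachable licensing host.
verdict() {   # $1 = metadata finding, $2 = count of reachable hosts
    if [ "$1" = "v1-ok" ] && [ "$2" -ge 1 ]; then echo "PASS"; else echo "FAIL"; fi
}

main() {
    local imds reachable=0 h
    imds=$(probe_imds)
    echo "metadata (tokenless): $imds"
    for h in $LICENSE_HOSTS; do
        if tcp_open "$h" 443; then
            echo "tcp/443 $h: open"; reachable=$((reachable + 1))
        else
            echo "tcp/443 $h: blocked or unreachable"
        fi
    done
    echo "result: $(verdict "$imds" "$reachable")"
}

if [ "${1:-}" = "run" ]; then main; fi
```

A `token-required` finding points at the metadata version issue in the note above, while `unreachable` or a blocked tcp/443 line points at iptables, security groups or missing Internet access.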