The Client Log Contains "AUTH_FAILED"

Applicable Client

Windows OpenVPN Connect

Symptom

A client cannot connect to a P2C VPN gateway, and the log contains the following error information:

AUTH_FAILED

Possible Causes

If a static IP address has been configured for the user, the client can set up only one connection.
The user entered incorrect passwords for five consecutive times, and the user account is locked.
The username and password did not match.
The certificate and private key in the client configuration file do not match the client CA certificate imported on the Server tab page of the VPN gateway.

Procedure

If password authentication is used, perform the following operations:
1. Check whether a static IP address is configured for the user.
  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the P2C VPN Gateways tab, locate the target VPN gateway, and click View Server in the Operation column.
  6. Choose User Management > Users, and check whether a static IP address is configured for the user.
    - If no static IP address is configured, go to step 2.
    - If a static IP address is configured but it is occupied by another user, disconnect the client and reconnect it.
2. Check whether the user account is locked due to multiple incorrect password attempts.
  If not, go to step 3.
  
  If so, log in to the client again 5 minutes later.
3. Check whether the username and password for logging in to the client match.
  If not, reset the password as follows, and use the new password for login:
  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the P2C VPN Gateways tab, locate the target VPN gateway, and click View Server in the Operation column.
  6. Choose User Management > Users, and click Reset Password in the Operation column of the target user.
  7. Set a new password and click OK.

If certificate authentication is used, perform the following operations:

Check whether the imported client CA certificate is correct.

Log in to the management console.
Click in the upper left corner and select the desired region and project.
Click in the upper left corner, and choose Networking > Virtual Private Network.
In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
Click the P2C VPN Gateways tab. In the P2C VPN gateway list, locate the target P2C VPN gateway, and click View Server in the Operation column.
On the Server tab page, view the issuer information of the client CA certificate.

Double-click the target client CA certificate, click the Details tab, and view the issuer information.

If the issuer information on the client is consistent with that on the server, go to step 2.

If the issuer information on the client is inconsistent with that on the server, perform the following operations to import the client CA certificate again:

On the Server tab page, choose Certificate authentication from the Client Authentication Mode drop-down list box, and click Upload CA Certificate.

Set parameters as prompted.

**Table 1** Parameters for uploading a CA certificate
Parameter	Description	Example Value
Name	This parameter can be modified.	ca-cert-xxxx
Content	Use a text editor (for example, Notepad++) to open the signature certificate file in PEM format, and copy the certificate content to this text box. NOTE: It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096. Certificates using the RSA-2048 encryption algorithm have risks. Exercise caution when using such certificates.	-----BEGIN CERTIFICATE----- Certificate content -----END CERTIFICATE-----

Click OK.
Click Delete in the Operation column of the incorrect client CA certificate.
In the Delete CA Certificate dialog box, click OK.
Download the new client configuration file.
The downloaded client configuration file is client_config.zip.
Decompress client_config.zip to a specified directory, for example, D:\.
After the decompression, the client_config.ovpn and client_config.conf files are generated.
Open the client_config.ovpn file using Notepad or Notepad++.

Add the client certificate and private key to the file.

Enter the client certificate content and the corresponding private key in between <cert></cert> and <key></key> tags, respectively.

<cert>
-----BEGIN CERTIFICATE-----
Client certificate content
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
Client private key
-----END PRIVATE KEY-----
</key>

Save the .ovpn configuration file.
Start the OpenVPN client.
Import the new client configuration file.
Use the client to reconnect to the VPN gateway.

Check whether the client certificate and private key in the configuration file match.
If not, copy the correct client certificate and private key to the client configuration file as follows:
1. Open the client_config.ovpn file, client certificate, and client private key using Notepad or Notepad++.
2. Copy the client certificate and private key to the client_config.ovpn file.
  Enter the client certificate content and the corresponding private key in between <cert></cert> and <key></key> tags, respectively. An example is as follows:
```
<cert>
-----BEGIN CERTIFICATE-----
Client certificate content
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
Client private key
-----END PRIVATE KEY-----
</key>
```
3. Save the .ovpn configuration file.
4. Start the OpenVPN client.
5. Import the new client configuration file.
6. Use the client to reconnect to the VPN gateway.