
Comments (9)

lumi-pwhitney avatar lumi-pwhitney commented on August 12, 2024 1

We've been testing this out for a small number (under 5) of Linux clients we would need to connect to the VPN. We're experiencing the same issue. Here is a snip of the logs from where it fails (note: the peer connection was to the exact same IP both times):

Unsuccessful:
```
Mon Apr 5 14:27:31 2021 VERIFY EKU OK
Mon Apr 5 14:27:31 2021 VERIFY OK: depth=0, CN=<redacted>.com
Mon Apr 5 14:27:31 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr 5 14:27:31 2021 [<redacted>.com] Peer Connection Initiated with [AF_INET]52.54.xxx.yyy:1194
Mon Apr 5 14:27:32 2021 SENT CONTROL [<redacted>.com]: 'PUSH_REQUEST' (status=1)
Mon Apr 5 14:27:32 2021 AUTH: Received control message: AUTH_FAILED,Invalid username or password
Mon Apr 5 14:27:32 2021 SIGTERM[soft,auth-failure] received, process exiting
```

Successful:
```
Mon Apr 5 14:28:17 2021 VERIFY EKU OK
Mon Apr 5 14:28:17 2021 VERIFY OK: depth=0, CN=<redacted>.com
Mon Apr 5 14:28:17 2021 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr 5 14:28:17 2021 [<redacted>.com] Peer Connection Initiated with [AF_INET]52.54.xxx.yyy:1194
Mon Apr 5 14:28:18 2021 SENT CONTROL [<redacted>.com]: 'PUSH_REQUEST' (status=1)
Mon Apr 5 14:28:18 2021 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,route-gateway 10.17.0.33,topology subnet,ping 1,ping-restart 20,ifconfig 10.17.0.34 255.255.255.224,peer-id 0,cipher AES-256-GCM'
```

from aws-vpn-client.

andrei-ivanov-pie avatar andrei-ivanov-pie commented on August 12, 2024 1

@samm-git Actually, after a reboot it now works! I'm successfully able to connect. Thank you for this awesome patch.


samm-git avatar samm-git commented on August 12, 2024

I recently updated the patch and documentation. Please let me know if the changes fix your issue.


andrei-ivanov-pie avatar andrei-ivanov-pie commented on August 12, 2024

Using the 2.5.1 patch, I'm getting the same error as above.
I see the browser open, get the "Got SAMLResponse field, it's safe to close this window" page.
The aws_connect.sh exits with this:
```
2021-04-19 13:36:20 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-04-19 13:36:20 VERIFY EKU OK
2021-04-19 13:36:20 VERIFY OK: depth=0, CN=*.com
2021-04-19 13:36:20 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2021-04-19 13:36:20 [*.com] Peer Connection Initiated with [AF_INET]35.81.112.236:443
2021-04-19 13:36:21 SENT CONTROL [*.com]: 'PUSH_REQUEST' (status=1)
2021-04-19 13:36:21 AUTH: Received control message: AUTH_FAILED,Invalid username or password
2021-04-19 13:36:21 SIGTERM[soft,auth-failure] received, process exiting
```

To avoid any problems I've used our vpn.conf and followed your instructions to remove unsupported fields.
```
client
dev tun
proto tcp
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 3

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

auth-nocache
reneg-sec 0
```

I had to change the port in aws_connect from 1194 to 443 to get it to work at all.
When I connect using the AWS VPN Client on Windows, the message I get in browser is "Authentication details received, processing details. You may close this window at any time.". When connecting through your solution, the message I get in browser is "Got SAMLResponse field". Not sure if that makes a difference.


samm-git avatar samm-git commented on August 12, 2024

@andrei-ivanov-pie different text does not matter, it's expected. Which IDP do you use? Does it work fine on the native client?


andrei-ivanov-pie avatar andrei-ivanov-pie commented on August 12, 2024

We use Okta. The AWS VPN client works fine on Windows with the vpn config file above (minus the fields that were removed per your instructions).


samm-git avatar samm-git commented on August 12, 2024

@andrei-ivanov-pie this is very strange, I use Okta as well. If you can make me a "guest" testing account I can test, as I can't reproduce it on my side otherwise.


furai avatar furai commented on August 12, 2024

I'm experiencing very random results with connecting. We're authenticating using Okta. Sometimes it connects after 2-3 tries, sometimes it takes 10 or more. It just says that auth failed. Any pointers on how I could debug what's going on?


adamantike avatar adamantike commented on August 12, 2024

@furai, we were also experiencing authentication issues while using Okta. However, after the discussions in #2, we stabilized our auth attempts by removing the following fields from the VPN configuration file: https://github.com/samm-git/aws-vpn-client/blob/0f206a7985c7feb24a27b97ea6920796f2007322/README.md#additional-steps

from aws-vpn-client.
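
For measuring how often the intermittent `AUTH_FAILED` described in this thread occurs, here is an added example (not posted by any participant and not part of the aws-vpn-client project) that splits OpenVPN client log text into entries, handling both timestamp styles seen above and entries run together on one line, and records the outcome of each connection attempt. The hostname, address and log lines in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Both timestamp styles that appear in the logs posted in this thread.
TS = re.compile(
    r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
    r"|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d")

def parse_ts(raw):
    raw = " ".join(raw.split())  # collapse padding such as "Apr  5"
    fmt = "%Y-%m-%d %H:%M:%S" if raw[0].isdigit() else "%a %b %d %H:%M:%S %Y"
    return datetime.strptime(raw, fmt)

def split_entries(text):
    """Yield (timestamp, message) pairs, even when entries share one line."""
    marks = list(TS.finditer(text))
    for cur, nxt in zip(marks, marks[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        yield parse_ts(cur.group()), text[cur.end():end].strip()

def classify_attempts(text):
    """One record per attempt: outcome, server reason, seconds to verdict."""
    attempts, started = [], None
    for ts, msg in split_entries(text):
        if "Peer Connection Initiated" in msg:
            started = ts  # TLS handshake done, SAML verdict comes next
        elif started and ("AUTH_FAILED" in msg or "PUSH_REPLY" in msg):
            failed = "AUTH_FAILED" in msg
            attempts.append({
                "start": started,
                "outcome": "auth_failed" if failed else "connected",
                "detail": msg.partition("AUTH_FAILED,")[2],
                "seconds": (ts - started).total_seconds(),
            })
            started = None
    return attempts

def failure_rate(attempts):
    failed = sum(a["outcome"] == "auth_failed" for a in attempts)
    return failed / len(attempts) if attempts else 0.0

# Constructed sample: one failed attempt (entries run together) and one success.
SAMPLE = (
    "Mon Apr 5 14:27:31 2021 [vpn.example.com] Peer Connection Initiated with [AF_INET]192.0.2.10:1194 "
    "Mon Apr 5 14:27:32 2021 AUTH: Received control message: AUTH_FAILED,Invalid username or password "
    "Mon Apr 5 14:27:32 2021 SIGTERM[soft,auth-failure] received, process exiting\n"
    "2021-04-19 13:36:20 [vpn.example.com] Peer Connection Initiated with [AF_INET]192.0.2.10:443\n"
    "2021-04-19 13:36:21 PUSH: Received control message: 'PUSH_REPLY,topology subnet,peer-id 0'\n")
```

Running `classify_attempts` over the log collected from repeated connection attempts before and after a configuration change gives a failure rate to compare, rather than an impression of how many tries it took.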
