Client Reconnect is not working when Device Authentication is enabled

Hi team,

I’ve encountered an issue where client reconnect is not working when Device Authentication is enabled in our setup.

After enabling Device Authentication, the client reconnect functionality seems to be broken. Before the authentication was enabled, clients were able to reconnect without any issue. However, once Device Authentication was turned on, the clients are unable to reconnect, causing disruption to the user experience.

I would appreciate any guidance or suggestions from the community on how to resolve this issue. If you’ve experienced a similar problem or have knowledge about potential solutions, please share them in the comments below.

Thank you in advance for your help and support.

Verify that Enable Client Reconnect is enabled in the top right settings. Also verify that both User Inactive Timeout and User Session Timeout are blank in the server settings. These options are required for reconnection.

Check all the logs by clicking logs in the client top right menu and using the selection to switch between log types. Also check the logs in the top right menu of the Pritunl web console for errors.

Hi @zach, thanks for your prompt reply.

Verify that Enable Client Reconnect is enabled in the top right settings. Also verify that both User Inactive Timeout and User Session Timeout are blank in the server settings → I have checked that all these settings are valid.

Here are some logs from the client side when it tries to reconnect:

[2023-09-23 10:51:22][WARN] ▶ watch: Wakeup restarting...
[2023-09-23 10:51:22][INFO] ▶ profile: Disconnecting ◆ profile_id="<redacted>"
[2023-09-23 10:51:23][INFO] ▶ utils: Restore DNS
[2023-09-23 10:51:23][INFO] ▶ utils: DNS not active ◆ restore_key="<redacted>" ◆ service_key="<redacted>"
[2023-09-23 10:51:23][INFO] ▶ profile: Disconnected ◆ profile_id="<redacted>"
[2023-09-23 10:51:25][INFO] ▶ utils: Restore DNS
[2023-09-23 10:51:25][INFO] ▶ utils: DNS not active ◆ restore_key="<redacted>" ◆ service_key="<redacted>"
[2023-09-23 10:51:27][INFO] ▶ profile: Connecting ◆ device_auth=true ◆ disable_gateway=false ◆ dynamic_firewall=false ◆ force_dns=false ◆ mode="ovpn" ◆ profile_id="<redacted>" ◆ reconnect=true ◆ sso_auth=false
[2023-09-23 10:51:30][INFO] ▶ utils: Restore DNS
[2023-09-23 10:51:30][INFO] ▶ utils: DNS not active ◆ restore_key="<redacted>" ◆ service_key="<redacted>"
[2023-09-23 10:51:31][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=N7Jg2vJbJ5izvIHI exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest, AKSError=-536870174}

ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x1013aa514
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2186 +0x1013ba273
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1903 +0x1013b8d47
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1310 +0x1013b577b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1293 +0x1013b5427
github.com/pritunl/pritunl-client-electron/service/profile.RestartProfiles
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/utils.go:368 +0x1013c601b
github.com/pritunl/pritunl-client-electron/service/watch.wakeWatch
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/watch/watch.go:125 +0x1013d0fd7
runtime.goexit
	/opt/homebrew/Cellar/go/1.20.1/libexec/src/runtime/asm_arm64.s:1172 +0x100ed47a3
[2023-09-23 10:51:33][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=O1mrUWAOMGbyIkP0 exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest, AKSError=-536870174}

ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x1013aa514
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2186 +0x1013ba273
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1903 +0x1013b8d47
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1310 +0x1013b577b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1293 +0x1013b5427
github.com/pritunl/pritunl-client-electron/service/profile.RestartProfiles
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/utils.go:368 +0x1013c601b
github.com/pritunl/pritunl-client-electron/service/watch.wakeWatch
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/watch/watch.go:125 +0x1013d0fd7
runtime.goexit
	/opt/homebrew/Cellar/go/1.20.1/libexec/src/runtime/asm_arm64.s:1172 +0x100ed47a3
[2023-09-23 10:51:37][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=wYSF92FAO9y5ZLcO exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest, AKSError=-536870174}

ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x1013aa514
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2186 +0x1013ba273
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1922 +0x1013b8f33
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1310 +0x1013b577b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1293 +0x1013b5427
github.com/pritunl/pritunl-client-electron/service/profile.RestartProfiles
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/utils.go:368 +0x1013c601b
github.com/pritunl/pritunl-client-electron/service/watch.wakeWatch
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/watch/watch.go:125 +0x1013d0fd7
runtime.goexit
	/opt/homebrew/Cellar/go/1.20.1/libexec/src/runtime/asm_arm64.s:1172 +0x100ed47a3
[2023-09-23 10:51:39][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=wiS4O0dRm0OyCTyJ exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=NSOSStatusErrorDomain Code=-25308 "<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256(u) kid=aa6dd4b38c11f3f6>: unable to sign digest, AKSError=-536870174}

ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x1013aa514
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2186 +0x1013ba273
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1922 +0x1013b8f33
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1310 +0x1013b577b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1293 +0x1013b5427
github.com/pritunl/pritunl-client-electron/service/profile.RestartProfiles
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/utils.go:368 +0x1013c601b
github.com/pritunl/pritunl-client-electron/service/watch.wakeWatch
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/watch/watch.go:125 +0x1013d0fd7
runtime.goexit
	/opt/homebrew/Cellar/go/1.20.1/libexec/src/runtime/asm_arm64.s:1172 +0x100ed47a3
[2023-09-23 10:51:42][INFO] ▶ profile: Disconnecting ◆ profile_id="<redacted>"
[2023-09-23 10:51:42][INFO] ▶ profile: Disconnected ◆ profile_id="<redacted>"

This is most likely caused by attempting to use the Secure Enclave before it is unlocked. I will look into adding a retry.
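
One way to structure the retry mentioned in the reply above, as an added example that is not Pritunl's code or its fix: `ErrKeyLocked`, `SignFunc`, `SignWithRetry` and `LockedUntil` are hypothetical names, and the signer is a constructed stand-in for the hardware-backed signing call that fails in the log.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// ErrKeyLocked: hypothetical sentinel for the log's "unable to sign digest".
var ErrKeyLocked = errors.New("hardware key locked")

// SignFunc is a hypothetical stand-in for a hardware-backed signing call.
type SignFunc func(digest []byte) ([]byte, error)

// SignWithRetry retries only while the key is locked, doubling the delay and
// stopping if ctx is cancelled; other errors return at once, unmasked.
func SignWithRetry(ctx context.Context, sign SignFunc, digest []byte,
	attempts int, delay time.Duration) ([]byte, int, error) {
	for i := 1; ; i++ {
		sig, err := sign(digest)
		if err == nil || !errors.Is(err, ErrKeyLocked) {
			return sig, i, err
		}
		if i >= attempts {
			return nil, i, fmt.Errorf("gave up after %d attempts: %w", i, err)
		}
		select {
		case <-ctx.Done():
			return nil, i, ctx.Err()
		case <-time.After(delay):
		}
		delay *= 2
	}
}

// LockedUntil builds a constructed signer that fails n times, then succeeds.
func LockedUntil(n int) SignFunc {
	return func(d []byte) ([]byte, error) {
		if n--; n >= 0 {
			return nil, ErrKeyLocked
		}
		return append([]byte("sig:"), d...), nil
	}
}

func main() {
	fmt.Println(SignWithRetry(context.Background(), LockedUntil(2), []byte("digest"), 5, 10*time.Millisecond))
}
```

Bounding the attempts and retrying only on the locked-key condition keeps a genuinely missing or revoked device key from turning into a silent retry loop.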

Thank you very much @zach