Issue with Pritunl + Entra ID authentication during node failover

Pritunl Pritunl VPN
1

Hello,

I am experiencing an issue with Pritunl authentication (Entra ID / Azure SSO) when using two hosts and performing a failover between nodes.

Setup
Two nodes: VM1 and VM2 (same priority)
Both nodes are attached to the same Pritunl server listening on TCP 8443
Both nodes are fully functional

Pritunl version : Server v1.32.4567.52 36a664 - Client : v1.3.4566.62

Behavior
Authentication via Entra ID works perfectly:

  • When both nodes are active
  • When only one node is active

However, when I stop the Pritunl service on the node where the client is currently connected (Or if I reboot the node) : sudo systemctl stop pritunl

  • On the client side: The connection times out and disconnects

  • On the server side, in logs:
    The client attempts to connect to the second node
    Server logs example

    [VM1][2026-06-23 07:59:03,832][INFO] Authenticating user
user_name = “my_mail@org.com”
factors   = [“azure”]

[VM1][2026-06-23 07:59:03,837][INFO] Client authentication with sso token
user_name   = “my_mail@org.com”
org_name    = “Org”
server_name = “Org_srv”

[VM1][2026-06-23 07:59:04,920][INFO] Storing authentication cache token

sudo systemctl stop pritunl on VM1

[VM2][2026-06-23 07:59:27,859][INFO] Authenticating user
user_name = “my_mail@org.com”
factors   = [“azure”]

A tcpdump on the client shows:

  • Clean disconnection from VM1
  • New TCP connection to VM2 on port 8443
  • Immediately followed by pritunl client disconnection

Using a local proxy (Burp Suite):

  • I do not see any Entra ID reauthentication during failover, it seems expected (since SSO token reuse should occur)
  • Full authentication is visible only during initial login

Question
Is there a way to achieve seamless failover between Pritunl nodes?

When a node is stopped or restarted, we would like the client to automatically reconnect to the other node without requiring the user to click “Connect” again or reauthenticate.
Is this behavior expected with Pritunl + Entra ID, or is there a configuration (session sharing, token synchronization, HA setup, etc.) that allows automatic reconnection?

Thanks in advance for your help.

2

This might be the nil pointer dereference that occurred on reconnection. The service would crash and auto restart so the logs won’t indicate any errors. It was fixed in the recent Pritunl Client v1.3.4655.98 release.

If the issue still occurs use the commands below to run the client background service in a terminal to check for errors. This is only possible on macOS and Linux.

macOS

sudo launchctl unload /Library/LaunchDaemons/com.pritunl.service.plist
sudo /Applications/Pritunl.app/Contents/Resources/pritunl-server

Linux

sudo systemctl stop pritunl-client
sudo pritunl-client-service