Troubleshooting AWS Client VPN connections with Windows-based clients

The following sections contain information about problems that you might have when using Windows-based clients to connect to a Client VPN endpoint.

AWS provided client event logs

The AWS provided client creates event logs and stores them in the following location on your computer.

C:\Users\User\AppData\Roaming\AWSVPNClient\logs

The following types of logs are available:

The AWS provided client uses the Windows service to perform root operations. Windows service logs are stored in the following location on your computer.

C:\Program Files\Amazon\AWS VPN Client\WinServiceLogs\username

Client cannot connect

Problem

The AWS provided client cannot connect to the Client VPN endpoint.

Cause

The cause of this problem might be one of the following:

Solution

Check to see if there are other OpenVPN applications running on your computer. If there are, stop or quit these processes and try connecting to the Client VPN endpoint again. Check the OpenVPN logs for errors, and ask your Client VPN administrator to verify the following information:

Client cannot connect with "no TAP-Windows adapters" log message

Problem

The AWS provided client cannot connect to the Client VPN endpoint and the following error message appears in the application logs: "There are no TAP-Windows adapters on this system. You should be able to create a TAP-Windows adapter by going to Start -> All Programs -> TAP-Windows -> Utilities -> Add a new TAP-Windows virtual ethernet adapter".

Solution

You can remediate this problem by taking one or more of the following actions:

Client is stuck in a reconnecting state

Problem

The AWS provided client is trying to connect to the Client VPN endpoint, but is stuck in a reconnecting state.

Cause

The cause of this problem might be one of the following:

Solution

Verify that your computer is connected to the internet. Ask your Client VPN administrator to verify that the remote directive in the configuration file resolves to a valid IP address. You can also disconnect the VPN session by choosing Disconnect in the AWS VPN Client window, and try connecting again.

VPN connection process quits unexpectedly

Problem

While connecting to a Client VPN endpoint, the client quits unexpectedly.

Cause

TAP-Windows is not installed on your computer. This software is required to run the client.

Solution

Rerun the AWS provided client installer to install all of the required dependencies.

Application fails to launch

Problem

On Windows 7, the AWS provided client does not launch when you try to open it.

Cause

.NET Framework 4.7.2 or higher is not installed on your computer. This is required to run the client.

Solution

Rerun the AWS provided client installer to install all of the required dependencies.

Client cannot create profile

Problem

You get the following error when you try to create a profile using the AWS provided client.

The config should have either cert and key or auth-user-pass specified.

Cause

If the Client VPN endpoint uses mutual authentication, the configuration (.ovpn) file does not contain the client certificate and key.

Solution

Ensure that your Client VPN administrator adds the client certificate and key to the configuration file. For more information, see Export Client Configuration in the AWS Client VPN Administrator Guide.

VPN disconnects with a pop up message

Problem

The VPN disconnects with a pop up message that says: "The VPN connection is being terminated because the address space of the local network your device is connected to has changed. Please establish a new VPN connection."

Cause

TAP-Windows adapter does not contain the required description.

Solution

If the Description field does not match below, first remove the TAP-Windows adapter, then rerun the AWS provided client installer to install all of the required dependencies.

C:\Users\jdoe> ipconfig /all
   
Ethernet adapter Ethernet 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : AWS VPN Client TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-50-ED-5A-DE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Client crash occurs on Dell PCs using Windows 10 or 11

Problem

On certain Dell PCs (desktop and laptop) that are running Windows 10 or 11, a crash can occur when you're browsing your file system to import a VPN configuration file. If this issue occurs, you'll see messages like the following in the logs of the AWS provided client:

System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
   at System.Data.SQLite.UnsafeNativeMethods.sqlite3_open_interop(Byte[] utf8Filename, Int32 flags, IntPtr& db)
   at System.Data.SQLite.SQLite3.Open(String strFilename, SQLiteConnectionFlags connectionFlags, SQLiteOpenFlagsEnum openFlags, Int32 maxPoolSize, Boolean usePool)
   at System.Data.SQLite.SQLiteConnection.Open()
   at STCommonShellIntegration.DataShellManagement.CreateNewConnection(SQLiteConnection& newConnection)
   at STCommonShellIntegration.DataShellManagement.InitConfiguration(Dictionary`2 targetSettings)
   at DBROverlayIcon.DBRBackupOverlayIcon.initComponent()

Cause

The Dell Backup and Recovery system in Windows 10 and 11 might cause conflicts with the AWS provided client, particularly with the following three DLLs:

Solution

To avoid this problem, first make sure that your client is up to date with the latest version of the AWS provided client. Go to AWS Client VPN download and if a newer version is available, upgrade to the latest version.

OpenVPN GUI

The following troubleshooting information was tested on versions 11.10.0.0 and 11.11.0.0 of the OpenVPN GUI software on Windows 10 Home (64-bit) and Windows Server 2016 (64-bit).

The configuration file is stored in the following location on your computer.

C:\Users\User\OpenVPN\config

The connection logs are stored in the following location on your computer.

C:\Users\User\OpenVPN\log

OpenVPN connect client

The following troubleshooting information was tested on versions 2.6.0.100 and 2.7.1.101 of the OpenVPN Connect Client software on Windows 10 Home (64-bit) and Windows Server 2016 (64-bit).

The configuration file is stored in the following location on your computer.

C:\Users\User\AppData\Roaming\OpenVPN Connect\profile

The connection logs are stored in the following location on your computer.

C:\Users\User\AppData\Roaming\OpenVPN Connect\logs

Unable to resolve DNS

Problem

The connection fails with the following error.

Transport Error: DNS resolve error on 'cvpn-endpoint-xyz123.prod.clientvpn.us-east-1.amazonaws.com (http://cvpn-endpoint-xyz123.prod.clientvpn.us-east-1.amazonaws.com/)' for UDP session: No such host is known.

Cause

The DNS name cannot be resolved. The client must prepend a random string to the DNS name to prevent DNS caching; however, some clients do not do this.

Solution

See the solution for Unable to Resolve Client VPN Endpoint DNS Name in the AWS Client VPN Administrator Guide.

Missing PKI alias

Problem

A connection to a Client VPN endpoint that does not use mutual authentication fails with the following error.

FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias

Cause

The OpenVPN Connect Client software has a known issue where it attempts to authenticate using mutual authentication. If the configuration file does not contain a client key and certificate, authentication fails.

Solution

Specify a random client key and certificate in the Client VPN configuration file and import the new configuration into the OpenVPN Connect Client software. Alternatively, use a different client, such as the OpenVPN GUI client (v11.12.0.0) or the Viscosity client (v.1.7.14).