"authentication failed" message when Mac wakes

Got a problem with Viscosity or need help? Ask here!


Posts: 1
Joined: Sun Dec 24, 2017 1:05 am

Post by andyh » Sun Dec 24, 2017 1:12 am
Ever since I updated to the newest version of Viscosity (1.7.6), I get an "authentication failed" message whenever I wake up my Mac. (I have "reconnect on wake" turned on.) Once I hit OK on that message, Viscosity retries and succeeds.

My Mac is running High Sierra, 10.13.2.

The issue is an inconvenience, not a show-stopper, but I didn't see anyone else reporting it here, so I thought I should mention it. If it's a known issue and there's a workaround, please let me know. Thanks.


User avatar
Posts: 1888
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Jan 03, 2018 6:09 pm
Hi andyh,

The error is being caused by the OpenVPN server rejecting the session token (auth-token) it created for your VPN session/connection. Viscosity 1.7.6 added full support for OpenVPN session tokens.

Session tokens are unique temporary IDs that a server can optionally generate and send to the VPN client to use for authentication instead of a password. They are primarily designed to avoid needing to re-enter your authentication details when you briefly become disconnected from the VPN server: for example if you sleep your laptop when moving between rooms, or a brief Wi-Fi drop out. They are very handy when two-factor authentication is being used, but not so much when you can simply save your username/password to the Keychain.

So basically, the VPN server you are connecting to is assigning your Viscosity connection a session token, but then rejecting it when your computer wakes up and tries to reconnect. It could be that it's expired (most VPN admins will limit a session token to 60 mins since last connected), or it could be the OpenVPN server isn't correctly handling it.

We've had a handful of reports from users about this, all using Private Internet Access as their VPN Service Provider. It appears their servers are setting a session token but never accepting it (we've confirmed this with our own testing). If this is the case for you too I recommend reaching out to them and alerting them to this as it's likely a bug.

We've also released an updated beta version that no longer displays the authentication failed warning when a session token is rejected (instead it will automatically reconnect without using the session token):
https://www.sparklabs.com/support/kb/ar ... -versions/

James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs


Posts: 2
Joined: Sun Apr 12, 2015 12:53 am

Post by memelab » Tue Jan 16, 2018 2:12 pm
thanks, will try the beta... I'm also a PIA customer experiencing the issue
3 posts Page 1 of 1