password retry fails if the first password was wrong

i have chosen certificate as the primary authentication method and plain password file as secondary authentication method but after certificate authentication failure (which is a matter of debate it self) after entering the right user and pass it fails to authenticate the user

the part below is just the failure for certificate authentication i assume :

**systemctl status ocserv**
Jul 17 04:55:01 DE01-Debian ocserv[14333]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 04:55:01 DE01-Debian ocserv[14311]: main:151.246.62.19:52486 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 04:55:01 DE01-Debian ocserv[14311]: main:151.246.62.19:11872 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 04:55:02 DE01-Debian ocserv[14338]: worker:  tlslib.c:488: no certificate was found
Jul 17 04:55:02 DE01-Debian ocserv[14338]: worker: 151.246.62.19 no certificate provided for cookie authentication
Jul 17 04:55:02 DE01-Debian ocserv[14338]: worker: 151.246.62.19 failed cookie authentication attempt
Jul 17 04:55:02 DE01-Debian ocserv[14311]: main:151.246.62.19:25114 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 04:55:02 DE01-Debian ocserv[14311]: main:151.246.62.19:55246 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 04:55:04 DE01-Debian ocserv[14339]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 04:55:04 DE01-Debian ocserv[14311]: main:151.246.62.19:35405 user disconnected (reason: unspecified, rx: 0, tx: 0) 

journalctl -xe

Jul 17 05:06:41 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 86) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:41 DE01-Debian ocserv[14930]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:41 DE01-Debian ocserv[14484]: main:151.246.62.19:16456 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:43 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 87) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:43 DE01-Debian ocserv[14931]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:43 DE01-Debian ocserv[14484]: main:151.246.62.19:57499 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:46 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 88) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:46 DE01-Debian ocserv[14932]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:46 DE01-Debian ocserv[14484]: main:151.246.62.19:14620 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:48 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 89) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:48 DE01-Debian ocserv[14933]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:48 DE01-Debian ocserv[14484]: main:151.246.62.19:57099 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:51 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 90) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:51 DE01-Debian ocserv[14934]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:51 DE01-Debian ocserv[14484]: main:151.246.62.19:15062 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:53 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 91) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:53 DE01-Debian ocserv[14936]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:53 DE01-Debian ocserv[14484]: main:151.246.62.19:15481 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:56 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 92) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:56 DE01-Debian ocserv[14939]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:56 DE01-Debian ocserv[14484]: main:151.246.62.19:25868 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:06:57 DE01-Debian kernel: [UFW BLOCK] IN=ens160 OUT= MAC=00:50:56:b5:74:51:00:50:56:b5:6d:9f:08:00 SRC=156.96.61.133 DST=178.63.213.241 LEN=40 TOS=0x00 PREC
Jul 17 05:06:58 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 93) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:06:58 DE01-Debian ocserv[14940]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:06:58 DE01-Debian ocserv[14484]: main:151.246.62.19:54419 user disconnected (reason: unspecified, rx: 0, tx: 0)
Jul 17 05:07:01 DE01-Debian ocserv[14484]: main: added IP '151.246.62.19' (with score 94) to ban list, will be reset at: Fri Jul 17 05:04:24 2020
Jul 17 05:07:01 DE01-Debian ocserv[14944]: GnuTLS error (at worker-vpn.c:795): Error in the pull function.
Jul 17 05:07:01 DE01-Debian ocserv[14484]: main:151.246.62.19:38984 user disconnected (reason: unspecified, rx: 0, tx: 0)

which all point to certificate authentication failure but nothing about plain password authentication failure.

Edited Jul 26, 2020 by Nikos Mavrogiannopoulos