You type rcon commands and the server answers Bad rcon_password. or simply ignores you. RCON on the Half-Life engine is a challenge/response protocol over the same UDP port as the game, and there are only a handful of things that break it: the password the server actually loaded is not the one you think, you are locked out by too many failures, or your client never sent the right password at all. Work through them in order.
1. Confirm the password the server actually loaded
rcon_password is set in server.cfg, but it can be silently overridden by autoexec.cfg, by a per-map config, or by an amxx admin config. On the server console (local, no RCON needed) run:
rcon_password
It prints the current value. If it is empty, RCON is disabled entirely — the engine refuses all RCON when the password is blank, and that is the single most common cause. Set it and it must be non-empty:
rcon_password "a-long-random-string-no-spaces"
2. Kill the quoting and whitespace traps
A password with a space in it, or a stray character from a copy-paste, is a frequent culprit. In a .cfg file the value must be quoted if it contains anything unusual, and it must not have a trailing space before the newline. A password saved from Windows Notepad can also carry a hidden carriage return. Prefer a plain alphanumeric password with no spaces, quotes, or shell metacharacters while you are debugging — you can harden it later.
3. Set the password on the client the right way
From a CS 1.6 client console you must set rcon_password locally and be pointed at the server:
rcon_password "a-long-random-string-no-spaces" rcon status
If you are not connected to the server, also set the address:
rcon_address YOUR_SERVER_IP:27015
A mismatch between rcon_address and the server you are actually on will send the RCON packet into the void and you will see Bad rcon_password or a timeout even though the password is correct.
4. Check you are not locked out (ReHLDS)
On ReHLDS there are anti-bruteforce cvars, and a few wrong attempts will lock your IP for a window. Look at them on the server:
sv_rcon_maxfailures sv_rcon_minfailures sv_rcon_minfailuretime sv_rcon_banpenalty
The default behaviour bans an IP after sv_rcon_maxfailures bad attempts within sv_rcon_minfailuretime seconds, for sv_rcon_banpenalty minutes. While you are locked out, even the correct password is rejected. Wait out the penalty, or on the server console temporarily raise the limits:
sv_rcon_maxfailures 10 sv_rcon_minfailuretime 5
Set them back to something strict once you are in — RCON brute-forcing is a real attack, not a hypothetical.
5. Make sure RCON traffic reaches the server
Classic HLDS RCON rides UDP on the game port. Some hosts and firewalls treat RCON differently, and some panels expose a separate TCP RCON. If the game connects but RCON never answers, confirm the port is open both ways:
ss -lunp | grep 27015
If you administer through a web panel or a remote tool, that tool has its own address/password fields — a stale entry there produces the same Bad rcon_password while your in-game console works fine.
6. Did server.cfg even execute?
If several settings besides RCON are also not applying, the whole server.cfg may not be running. It executes automatically only for the default map load; a custom map-start sequence, a mapcycle that skips it, or a bad filename (server.cfg.txt from Windows Explorer hiding the real extension) all leave it un-executed. Force it once and re-check:
exec server.cfg rcon_password
If rcon_password is now correct after a manual exec but was empty before it, the file exists and is right — it simply was not being run at startup, and that is the real bug to chase.
Common errors
Bad rcon_password.with a correct password — you are inside a ReHLDS failure lockout, orrcon_addresspoints at the wrong server.Bad rcon server response— the challenge step failed, usually a firewall dropping the return packet or a NAT that rewrites the source port. Open UDP 27015 both directions.- RCON silently does nothing —
rcon_passwordis empty on the server, which disables RCON completely. - Works locally, fails remotely — the value differs because a per-map or
autoexec.cfgreset it afterserver.cfgran. Grep your configs for a secondrcon_passwordline.
Verification
From a client that is connected to the server, set the password and run a harmless privileged command:
rcon_password "a-long-random-string-no-spaces" rcon stats
If rcon stats returns the server's CPU/in/out table, RCON authenticated. As a habit, do not administer day-to-day through raw RCON at all — put real admins in users.ini with AMXX and use an admin menu instead, so the RCON password stays a break-glass secret you rarely type.









