SMA1000: Connect Tunnel - 'Access denied. The required system capabilities are not present, enabled, or current.'
Description
When a user attempts to connect using the Connect Tunnel client, the connection fails with the error message: "Access denied. The required system capabilities are not present, enabled, or current." This error occurs specifically with Connect Tunnel connections and does not affect On Demand Tunnel, WorkPlace, or Mobile Connect access methods.
This error occurs when the Access Control rule for the built-in Connect Tunnel resource is set to Deny or has been deleted from the Appliance Management Console (AMC). The SMA1000 ships with a default Permit rule for Connect Tunnel, but this rule can be removed or overridden in the following scenarios:
1. An administrator manually deleted or modified the default Connect Tunnel access rule.
2. A configuration import or CMS push replaced the running configuration without the default rule.
3. A new appliance was deployed and the default Access Control rules were not preserved during setup.
Resolution
Create or re-enable a Permit rule for the Connect Tunnel resource in the AMC Access Control settings:
- Log in to the Appliance Management Console (AMC).
- Navigate to Security Administration > Access Control.
- Click the + (Add) button to create a new Access Control rule.
- Set the Action field to Permit.
- In the To field, click Edit and select the built-in Connect Tunnel resource from the resource list.
- In the From field, specify the user or group that should have Connect Tunnel access (e.g., ALL USERS or a specific group).
- Click Save to add the rule.
- Click Pending Changes in the upper-right corner and apply the configuration.
Important: Access Control rules are evaluated top-to-bottom on a first-match-wins basis. Ensure the Permit rule for Connect Tunnel is positioned above any broader Deny rules that could override it.
