SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 3
03/26/2020
8
16407
DESCRIPTION:
SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 3
This provides general troubleshooting instructions and discusses the troubleshooting tools available in the Appliance Management Console (AMC). Failure in core networking services (such as DHCP, DNS, or WINS) will cause unpredictable failures.
The User Sessions page in AMC can be used to monitor, troubleshoot or terminate sessions on your appliance or HA pair of appliances. You can sort through the summary of session details and, if needed, display details on how a device was classified, and why. About 24 hours worth of data is kept; even items that have been deleted or modified are displayed. See Viewing User Access and Policy Details in the SMA 11.3 Administration Guide.
SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 3
Topics in Part 3 will cover:
- Installation Troubleshooting
- Connectivity Troubleshooting
- General OnDemand Issues
- Specific OnDemand Issues
- Window Client Troubleshooting
- Macintosh and Linux Tunnel Client Troubleshooting
RESOLUTION:
Installation Troubleshooting
Issue | Troubleshooting Tips |
Connect Tunnel client does not install | The provisioned client is delivered to client computers as an installation package. If the installation procedure fails, the following may explain the issue or offer a solution: - System is not supported: Ensure that the client computer’s system software is
supported by the Connect Tunnel client. - Client software doesn’t match system requirements: If users can access WorkPlace, install the client that is available in WorkPlace.
- User does not have local administrator rights: Users must have administrator rights to install the Connect Tunnel client.
- The Connect Tunnel client installation log file (ngsetup.log) may contain information that can help troubleshoot installation issues. On Windows Vista, the file is located in the ProgramData folder, which is hidden by default:
[drive:]ProgramDataAventailngsetup.log |
OnDemand Tunnel agent does not install | The OnDemand Tunnel client is automatically installed and activated when a user browses to WorkPlace after authenticating in an appropriately configured realm. Typically, the OnDemand Tunnel agent operates without user intervention, providing secure, tunneled access to configured resources as long as WorkPlace is running. If the OnDemand Tunnel agent fails to install or activate, the following may explain the issue or offer a solution: - Installing OnDemand Tunnel requires administrator rights.
- OnDemand Tunnel not enabled for this Workplace realm: On the main navigation menu in AMC, click Realms. The Realms page displays a list of all realms defined for the appliance. To review the settings affecting the network tunnel service for a particular realm, click the realm name. On the Communities tab of the Configure Realm page, click Edit in the Access Methods area. Ensure that the Network tunnel client check box is selected.
- System is not supported: Ensure that the client computer’s system software is supported by the OnDemand Tunnel agent.
- Browser is not supported: Ensure that the user is running a Web browser that is supported by the OnDemand Tunnel agent. In the Administration Guide, go to System Requirements and see Client Components
|
Connectivity Troubleshooting
Issue | Troubleshooting Tips |
Client does not connect | The OnDemand Tunnel agent starts automatically after users successfully authenticate to WorkPlace, if the community supports the OnDemand Tunnel agent. The provisioned Connect Tunnel client requires you to activate it each time you want to begin a tunnel session. Tunnel sessions can remain active for many hours. Interrupting network connectivity for periods of more than a few seconds causes the tunnel session to end. Interruptions occur, for example, when a network cable is disconnected, a laptop is set to sleep, or the network link is so busy that it has high latencies and packet drop rates. The following describes common failures that can prevent a Connect Tunnel client or OnDemand Tunnel agent connection from succeeding: - Appliance is unreachable: In the Connect Tunnel login dialog box, click Properties. In the Properties dialog box, under Login group, click Change. If the appliance is reachable over the network, the Select or enter your login box will be populated with a list of available realms. If the appliance is not reachable, after a few moments you will see an error message that reads “The remote network connection has timed out.”
- Incorrect appliance address specified: In the Connect login dialog box, click Properties. In the Properties dialog box, ensure that the Host name or IP address of your VPN is correct. If a host name is entered instead of an IP address, ensure that the client can resolve the host name, and that the host name corresponds to the IP address of the appliance’s external interface.
- Appliance is not running: Ensure that the appliance is running.
- Invalid realm for user name: Ensure that a valid realm is configured for the user.
- Authentication failure: Ensure that the user has specified the correct authentication credentials.
- Client service failure: Retrieve the client log (ngsetup.log), and send the log file to for analysis along with a description of the situation.
- Personal firewall is not permitting tunnel traffic: Ensure that the user’s firewall is configured to allow connections to the appliance’s FQDN or IP address.
|
Client connects, but cannot access a resource | When a tunnel is established, an icon representing that tunnel appears in the taskbar notification area. At this point the client computer has access to all configured resources the appliance can reach and for which the user is authorized. If the client cannot reach a resource, the following may explain the issue or offer a solution: - Resource not defined: Ensure that the correct resource is defined in AMC.
- User not authorized to access resource: In AMC, review access control rules, and realm and community assignments, to ensure that the user is allowed to access the resource.
- Appliance routing cannot reach resource: Ensure that there isn’t a general networking problem between the appliance and back-end resources.
- Server software failure: Note the time of the failure, determine whether the network tunnel service is functioning properly, and gather further troubleshooting information if necessary.
|
Client connects, but disconnects unexpectedly | Once connected, a Connect Tunnel or OnDemand Tunnel connection should remain active for many hours. However, the tunnel can end prematurely for several reasons. If a tunnel connection disconnects unexpectedly, the following may explain the issue or offer a solution: - Tunnel that was left idle timed out: To conserve appliance resources, idle tunnels can disconnect after an extended period of time.
- Administrator stopped or restarted the network tunnel service: Normal configuration operations using AMC should not affect established tunnels; they continue to operate under the configuration that was in effect when they were established. However, configuration changes that affect basic appliance
networking will cause existing tunnels to drop or hang, possibly requiring a disconnect at the client to recover. - With the network tunnel service logs set to Info level or higher, the message “Reset Internal Interface and Addressing Information” appears in the log any time the network tunnel service is stopped; in addition, the message “Internal Interface eth0 Address n.n.n.n Netmask n.n.n.n BCastAddr n.n.n.n Subnet
n.n.n.n” (with appropriate IP addressing values) appears any time the service is started from a stopped condition. In the ngutil log, the text “The server is shutting down” identifies this situation. - Internetwork carrying tunnel became unresponsive or unreliable: When traffic fills the available bandwidth on any hop between the client and the appliance, packets wait on queues in the end-point TCP stack or in intermediate routers. When queues fill, packets are dropped.
- The network tunnel service carries traffic over a TCP SSL connection. TCP is designed to accept network unreliability by delivering traffic only when it is in sequence, it can be verified, and it is available. TCP implementations can drop connections when ACK responses are not returned soon enough; this is true of the Windows TCP implementation. After the connection drops, the tunnel client’s normal behavior is to attempt to resume the connection transparently for 20 seconds. If congestion caused the drop, resumption is likely to fail, and the user sees the tunnel terminate.
- Cluster Failover occurred, and client’s resumption failed: In a cluster configuration, when an active node fails over to the standby node, client connections are preserved by the client tunnel resumption mechanism. Clients will continue tunnel resumption attempts for 20 seconds, and then give up; if the Failover is not complete within this time the tunnel connection is dropped. On orderly termination the client does not attempt resumption, so all tunnel connections are dropped.
- In addition, a new client connection initiated after Failover, but during the period in which tunnel clients are attempting resumption, might be assigned an address that an existing client is trying to resume using. Several characteristics of address assignment make this case unlikely, but if it occurs the resuming client’s tunnel is dropped.
- Client service failure: Failure of the client service software can cause the tunnel to drop, and an error dialog box to appear. Retrieve the client log, send the log file to for analysis along with a description of the situation, and then restart the service.
- Server software failure: Failure of the appliance tunnel software generally causes a spontaneous reboot of the appliance, or possibly an indefinite hang.
- In the reboot case, a crash dump appears in a numbered directory in /var/log/dump; retrieve and analyze this information.
- If the appliance hangs without rebooting, the crash dump may have succeeded before the hang; reboot the appliance and check /var/log/dump for a new crash dump, and then retrieve and analyze this information. You may need to reproduce the circumstances that led to the crash.
|
General server problems | Tunnel problems typically show up at the client first. Many possible problems can be identified only by an administrator in AMC or, sometimes, at an SSH console or the system serial console. For more information, see General Networking Issues in the Administration Guide. |
Network tunnel service is not running | At the serial console or in an SSH session, type: uscat /var/avt/vpn/status If the network tunnel service is configured and running, client virtual address range information will appear. Otherwise, nothing will appear except another shell prompt. The following items can help you determine why the network tunnel service is not running. - License invalid or expired: If your appliance license is invalid, AMC displays a license warning at the top- right corner of every AMC page after login. You may need to contact to resolve licensing issues.
- Stopped in AMC or from console prompt: In the Network Tunnel Service area of the AMC Services page, you can stop the network tunnel service indefinitely, and you can view information that indicates whether the service has been stopped.
- Service unconfigured, or incorrectly configured: The network tunnel service must be configured with virtual addresses and related information for assignment to clients. If tunnel service configuration is incomplete, the service will not run.
- Server software failure: A failure of a userspace network tunnel service component will generally cause the failed component to restart. There may be helpful information in the log or in a corefile in /var/log/core. Serious failure of a kernel component will likely result in a crash dump.
- Cluster issues: Clustered appliances must be able to communicate over their cluster interfaces. If they cannot communicate reliably, both nodes in the pair may attempt to provide service, resulting in failures, or both nodes may be on standby, so that neither is providing service.
|
General OnDemand Issues
Testing OnDemand
Test OnDemand by connecting to the appropriate URLs to start the applet, and then running the supported applications.
When testing, make sure that:
- OnDemand can communicate with required network access services.
- Web proxy service authentication and access control are working.
- OnDemand automatically redirects connections properly.
- OnDemand creates connections for each configured application.
- OnDemand starts any thin-client applications that are configured to start automatically.
Viewing OnDemand Log Files
For users running Windows, OnDemand creates a log file when it starts that contains troubleshooting messages.
The log files are saved here:
- %SystemRoot%Documents and SettingsAllUsersApplication DataAventailLogfiles
- %SystemRoot%Documents and SettingsApplication DataAventailLogfiles
Detecting the JRE Version
If OnDemand is not working properly, ensure that the user is running a version of the Java Runtime Environment (JRE) that is supported by OnDemand; see Client Components on page 21 for system requirements. In addition, make sure the user has enabled Java in the browser; see Enabling Java in the Browser in the Administration Guide.
To detect the JRE version running on a client computer
- Internet Explorer for Windows: Open the browser’s Java Console to view information about your JRE; see Viewing the Java Console in the Administration Guide.
- Browsers for Mac OS X: In the Applications folder, open the Utilities folder, and then open the Java folder. Run the Java Plugin Settings program, and then click About in the menu to see information about the version you are running.
NOTE:Some versions of Windows may not include a JRE; in this case, you see an error message (“jview.exe must exist in path or you need to set JAVA_HOME”). If you see this message but you know that you have a JRE on your Windows computer, set the path to the JRE directory as JAVA_HOME in the Environment Variables dialog box; see Windows Help for information. Otherwise, you must either install
a JRE on your Windows computer or use a different computer.
Enabling Java in the Browser
- Java must be enabled in the user’s browser for the OnDemand applet to run. In Internet Explorer, Java is enabled by default. If OnDemand doesn’t run, and you suspect the defaults have been changed, enable them as described in the browser’s documentation.
Viewing the Java Console
If the OnDemand applet doesn’t start, the Java Console might offer an explanation. Have your user follow the steps appropriate for his or her machine:
Viewing the Java console: Windows—Sun JRE users
- Users who are running the Sun Java Runtime Environment can access the Java Console by right-clicking the Sun Java icon in the taskbar notification area.
- Click Open Console.
Viewing the Java console: Internet Explorer for Windows
- Click Tools > Internet Options, and then click the Advanced tab.
- Under Microsoft VM, select the Java Console enabled and Java logging enabled check boxes, and then click OK.
- Close the browser and then reopen it.
- Click Java Console on the View menu.
Viewing the Java console: Mac OS X
- In the Applications folder, open the Utilities folder.
- In the Java folder, run the Java Plugin Settings program.
- In the Java Plug-in Control Panel, click Use Java console on the General page.
Troubleshooting specific OnDemand issues
Issue | Troubleshooting Tips |
OnDemand does not start | On the computer you are trying to start OnDemand, verify that Java or JavaScript is enabled in the Web browser. If Java is enabled in the browser, also verify that the browser is using a version of the Java Runtime Environment (JRE) that is supported by OnDemand; go to Administration Guide and see Client Components for system requirements. If both of these options are enabled, and OnDemand still doesn’t start, open the Java Console on the user’s computer to see Java messages. If the problem requires a call to Technical Support, you’ll be asked about these messages; see Viewing the Java Console in the Administration Guide. |
An application does not run correctly over OnDemand | Have the user check the OnDemand Details page and verify whether the application name is active or inactive. Problems can occur when more than one application is configured to use the same local IP address and port. To see more details about the problem, ask the user to copy the log messages from the OnDemand Details page and email them to you. |
OnDemand is installed but not activated | If both ActiveX and UAC (User Account Control) are disabled on a client computer running Vista SP1, OnDemand can be installed but fails to activate unless Java is configured to keep a cache of temporary files on the local computer. To select the cache setting, go to the Control Panel and open the Java Control panel. In the Temporary Internet Files area, click Settings, and then select Keep temporary files on my computer. |
The server-certificate Accept button is unavailable | Under some circumstances, OnDemand may present the user with a server certificate that he or she cannot accept. If the Accept button on the certificate page is unavailable, OnDemand detects a problem with the server certificate. The most common causes of this problem are: - Date/time mismatches between client computer and server. Verify that the client computer and the Web proxy service have the correct date and time.
- The certificate has expired or is not yet valid.
- The certificate information does not match the server information.
- The certificate chain is invalid.
|
Client Troubleshooting
Windows Client Troubleshooting {Resetting Browser and Java Settings}
- Follow these steps to reset browser and Java settings. Where applicable, the instructions for Internet Explorer, Google Chrome, and Firefox Mozilla are given.
Clear Cookies and Cache
To clear browser cookies and cache in Internet Explorer
- Navigate to Tools |Internet Options.
- Click Delete Files and Delete Cookies.
To clear browser cookies and cache in Mozilla Firefox
- Navigate to Tools | Clear Private Data.
- Select at least these three check boxes.
- Cache
- Cookies
- Authenticated Sessions
- Click Clear Private Data Now.
To clear browser cookies and cache in Google Chrome
- Navigate to Tools | Clear browsing data.
- Select at least these check boxes:
- Delete cookies and other site and plug-in data
- Empty the cache
- Click Clear browsing data.
To reset the security level for all Web content zones in Internet Explorer
- Navigate to Tools | Internet Options | Security tab.
- Highlight a Web content zone (for example, Internet), and then click the Default Level button. Do this for each zone.
To reset advanced Internet Explorer settings
- Navigate to Tools | Internet Options |Advanced tab.
- Click the Restore Defaults button.
To reset Internet Explorer privacy settings
- Navigate to Tools |Internet Options | Privacy tab.
- Click the Default button.
To clear the Java Cache on your Windows system:
- In the Control Panel, double-click Java.
- Click the Delete Files button.
- Make sure that all three types of temporary files are selected for deletion, and then click OK.
Enable your Java Cache
By default, Java is configured to keep a cache of temporary files on the local computer. If you are using Java for remote access through an SMA appliance, make sure that this cache is enabled
- In the Windows Control Panel, open Java.
- In the Java control panel, click Settings in the Temporary Internet Files area.
- Select Keep temporary files on my computer.
To uninstall all Secure Mobile Access files
- Reboot your computer. This ensures that no files are loaded in memory and makes the uninstall easier.
- Remove all Secure Mobile Access components:
- In Windows Explorer, browse to %WINDIR%Downloaded Program Files.
- Right-click the Secure Mobile Access Installer file, and select Remove.
- Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.
- In the Control Panel, open Add/Remove Programs.
- Remove each Secure Mobile Access component.
- The Secure Mobile Access software may have been installed using either ActiveX or Java (if you’re not sure, follow both sets of instructions):
The Secure Mobile Access software may have been installed using either ActiveX or Java (if you’re not
sure, follow both sets of instructions):
ActiveX
If you have already removed Secure Mobile Access Installer file. you can skip to the steps for Java.
- In Windows Explorer, browse to %WINDIR%Downloaded Program Files.
- Right-click on the Secure Mobile Access Installer file, select Remove, and then click OK.
- Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.
Java
- In Windows Explorer, browse to %HOMEPATH%Application DataAventailEP.
- Double-click uninstall_ep.exe.
- Uninstall the Secure Mobile Access VPN Software. You are prompted to reboot your computer, but you don’t need to do so until the final step in this procedure.
In Windows Explorer, browse to %HOMEPATH%Application Data, right-click on the Aventail folder, and then select Delete.Reboot the computer.
Logging Back In to WorkPlace
- Log back in to WorkPlace, install Secure Endpoint Manager, and let the Secure Mobile Access components load.
- If something goes wrong during client or agent installation, the error is recorded in a client installation log. This log is automatically uploaded to the appliance and listed in AMC if Secure Endpoint Manager is installed. Users who do not have Access Manager are prompted to upload the log file to the appliance when an installation error occurs.
To obtain additional log files
- Browse to %HOMEPATH%Application Data.
- You should see a folder named Aventail: zip the folder contents up, and email it to Technical Support.
- Browse to %ALLUSERSPROFILE%Application Data.
- You should see a folder named Aventail: zip the folder contents up, and email it to Technical Support.
- Open a DOS box (click Start > Run, type cmd, and then press Enter).
- In the command prompt window, type ngutil -all > ngutil.txt.
- Email the ngutil.txt file to Technical Support.
- Click Start > Run, type msinfo32, and then press Enter.
- Highlight System Summary, and then select File > Export. Email the exported file to Technical Support.
Macintosh system and application information
System information | How to find it |
Operating system | Select About this Mac from the Apple menu. |
Hostfino command | Open the Terminal application (in the Applications > Utilities folder) and type hostfino. This displays processor and kernel information, along with the amount of available memory. |
OpenSSL | Open the Terminal application (in the Applications > Utilities folder) and type the following to display information about OpenSSL: openssl version |
Safari browser | Select About Safari from the Safari menu. |
Java Virtual Machine (JVM) | In the Applications folder, open the Utilities folder. In the Java folder, run the Java Plugin Settings program. In the Java Plug-in Control Panel, click Use Java console on the General page. |
System Profiler | Select About this Mac from the Apple menu. Click More Info to open the System Profiler. The profiler displays detailed information about the computer’s hardware and installed software. The complete report (if you choose to print it) can easily be over 100 pages long. |
When you start Connect Tunnel, make sure that the log files /var/log/AvConnect.log and /var/log/AvConnectUI.log are set to collect debugging information. You can enable debug mode in the Connect client itself, or go to a command prompt and type the following:
/Applications/AventailConnect.app/Contents/MacOS/startct.sh -d
Linux System and Application Information
- Have your users enable debug logging and clear the current set of logs before attempting to reproduce an issue. Once the issue is reproduced, export the logs to Support.
- Use the Enable Debug Logging check box, Clear Logs button, and Export Logs button on the General tab to perform these functions.

See also: