SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 3

The provisioned client is delivered to client computers as an installation package. If the installation procedure fails, the following may explain the issue or offer a solution:

• System is not supported: Ensure that the client computer’s system software is
  supported by the Connect Tunnel client.
• Client software doesn’t match system requirements: If users can access WorkPlace, install the client that is available in WorkPlace.
• User does not have local administrator rights: Users must have administrator rights to install the Connect Tunnel client.
• The Connect Tunnel client installation log file (ngsetup.log) may contain information that can help troubleshoot installation issues. On Windows Vista, the file is located in the ProgramData folder, which is hidden by default:

                                    [drive:]ProgramDataAventailngsetup.log

The OnDemand Tunnel client is automatically installed and activated when a user browses to WorkPlace after authenticating in an appropriately configured realm. Typically, the OnDemand Tunnel agent operates without user intervention, providing secure, tunneled access to configured resources as long as WorkPlace is running. If the OnDemand Tunnel agent fails to install or activate, the following may explain the issue or offer a solution:

• Installing OnDemand Tunnel requires administrator rights.
• OnDemand Tunnel not enabled for this Workplace realm: On the main navigation menu in AMC, click Realms. The Realms page displays a list of all realms defined for the appliance. To review the settings affecting the network tunnel service for a particular realm, click the realm name. On the Communities tab of the Configure Realm page, click Edit in the Access Methods area. Ensure that the Network tunnel client check box is selected.
• System is not supported: Ensure that the client computer’s system software is supported by the OnDemand Tunnel agent.
• Browser is not supported: Ensure that the user is running a Web browser that is supported by the OnDemand Tunnel agent. In the Administration Guide, go to System Requirements and see Client Components

The OnDemand Tunnel agent starts automatically after users successfully authenticate to WorkPlace, if the community supports the OnDemand Tunnel agent. The provisioned Connect Tunnel client requires you to activate it each time you want to begin a tunnel session. Tunnel sessions can remain active for many hours. Interrupting network connectivity for periods of more than a few seconds causes the tunnel session to end. Interruptions occur, for example, when a network cable is disconnected, a laptop is set to sleep, or the network link is so busy that it has high latencies and packet drop rates.

The following describes common failures that can prevent a Connect Tunnel client or OnDemand Tunnel agent connection from succeeding:

• Appliance is unreachable: In the Connect Tunnel login dialog box, click Properties. In the Properties dialog box, under Login group, click Change. If the appliance is reachable over the network, the Select or enter your login box will be populated with a list of available realms. If the appliance is not reachable, after a few moments you will see an error message that reads “The remote network connection has timed out.”
• Incorrect appliance address specified: In the Connect login dialog box, click Properties. In the Properties dialog box, ensure that the Host name or IP address of your VPN is correct. If a host name is entered instead of an IP address, ensure that the client can resolve the host name, and that the host name corresponds to the IP address of the appliance’s external interface.
• Appliance is not running: Ensure that the appliance is running.
• Invalid realm for user name: Ensure that a valid realm is configured for the user.
• Authentication failure: Ensure that the user has specified the correct authentication credentials.
• Client service failure: Retrieve the client log (ngsetup.log), and send the log file to for analysis along with a description of the situation.
• Personal firewall is not permitting tunnel traffic: Ensure that the user’s firewall is configured to allow connections to the appliance’s FQDN or IP address.

When a tunnel is established, an icon representing that tunnel appears in the taskbar notification area. At this point the client computer has access to all configured resources the appliance can reach and for which the user is authorized. If the client cannot reach a resource, the following may explain the issue or offer a solution:

• Resource not defined: Ensure that the correct resource is defined in AMC.
• User not authorized to access resource: In AMC, review access control rules, and realm and community assignments, to ensure that the user is allowed to access the resource.
• Appliance routing cannot reach resource: Ensure that there isn’t a general networking problem between the appliance and back-end resources.
• Server software failure: Note the time of the failure, determine whether the network tunnel service is functioning properly, and gather further troubleshooting information if necessary.

Once connected, a Connect Tunnel or OnDemand Tunnel connection should remain active for many hours. However, the tunnel can end prematurely for several reasons. If a tunnel connection disconnects unexpectedly, the following may explain the issue or offer a solution:

• Tunnel that was left idle timed out: To conserve appliance resources, idle tunnels can disconnect after an extended period of time.
• Administrator stopped or restarted the network tunnel service: Normal configuration operations using AMC should not affect established tunnels; they continue to operate under the configuration that was in effect when they were established. However, configuration changes that affect basic appliance
  networking will cause existing tunnels to drop or hang, possibly requiring a disconnect at the client to recover.
• With the network tunnel service logs set to Info level or higher, the message “Reset Internal Interface and Addressing Information” appears in the log any time the network tunnel service is stopped; in addition, the message “Internal Interface eth0 Address n.n.n.n Netmask n.n.n.n BCastAddr n.n.n.n Subnet
  n.n.n.n” (with appropriate IP addressing values) appears any time the service is started from a stopped condition. In the ngutil log, the text “The server is shutting down” identifies this situation.
• Internetwork carrying tunnel became unresponsive or unreliable: When traffic fills the available bandwidth on any hop between the client and the appliance, packets wait on queues in the end-point TCP stack or in intermediate routers. When queues fill, packets are dropped.
• The network tunnel service carries traffic over a TCP SSL connection. TCP is designed to accept network unreliability by delivering traffic only when it is in sequence, it can be verified, and it is available. TCP implementations can drop connections when ACK responses are not returned soon enough; this is true of the Windows TCP implementation. After the connection drops, the tunnel client’s normal behavior is to attempt to resume the connection transparently for 20 seconds. If congestion caused the drop, resumption is likely to fail, and the user sees the tunnel terminate.
• Cluster Failover occurred, and client’s resumption failed: In a cluster configuration, when an active node fails over to the standby node, client connections are preserved by the client tunnel resumption mechanism. Clients will continue tunnel resumption attempts for 20 seconds, and then give up; if the Failover is not complete within this time the tunnel connection is dropped. On orderly termination the client does not attempt resumption, so all tunnel connections are dropped.
• In addition, a new client connection initiated after Failover, but during the period in which tunnel clients are attempting resumption, might be assigned an address that an existing client is trying to resume using. Several characteristics of address assignment make this case unlikely, but if it occurs the resuming client’s tunnel is dropped.
• Client service failure: Failure of the client service software can cause the tunnel to drop, and an error dialog box to appear. Retrieve the client log, send the log file to for analysis along with a description of the situation, and then restart the service.
• Server software failure: Failure of the appliance tunnel software generally causes a spontaneous reboot of the appliance, or possibly an indefinite hang.
• In the reboot case, a crash dump appears in a numbered directory in /var/log/dump; retrieve and analyze this information.
• If the appliance hangs without rebooting, the crash dump may have succeeded before the hang; reboot the appliance and check /var/log/dump for a new crash dump, and then retrieve and analyze this information. You may need to reproduce the circumstances that led to the crash.

At the serial console or in an SSH session, type:

uscat /var/avt/vpn/status

If the network tunnel service is configured and running, client virtual address range information will appear. Otherwise, nothing will appear except another shell prompt. The following items can help you determine why the network tunnel service is not running.

• License invalid or expired: If your appliance license is invalid, AMC displays a license warning at the top- right corner of every AMC page after login. You may need to contact to resolve licensing issues.
• Stopped in AMC or from console prompt: In the Network Tunnel Service area of the AMC Services page, you can stop the network tunnel service indefinitely, and you can view information that indicates whether the service has been stopped.
• Service unconfigured, or incorrectly configured: The network tunnel service must be configured with virtual addresses and related information for assignment to clients. If tunnel service configuration is incomplete, the service will not run.
• Server software failure: A failure of a userspace network tunnel service component will generally cause the failed component to restart. There may be helpful information in the log or in a corefile in /var/log/core. Serious failure of a kernel component will likely result in a crash dump.
• Cluster issues: Clustered appliances must be able to communicate over their cluster interfaces. If they cannot communicate reliably, both nodes in the pair may attempt to provide service, resulting in failures, or both nodes may be on standby, so that neither is providing service.

On the computer you are trying to start OnDemand, verify that Java or JavaScript is enabled in the Web browser.

If Java is enabled in the browser, also verify that the browser is using a version of the Java Runtime Environment (JRE) that is supported by OnDemand; go to Administration Guide and see Client Components for system requirements.

If both of these options are enabled, and OnDemand still doesn’t start, open the Java Console on the user’s computer to see Java messages. If the problem requires a call to Technical Support, you’ll be asked about these messages; see Viewing the Java Console in the Administration Guide.

Under some circumstances, OnDemand may present the user with a server certificate that he or she cannot accept. If the Accept button on the certificate page is unavailable, OnDemand detects a problem with the server certificate. The most common causes of this problem are:

• Date/time mismatches between client computer and server. Verify that the client computer and the Web proxy service have the correct date and time.
• The certificate has expired or is not yet valid.
• The certificate information does not match the server information.
• The certificate chain is invalid.

Open the Terminal application (in the Applications > Utilities folder) and type the following to display information about OpenSSL:

openssl version

In the Applications folder, open the Utilities folder.

In the Java folder, run the Java Plugin Settings program.

In the Java Plug-in Control Panel, click Use Java console on the General page.

Select About this Mac from the Apple menu.

Click More Info to open the System Profiler. The profiler displays detailed information about the computer’s hardware and installed software. The complete report (if you choose to print it) can easily be over 100 pages long.