-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
What does this log error mean? ::API::setInterrogationResult:: User is not authorized to access CT
03/26/2020 
4 People found this article helpful
479,382 Views
Description
In the AMC log, the admin user may see errors like this:
::API::setInterrogationResult:: User is not authorized to access CT
Screen shot of the error:
This will coincide with a user not being able to log into the SMA with a tunnel client. This log error is the indication the user was denied access to the Connect Tunnel built in resource that controls user access with tunnel clients and the ability of a web user to download the Connect Tunnel client from Workplace.
To examine this issue the following process can be followed at a minimum:
1. Is there an Access Control rule that the user should match that allows access to the Connect Tunnel resource? If not add one.
2. Is the user logging into the correct realm and matching membership in the correct Community in the realm? Does the user match the correct Active Directory groups?
3. Is tunnel access blocked by the End Point Control Zone the user matches?
Cause
Some reasons this issue might occur:
1. There may be no Access control rule allowing access to the Connect Tunnel resource.
2. The user may not match a REALM, COMMUNITY, or GROUP necessary to match the Access Control rule. This can be related to group membership in the Authentication Server. It can be related to the sequence that Community membership is validated. The Community membership evaluation is done in order top to bottom or left to right depending on the display. See two screen shots below.
3. The End Point Control Zone the user matches may be configured to block Connect Tunnel access.
Graphical Community display, evaluated left to right:
Community listing, evaluated top to bottom:
Resolution
Investigate the reason the user does not match an Access Control rule to the Connect Tunnel resource:
1. When the user tries to login examine that user session in Monitor > User Sessions click on the user name to expand their session data.
Look for the failure to access Connect Tunnel , highlighted in this screen shot:
2. Note the Realm, Community, and EPC zone the user matched, highlighted in this clip from the above screen shot:
3. Examine the Access Control rules that apply to the user, Realm, and Community to confirm there is a rule allowing access.
4. Examine the EPC Zone for Connect Tunnel use prevented. The choice to disable tunnel access is highlighted in the screen shot below:
The resolution of this issue is to ensure the user matches an Access Control rule for the Connect Tunnel built-in resource.
Related Articles
- How to Set Timeout for Inactive Tunnel Connections
- Commands for silent installation of NetExtender via CMD line
- Users on Netextender 10.3.0 version failing to connect with the following error message " Cannot get a response from the server "
Categories
- Secure Mobile Access > SMA 1000 Series
- Secure Mobile Access > SMA 1000 Series > Connect Tunnel Client
- Secure Mobile Access > SMA 1000 Series > Configuration
- Secure Mobile Access > Mobile Connect
- Secure Mobile Access > SMA 1000 Series > User Access
YES
NO