- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
What does this log error mean? ::API::setInterrogationResult:: User is not authorized to access CT
03/26/2020 
3 People found this article helpful
37,965 Views
Description
In the AMC log, the admin user may see errors like this:
::API::setInterrogationResult:: User is not authorized to access CT
Screen shot of the error:
This will coincide with a user not being able to log into the SMA with a tunnel client. This log error is the indication the user was denied access to the Connect Tunnel built in resource that controls user access with tunnel clients and the ability of a web user to download the Connect Tunnel client from Workplace.
To examine this issue the following process can be followed at a minimum:
1. Is there an Access Control rule that the user should match that allows access to the Connect Tunnel resource? If not add one.
2. Is the user logging into the correct realm and matching membership in the correct Community in the realm? Does the user match the correct Active Directory groups?
3. Is tunnel access blocked by the End Point Control Zone the user matches?
Cause
Some reasons this issue might occur:
1. There may be no Access control rule allowing access to the Connect Tunnel resource.
2. The user may not match a REALM, COMMUNITY, or GROUP necessary to match the Access Control rule. This can be related to group membership in the Authentication Server. It can be related to the sequence that Community membership is validated. The Community membership evaluation is done in order top to bottom or left to right depending on the display. See two screen shots below.
3. The End Point Control Zone the user matches may be configured to block Connect Tunnel access.
Graphical Community display, evaluated left to right:
Community listing, evaluated top to bottom:
Resolution
Investigate the reason the user does not match an Access Control rule to the Connect Tunnel resource:
1. When the user tries to login examine that user session in Monitor > User Sessions click on the user name to expand their session data.
Look for the failure to access Connect Tunnel , highlighted in this screen shot:
2. Note the Realm, Community, and EPC zone the user matched, highlighted in this clip from the above screen shot:
3. Examine the Access Control rules that apply to the user, Realm, and Community to confirm there is a rule allowing access.
4. Examine the EPC Zone for Connect Tunnel use prevented. The choice to disable tunnel access is highlighted in the screen shot below:
The resolution of this issue is to ensure the user matches an Access Control rule for the Connect Tunnel built-in resource.
Related Articles
- How to secure Virtual Office portal from all external access
- NetExtender users fail to get connected throwing an Error Failed to get vpn protocol on firmware 10.2.1.2 or above due to misconfigured protocol
- Is SRA/SMA appliance vulnerable to CVE-2016-2183 and CVE-2016-5915?
Categories
- Secure Mobile Access > SMA 1000 Series
- Secure Mobile Access > SMA 1000 Series > Connect Tunnel Client
- Secure Mobile Access > SMA 1000 Series > Configuration
- Secure Mobile Access > Mobile Connect
- Secure Mobile Access > SMA 1000 Series > User Access
YES
NO