The following sections list out the error codes or messages for the VMware Tunnel Proxy component. You can use these error codes and message to better monitor your AirWatch deployment.

Code Name Meaning
0 UNKNOWN Unknown error. A runtime exception while processing the request
1 MISSING_HEADER

Headers are missing. This can include headers such as "Proxy-Authorization".

Possible Cause: The request was stripped in transit or a bad request was sent from the app.

Possible Solution: Check all hops between the device and VMware Tunnel to see if another network component (e.g. proxy, VPN) stripped the header.

2 WRONG_ENCODING

Proxy-Authorization header value is not Base64 encoded.

Possible Cause: The request was stripped in transit or a bad request was sent from the app.

Possible Solution: Check all hops between the device and VMware Tunnel to see if another network component (e.g. proxy, VPN) stripped the header.

3 TOKENS_DONT_MATCH

Client identification tokens in Proxy-Authorization header do not follow alg:%s;uid:%s;bundleid:%s format. ID_FORMAT should contain encryption algorithm, uid and bundleID in a specific format. One or more of these is not present.

Possible Cause: The request was stripped in transit or a bad request was sent from the app.

Possible Solution: Check all hops between the device and VMware Tunnel.

4 INVALID_ALGO The algorithm in the Proxy-Authorization token is not supported
5 EMPTY_CERT_CHAIN

There is no certificate present in the digital signature passed in the Proxy-Authorization header

Possible Solution: Check all hops for a stripped certificate.

6 SINGLE_SIGNER

Error thrown if there are multiple signers found in the certificate chain. The request is expected to be signed by only one entity.

Possible Cause: A bad certificate.

Possible Solution: Create another certificate with a single signer.

7 SINGLE_SIGNER_CERT

Error thrown if there are multiple certificates for signers. The VMware Tunnel expects only one signer. The request signer should sign it with only one certificate.

Possible Cause: A bad certificate.

Possible Solution: Create another certificate with a single signer.

8 INVALID_SIGN

The signer information could not be verified.

Possible Solution: Import the signer into the trusted certificate store on the server.

9 UNTRUSTED_ISSUER

The certificate used for signing wasn't issued by Device-Root of the given OG.

Possible Cause: AirWatch device root is different for enrolled OG and the OG on which VMware Tunnel is configured.

Possible Solutions: (1) Override the AirWatch device root certificate and regenerate the VMware Tunnel certificate. (2) Export the AirWatch certificate from the Console or reinstall the VMware Tunnel.

10 MISSING_SIGN_TIME

The signing time attribute which is used to determine potential replay attack is missing in the signature

Possible Cause: A bad certificate.

Possible Solution: Determine which certificate is bad in a request log. Create a correct certificate (if the cert is not an AirWatch certificate). Re-run the VMware Tunnel installer.

11 POTENTIAL_REPLAY There is more than a 15 minute interval between signature creation by the requester (AW Browser, Wrapping, etc) and verification by VMware Tunnel
12 INVALID_SIGN_DATA

There is discrepancy in the data that was signed by the requester (AW Browser, Wrapping, etc) and what was expected to be signed by VMware Tunnel. Any method other than the "CONNECT" request is sent to the VMware Tunnel and is rejected.

Possible Cause: An invalid request.

Possible Solution: Check all hops for what changed with the request at each hop.

13 DATA_UNAVAILABLE

The requester’s (AW Browser, Wrapping, etc) related data is not available with VMware Tunnel even after making an API call. No data available for Udid: #####, BundleId: ####.

Possible Cause: VMware Tunnel does not have device details.

Possible Solutions: Check the VMware Tunnel to API connection. Restart the VMware Tunnel service.

14 INVALID_THUMBPRINT

The thumbprint of the certificate used by the requester (AW Browser, Wrapping, etc) for signing and the one expected by VMware Tunnel is different. Invalid SHA-1 thumbprint. Udid: ####, BundleId: ####. VMware Tunnel expected: XYZ, Found:ABC

Possible Cause: Occurs only when device is re-enrolled.

Possible Solutions: Re-install the Client (AWB, Wrapped App). Check the VMware Tunnel to AWCM connection. Restart VMware Tunnel Service.

15 NOT_COMPLIANT

The device making the request is not compliant (Must be in compliance states of ‘Compliant’ or ‘Not Available’).

Possible Cause: VMware Tunnel expected: X,Y, Found: Z

Possible Solution: Check the compliance status in the Device Dashboard.

16 NOT_MANAGED

The device is not managed by AirWatch.

Possible Cause: The device is not enrolled.

Possible Solution: Enroll the device.

17 INVALID_CERT

The certificate used by the requester (AW Browser, Wrapping, etc) for signing is not valid (ex. signing time does not fall in the certificate lifetime).

Possible Solution: Identify the invalid certificate.

18 NEED_CHUNK_AGGREGATION Chunk aggregation is not enabled in MAG.properties file
19 HOST_DISCREPANCY Host name in the URI does not match the one in the host header, deemed as a potential replay attack