Due to the incorrect network configuration or usage of an incorrect certificate for the server-client authentication, you might experience a communication failure between the Tunnel Front-End server and the Back-End server.


  1. Ensure that the Front-End server can communicate with the Back-End Tunnel server on the port mentioned in the tunnel configuration.
  2. Run the following command in the Tunnel Front-End server : openssl s_client -connect <dest_fqdn>:<port> -servername <backend_fqdn>.
    Must display the Tunnel Back-End server SSL certificate.
  3. In the server.conf file, verify the following:

    On the Tunnel, front-end server verify if the c_r_t (that is, cascade_root_thumbprint ) has the thumbprint of the Back-End server's SSL certificate.

    1. The c_r_t in the Tunnel front-end server is same as the cascade_back_end_thumbprint in the Back-end server.

    On the Tunnel back-end server c_r_t should have the root CA's thumbprint of the Tunnel front-end server's SSL certificate.

    1. When the AirWatch certificate is used for Server Auth, the c_r_t in the back-end server is always same as the ssl_thumbprint in the Tunnel front-end server.
    2. When a third-party SSL certificate is used for Server Auth, the c_r_t in the back-end server is the third party's root CA's thumbprint.
  4. Verify if there are any firewall or load balancer rules blocking between the Front-End server to Back-End Tunnel Server.
    • SSL Offloading and SSL Bridging are not supported for the Per-App Tunnel configuration.
    • If you are using Public certificate for the server authentication, the certificate must have a Server and Client authentication under Enhanced Key Usage field .