VMware Tunnel Troubleshooting and support section helps you resolve some of the VMware Tunnel deployment issues.
Troubleshooting VMware Tunnel using the Tunnel_snap Utility
The tunnel_snap utility collects all the necessary diagnostic data that might be required for troubleshooting your VMware Tunnel deployment. This utility helps troubleshooting by reducing the back and forth communication with support and saves time.
The utility captures data from the following files:
Use this utility while troubleshooting any issue related to the VMware Tunnel. You must run the utility on each VMware Tunnel server separately.
- awcm.dat
- ca.pem
- device.xml
- dh2048.pem
- server.conf
- tunnel_init.log
- tunnel.log
- tunnel.log.1
- version.info
- vpn.dat
/opt/vmware/tunnel
Use the following command to run the utility:
sudo ./tunnel_snap.sh
The utility collects the diagnostic data in:
_/opt/vmware/tunnel/tunnel_snap.tar _Troubleshooting VMware Tunnel using the UAG web UI
The UAG web UI offers a simple way to check the service availability and collect all the UAG log files that includes the Tunnel and Proxy log files.
- Click the Read more section that can assisit you with the troubleshooting.Monitoring Edge Services Status:
Expand the Edge Services section and find VMware Tunnel. If the Tunnel is running as expected, it shows a green light on the left side of the service. Any other color indicates that either the service is not running, or is running with errors and requires further investigation.
Collecting Logs from the Appliance:
Download a .zip archive of logs from the Support Settings section of the Admin UI. These log files are collected from the /opt/vmware/gateway/logs directory on the appliance.
- To check if the Tunnel and the Proxy services are installed correctly, always review the appliance-agent.log. The log displays the following information:
[main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Proxy installation SUCCESS!!!! and/or [main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Per-App Tunnel installation SUCCESS!!!!
Upgrade Java Without Reinstalling Tunnel Proxy
When a new version of Java releases, you must update the server hosting the Tunnel Proxy server. VMware Tunnel supports a method that does not require reinstalling the Tunnel Proxy component.
- Download the latest RPM package for Java from the official Oracle site.
- Upload the RPM package to your Linux server.
- Install the RPM package.
sudo rpm -1 jdk8u112-linux-x64.rpm - Run the following command to ensure Java is upgraded correctly"
ls -la /usr/java/latest - Restart the Tunnel Proxy service.
Troubleshooting Per-App Tunnel Component
Per-App Tunnel logs are stored in the native syslog system of Linux. This topic covers the commnans that can be used to troubleshoot Per-App Tunnel Component
Troubleshooting Proxy Tunnel Component
tail -f /var/log/vmware/tunnel/vpnd/tunnel.log
The following table lists the commands that are used to troubleshoot Per-App Tunnel Component:
Commands Used to Troubleshoot Per-App Tunnel Component
| Component | Function | Command |
|---|---|---|
| Unified Access Gateway/CentOS/RHEL 7.x | Start the Service |
systemctl start vpnd.services |
| Unified Access Gateway/CentOS/RHEL 7.x | Stop the Service |
systemctl stop vpnd.service |
| Unified Access Gateway/CentOS/RHEL 7.x | Restart the Service |
systemctl restart vpnd.service |
Access Unified Access Gateway Logs:
You can access the VMware Tunnel logs from the Unified Access Gateway without logging into the appliance by accessing a specific URL based on your deployment. To download a ZIP file that contains your logs, enter the following URL in a browser: https://<virtual appliance domain name>:9443/rest/v1/monitor/support-archive.
Troubleshooting PAC Reader
If you have any issues with the VMware Tunnel PAC Reader, check the status and the logs of the PAC Reader to help troubleshoot any issues.
Before contacting Workspace ONE UEM Support, consider checking the PAC Reader logs for any issues. The logs are located in the home folder of the PAC Reader. This folder is the pacreader folder.
The following table lists the commands that are used to troubleshoot PAC Reader:
| Function | Command |
|---|---|
| Start the PAC Reader |
./pacreader.sh start |
| Stop the PAC Reader |
./pacreader.sh stop |
| Check the PAC Reader status |
/pacreader status |
| Run the PAC Reader in validation mode |
./pacreader.sh validate This command tells the PAC Reader to fetch and parse the PAC file but does not push the rules to the Workspace ONE UEM console. |
Troubleshooting Proxy Tunnel Component
Proxy logs are stored in the native syslog system of Linux. The topic covers the commnads that are used to Troubleshoot Proxy Tunnel Component.
Commands Used to Troubleshoot Proxy Tunnel Component
Logs are stored in /var/log/vmware/proxy and can be sorted by the following command (as root):
tail -f /var/log/vmware/proxy/proxy.log
The following table lists the commands that are used to troubleshoot Proxy Tunnel Component:
| Component | Function | Command |
|---|---|---|
| Proxy – Any CentOS/RHEL version/Virtual Appliance |
Start the Service |
sudo service proxy start |
| Proxy – Any CentOS/RHEL version/Virtual Appliance |
Stop the Service |
sudo service proxy stop |
| Proxy – Any CentOS/RHEL version/Virtual Appliance |
Restart the Service |
|
Access Unified Access Gateway Logs
You can access the VMware Tunnel logs from the Unified Access Gateway without logging into the appliance by accessing a specific URL based on your deployment. To download a ZIP file that contains your logs, enter the following URL in a browser:https://<virtual appliance domain name>:9443/rest/v1/monitor/support-archive
Change the Log Level of VMware Tunnel Proxy Component
You can change the log levels for the Proxy component in the Workspace ONE UEM console by navigating to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel > Configuration > Advanced. In cases where communication between the VMware Tunnel and AWCM or API breaks, you can still change the log level.
- Edit the
/opt/vmware/tunnel/proxy/conf/logback.xmlfile. - Change <root>log-level=VALUE to DEBUG and Save on file.
- Stop and Start the service.
- Revert changes and restart the proxy service when finished.
Verify VMware Tunnel Proxy Connectivity
- Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware Tunnel - Proxy.
- Select Test Connection.The page displays version info, connectivity through HTTP/S, and certificate chain validation.
Proxy Component Error Codes
You can use error codes and their messages to help monitor the health of your VMware Tunnel Proxy component. Learn more about the errors using their code, displayed name, and meaning to your Workspace ONE UEM Tunnel Proxy environment.
| Code | Name | Meaning |
|---|---|---|
| 0 | UNKNOWN | Unknown error. A runtime exception while processing the request |
| 1 | MISSING_HEADER | Headers are missing. This can include headers such as "Proxy-Authorization". Possible Cause: The request was stripped in transit or a bad request was sent from the application. Possible Solution: select all hops between the device and VMware Workspace ONE Tunnel to see if another network component (e.g. proxy, VPN) stripped the header. |
| 2 | WRONG_ENCODING | Proxy-Authorization header value is not Base64 encoded. Possible Cause: The request was stripped in transit or a bad request was sent from the application. Possible Solution: select all hops between the device and VMware Workspace ONE Tunnelto see if another network component (e.g. proxy, VPN) stripped the header. |
| 3 | TOKENS_DONT_MATCH | Client identification tokens in Proxy-Authorization header do not follow alg:%s;uid:%s;bundleid:%s format. ID_FORMAT should contain encryption algorithm, uid and bundleID in a specific format. One or more of these is not present. Possible Cause: The request was stripped in transit or a bad request was sent from the application. Possible Solution: select all hops between the device and VMware Workspace ONE Tunnel. |
| 4 | INVALID_ALGO | The algorithm in the Proxy-Authorization token is not supported. |
| 5 | EMPTY_CERT_CHAIN | There is no certificate present in the digital signature passed in the Proxy-Authorization header Possible Solution: select all hops for a stripped certificate. |
| 6 | SINGLE_SIGNER | Error thrown if there are multiple signers found in the certificate chain. The request is expected to be signed by only one entity. Possible Cause: A bad certificate. Possible Solution: Create another certificate with a single signer. |
| 7 | SINGLE_SIGNER_CERT | Error thrown if there are multiple certificates for signers. The VMware Workspace ONE Tunnel expects only one signer. The request signer should sign it with only one certificate. Possible Cause: A bad certificate. Possible Solution: Create another certificate with a single signer. |
| 8 | INVALID_SIGN | The signer information could not be verified. Possible Solution: Import the signer into the trusted certificate store on the server. |
| 9 | UNTRUSTED_ISSUER | The certificate used for signing wasn't issued by Device-Root of the given OG. Possible Cause: Workspace ONE UEM device root is different for enrolled OG and the OG on which VMware Workspace ONE Tunnel is configured. Possible Solutions: (1) Override the Workspace ONE UEM device root certificate and regenerate the VMware Workspace ONE Tunnel certificate. (2) Export the Workspace ONE UEM certificate from the Console or reinstall the VMware Workspace ONE Tunnel. |
| 10 | MISSING_SIGN_TIME | The signing time attribute which is used to determine potential replay attack is missing in the signature Possible Cause: A bad certificate. Possible Solution: Determine which certificate is bad in a request log. Create a correct certificate (if the cert is not a Workspace ONE UEM certificate). Rerun the VMware Workspace ONE Tunnel installer. |
| 11 | POTENTIAL_REPLAY | There is more than a 15 minute interval between signature creation by the requester (AW Browser, Wrapping, etc) and verification by VMware Workspace ONE Tunnel. |
| 12 | INVALID_SIGN_DATA | There is discrepancy in the data that was signed by the requester (AW Browser, Wrapping, etc) and what was expected to be signed by VMware Workspace ONE Tunnel. Any method other than the "CONNECT" request is sent to the VMware Workspace ONE Tunnel and is rejected. Possible Cause: An invalid request. Possible Solution: select all hops for what changed with the request at each hop. |
| 13 | DATA_UNAVAILABLE | The requester’s (AW Browser, Wrapping, etc) related data is not available with VMware Workspace ONE Tunnel even after making an API call. No data available for Udid: #####, BundleId: ####. Possible Cause: VMware Workspace ONE Tunnel does not have device details. Possible Solutions: Check the VMware Workspace ONE Tunnel to API connection. Restart the VMware Workspace ONE Tunnel service. |
| 14 | INVALID_THUMBPRINT | The thumbprint of the certificate used by the requester (AW Browser, Wrapping, etc) for signing and the one expected by VMware Workspace ONE Tunnel is different. Invalid SHA-1 thumbprint. Udid: ####, BundleId: ####. VMware Workspace ONE Tunnel expected: XYZ, Found:ABC Possible Cause: Occurs only when device is re-enrolled. Possible Solutions: Reinstall the Client (AWB, Wrapped application). Select the VMware Workspace ONE Tunnel to AWCM connection. Restart VMware Workspace ONE Tunnel Service. |
| 15 | NOT_COMPLIANT | The device making the request is not compliant (Must be in compliance states of ‘Compliant’ or ‘Not Available’). Possible Cause: VMware Workspace ONE Tunnel expected: X,Y, Found: Z Possible Solution: select the compliance status in the Device Dashboard. |
| 16 | NOT_MANAGED | The device is not managed by Workspace ONE UEM. Possible Cause: The device is not enrolled. Possible Solution: Enroll the device. |
| 17 | INVALID_CERT | The certificate used by the requester (AW Browser, Wrapping, etc) for signing is not valid (ex. signing time does not fall in the certificate lifetime). Possible Solution: Identify the invalid certificate. |
| 18 | NEED_CHUNK_AGGREGATION | Chunk aggregation is not enabled in MAG.properties file |
| 19 | HOST_DISCREPANCY | Host name in the URI does not match the one in the host header, deemed as a potential replay attack |
Verifying Proxy connectivity post-installation can help determine whether your installation was successful.
