You can troubleshoot some common deployment issues for VMware Tunnel using these tools.

Troubleshooting VMware Tunnel Using the Tunnel_snap Utility

The tunnel_snap utility collects all the necessary diagnostic data required for troubleshooting your VMware Tunnel deployment. This utility saves time by reducing the back and forth communication with support.

You must run this utility on each VMware Tunnel server separately, on these folders:

/opt/vmware/tunnel
  • awcm.dat
  • ca.pem
  • device.xml
  • dh2048.pem
  • server.conf
  • tunnel_init.log
  • tunnel.log
  • tunnel.log.1
  • version.info
  • vpn.dat

To run the utility, use this command:

sudo ./tunnel_snap.sh

The utility collects the diagnostic data in:

/opt/vmware/tunnel/tunnel_snap.tar

Troubleshooting VMware Tunnel Using the UAG Web UI

The UAG Web UI offers a way to check the service availability and collect all the UAG log files including Tunnel and Proxy log files.

  1. Click the Read More section to assist with troubleshooting.
  2. Monitor the Edge Services Status. Expand the Edge Services section and find VMware Tunnel. When VMware Tunnel is running as expected, a green light is shown on the left side of the service. If a light of any other color is shown, either the service is not running or it is running with errors that require further investigation. In the UAG Web UI, hover over the light for more information.
  3. Collecting Logs from the Appliance. Download the .zip archive of logs from the Support Settings section of the Admin UI. These log files are collected from the /opt/vmware/gateway/logs directory on the appliance.
  4. Review the appliance-agent.log, making sure that both Tunnel and the Proxy services are installed correctly.
    Note: The log should display: [main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Proxy installation SUCCESS!!!! and/or [main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Per-App Tunnel installation SUCCESS!!!!

You can access the VMware Tunnel logs from the UAG without logging into the appliance by accessing a specific URL based on your deployment. To download a ZIP file that contains your logs, enter the following URL in a browser:

https://<virtual appliance domain name>:9443/rest/v1/monitor/support-archive
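The log review in step 4, as an added shell example (not VMware's own tooling): it looks for the two installer messages quoted in the note inside an appliance-agent.log extracted from the downloaded archive. The function names `check_tunnel_install` and `make_sample_log` and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: confirm the installer messages quoted in the note above
# appear in appliance-agent.log. Helper names are hypothetical.

PROXY_MSG='[main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Proxy installation SUCCESS'
PERAPP_MSG='[main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Per-App Tunnel installation SUCCESS'

# Prints "proxy=<ok|missing> per_app=<ok|missing>".
# Returns 0 if at least one component logged success (the note says and/or),
# 1 if neither did, 2 if the log cannot be read.
check_tunnel_install() {
    log=$1
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    proxy=missing
    per_app=missing
    # -F matches fixed strings. As a regular expression, "[main]" would be a
    # bracket expression (one character) and every "." a wildcard, so a plain
    # grep with this pattern would not find the literal message.
    grep -qF -- "$PROXY_MSG" "$log" && proxy=ok
    grep -qF -- "$PERAPP_MSG" "$log" && per_app=ok
    echo "proxy=$proxy per_app=$per_app"
    [ "$proxy" = ok ] || [ "$per_app" = ok ]
}

# Constructed sample log: the timestamps and the first line are made up;
# the second line uses the Per-App message text quoted in the note.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2024-01-01 10:00:00 [main] INFO example.Placeholder - constructed filler line
2024-01-01 10:00:05 [main] INFO c.a.a.a.s.i.tunnel.TunnelInstaller - VMware Tunnel Per-App Tunnel installation SUCCESS!!!!
EOF
    echo "$f"
}

sample=$(make_sample_log)
check_tunnel_install "$sample"   # prints: proxy=missing per_app=ok
rm -f "$sample"
```
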

Troubleshooting Per-App Tunnel Component

Use these commands to troubleshoot the Per-App Tunnel component.

Platform: Unified Access Gateway/CentOS/RHEL 7.x

Function               Command
Start the Service      systemctl start vpnd.service
Stop the Service       systemctl stop vpnd.service
Restart the Service    systemctl restart vpnd.service

Troubleshooting PAC Reader

If you have any issues with the VMware Tunnel PAC Reader, check the status and the logs of the PAC Reader. The logs are located in the home pacreader folder on the PAC Reader. Use these commands to troubleshoot the PAC Reader.

Function                                 Command
Start the PAC Reader                     ./pacreader.sh start
Stop the PAC Reader                      ./pacreader.sh stop
Check the PAC Reader status              ./pacreader.sh status
Run the PAC Reader in validation mode    ./pacreader.sh validate

This command tells the PAC Reader to fetch and parse the PAC file but does not push the rules to the Workspace ONE UEM console.