airwatchhk

Workspace ONE Tunnel Troubleshooting

Updated: Feb 11


Reference:


Check the tunnel status on both the front-end and back-end servers





On your UAG front end and back end, run the following commands to make sure they can reach the API and AWCM without errors



curl -v https://xxx.xxx.com:2001/awcm/statistics --cacert /etc/pki/tls/certs/ca-bundle.crt
curl -v https://xxx.xxx.com:443/api/help --cacert /etc/pki/tls/certs/ca-bundle.crt

Pay attention to the output, as the error might not be obvious in some cases


If you get an error communicating with AWCM and the API, follow this:




To get more logging, use the DEBUG level. You can set this from the UEM console





If the API is good, you should see Tunnel get a list of whitelisted devices in the tunnel log. Tunnel allows or disallows devices to connect based on the device.

tunnel.log path

tunnel.log





We also need a good AWCM connection from Tunnel for things to work. This is an example of a good AWCM connection.

This is a tunnel log sample from when an iOS Tunnel app requests to connect to the tunnel server




Server certificate health check



Check the certificate thumbprint in the backend server.conf file

server.conf file location



When connecting to the tunnel backend

Showing the certificate of the tunnel backend


Run the openssl command to connect to the tunnel backend and make sure the certificate thumbprint matches



[root@localhost vpnd]# openssl s_client -connect 127.0.0.1:8443
CONNECTED(00000003)
depth=0 CN = 192.168.43.17
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = 192.168.43.17
verify return:1
139624013629328:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
139624013629328:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=192.168.43.17
   i:/CN=192.168.43.17
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE6DCCAtCgAwIBAgIQFSq//capIY5Pu9YfZaciyjANBgkqhkiG9w0BAQ0FADAY
MRYwFAYDVQQDEw0xOTIuMTY4LjQzLjE3MB4XDTE4MDUxNTE1MDAwMFoXDTM4MDUx
NjE1MDAwMFowGDEWMBQGA1UEAxMNMTkyLjE2OC40My4xNzCCAiIwDQYJKoZIhvcN
AQEBBQADggIPADCCAgoCggIBANLMwx/ACq8oDfKLGH/oudldJwXDuFGBaDLm5BKR
SVdmMRce6RwkHSM2dDhFXJcI5M1KJ8wzPxpjRBRPmuZI5d6Jwy6mJJACyEALKB8i
eZdWKyYtUBwi/bcDKmcplJe7fEV6+arnsyQTTGhuL64oxjXxn7tbuJi8opc2jtCn
FbbFm+RDTY0bgi6XVGJSJVOvB6EIQ/tNQPQ41jjEyOvxP7ISDM02rLlT1jMXwQ5q
TjPBvaS/wXD8BvyCnEyQXdUkfsgaNn9O7flq95rGWrVZqDdDOFM610J9b4ruJ8RL
Z5/j6iyvVDsvfq6VJgnmSfxpA1DnTwlZDaemLaS3HVFVlOlLteaKuLhmJNkUTkSw
J9ncuccbu8nCmKXT+Dhw0DYoYliiDheQqR2/62fA24C95OUk612vXEJMv0ge5fBz
v9/2cZvFExun69UQf51PH0kII54V9OQYf9TpKOz+iS335sibRP8zbPWRlCkTTf+U
XvwHW10G/5sfbryleCBBYfvc6vmNHhgwqwWaFTlPjrWfNt+74cHPfJeuyMu/VQFT
GCT/IcYyDk3Z2zkYZeGA8O17HNMOJSG8dZjAjsgHbtO62LqVn6dRTbL2j1LovdVM
6ry+uj6GpAIiVd+7c+oF/HiyRKuA4xyk/ZuOlZVkONpTypNN6gutblBTy7kYmA0m
s1+rAgMBAAGjLjAsMAsGA1UdDwQEAwICtDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDQYJKoZIhvcNAQENBQADggIBAKHN9clJkzUwPhLmKPw2EjqzjYca
mB6FDxFSaj0KX2Xndol3MNZHtZchK8Va1Z/8ff3q1iHs3n8o2QAwR6yF+s4RyyR6
Mr+TnKet+otHZls65w9ryGMtWCiQQRlXDgTSD15vpKD35UOiflWuTHUE/Xp3KqRk
m6P4+5CYXIY+dm3rY8LdUF6Vb9Vd2hbysiDb3lYLtmX9Cu2TeX3gIaKJozsDMlPI
JJijZZkGC4kdnhxKtLerO5r0kv9t10xcK2eBrNJS/iypOebHyY+NQl3dQNF+SEfp
l9F1fU9hjbxMl38vHDdcGuZLZABJNw7y1o4dyWBlvTq8p3kQRGJTdJXdFeGWYmPn
O9m6bdXcECwzdkZgnB/uuxeCq/fkVYoN6mfQ0b/crMLiil995yb0smrbJksqmm3g
o9zfkfuvQdeJGi4YgOWk0nTFaXdZ3eX24J8um/yA+fO7V9YAR3zW7wk5s67OG7FI
1L8zLeEqIquS8fAn1h71vgTUT4TosVYXt8+zZEP2P7TPKSvm5hkUQvnxn7W9atXF
Hvt0SKlPriv38RVJ8fFQMnVMl7Nfc/pgiKUaTGmq5qwu3UVBzRL89Vo5psvy5O78
tDJWDnt41Gi6HGUJAhoR/p/O8Uc67wZS6l8LNJZt/qzqrQJgsCSjseszRcDYiu87
ATN5V28k8y8gnsrP
-----END CERTIFICATE-----
subject=/CN=192.168.43.17
issuer=/CN=192.168.43.17
---
Acceptable client certificate CA names
/CN=AwVPNDeviceRoot cn1109.awmdm.com/AFW
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2049 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 1F2E08B98CBE3E946B1C3BED6D7ACE7F151762381B50275EA0FF1A86A202F36B6C8CF29FFCC6F71656B393F9F9770FEF
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1585369914
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
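
Added example (not from the original post): a shell helper that turns the manual thumbprint comparison above into a pass/fail check. It assumes the thumbprint stored in server.conf is the SHA-1 fingerprint of the backend certificate (pass another digest name if yours differs); the expected value is pasted in by hand, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the tunnel backend's certificate fingerprint with the
# thumbprint copied by hand from server.conf. Function names are hypothetical.

# Strip any "SHA1 Fingerprint=" style prefix, colons and whitespace, then
# uppercase, so differently formatted thumbprints compare equal.
normalize_thumbprint() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# thumbprints_match EXPECTED ACTUAL
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is empty or not hex.
thumbprints_match() {
    a=$(normalize_thumbprint "$1")
    b=$(normalize_thumbprint "$2")
    case "$a" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "$a" = "$b" ]
}

# backend_thumbprint HOST:PORT [DIGEST]
# Feeds the certificate printed by s_client into x509 to get its fingerprint.
# Assumption: server.conf stores a SHA-1 thumbprint, hence the sha1 default.
backend_thumbprint() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint "-${2:-sha1}"
}

# check_backend HOST:PORT EXPECTED [DIGEST]
check_backend() {
    actual=$(backend_thumbprint "$1" "${3:-sha1}") || {
        echo "no certificate received from $1" >&2
        return 2
    }
    if thumbprints_match "$2" "$actual"; then
        echo "MATCH $(normalize_thumbprint "$actual")"
    else
        echo "MISMATCH backend=$(normalize_thumbprint "$actual")" \
             "expected=$(normalize_thumbprint "$2")" >&2
        return 1
    fi
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -ge 2 ]; then check_backend "$@"; fi
```

Saved under a name of your choice, it is run on the backend as `sh <script> 127.0.0.1:8443 <thumbprint from server.conf>`. As the sample session above shows, s_client still prints the server certificate when the handshake ends with an alert, so the fingerprint can be computed either way.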

Check the device side


You should have two certificates on your device. One is the tunnel server certificate. The other one is the client cert for client side authentication.




Make sure the Workspace ONE Tunnel client is on the device




Make sure the connection is good





Check the VPN client if required

If you have an iOS device and a Mac with you, you can plug your iPhone into your Mac, open the Mac Console application, and see the iOS Tunnel app debug log in real time





VMware self signed certificate strength


This is a comparison of a VMware self-signed server certificate and a public certificate. You can see that the VMware self-signed certificate is competitive with a public certificate.


