# Things to check if the RPAM is not working (Troubleshooting)

## 0) Detailed log mode

Before you start checking the following steps, enable the detailed log mode ("debug" in the application properties) for the Remote Access Portal, so that the requests/responses sent to RPAM are recorded.

Logging on the portal has several levels: error, warn, info, verbose and debug. The debug level writes the most information and the error level the least. The level (`log.level.remote.access`) is configured in the application properties file on the Remote Access Portal. Also consider rotation of the log files (`log.time.rotation.remote.access`) so that the log file does not become enormous.

- Default value of `log.level.remote.access`: `info`
- Default value of `log.time.rotation.remote.access`: `1 week`

Example application properties:

```properties
...
# other values: warn, info, verbose, debug
log.level.remote.access = error
# other values: 3 days, 1 week, 2 weeks, 1 month, 3 months, no rotation
log.time.rotation.remote.access = 1 day
```

## 1) Secure Boot

Check whether Secure Boot is disabled on both the Remote Access Portal machine and the RPAM connector / Kron PAM server. If it is enabled, WireGuard might not work.

Linux CLI:

```console
[root@rap ~]# mokutil --sb-state
```

Solution: disable Secure Boot.

## 2) WireGuard configuration and connectivity

Check the WireGuard configuration file on both the Remote Access Portal machine and the RPAM connector / Kron PAM server.

Read the WireGuard config file on the Remote Access Portal:

Linux CLI:

```console
[root@rap ~]# cat /etc/wireguard/wg-server.conf
```

Example:

```ini
[root@rap ~]# cat /etc/wireguard/wg-server.conf
[Interface]
PrivateKey = aaaaaaal/mqg4kkabgxo1gvamqhfpn3jmji4a+se4=
ListenPort = 50044
Address = 10.0.0.1/32

[Peer]
PublicKey = bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```

Read the WireGuard config file on the RPAM connector / Kron PAM server:

Linux CLI:

```console
[root@connector ~]# cat /etc/wireguard/wg-client.conf
```

or

```console
[root@pam ~]# cat /etc/wireguard/wg-client.conf
```
Example:

```ini
[root@connector ~]# cat /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = ccccccduntscufush3crom8qnflnct0xiruh1rksv1e=
ListenPort = 50044
Address = 10.0.0.2/32

[Peer]
PublicKey = dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
```

On the Kron PAM server (`[root@pam ~]# cat /etc/wireguard/wg-client.conf`) the file has the same content.

Ping the Remote Access Portal's WireGuard (tunnel) IP address and the RPAM connector / Kron PAM server's WireGuard IP address from both environments; you should see that packets are sent and received.

Linux CLI (from the connector / Kron PAM server):

```console
[root@connector ~]# ping {remote access portal's WireGuard IP}
[root@pam ~]# ping {remote access portal's WireGuard IP}
```

Example: `ping 10.0.0.1`

Linux CLI (from the portal):

```console
[root@rap ~]# ping {rpam connector / kron pam server's WireGuard IP}
```

Example: `ping 10.0.0.2`

Solution 1: check the WireGuard configurations and restart them.

Linux CLI:

```console
[root@{host} ~]# wg-quick down {wireguard configuration file name}
[root@{host} ~]# wg-quick up {wireguard configuration file name}
```

Example:

```console
[root@rap ~]# wg-quick down wg-server
[root@rap ~]# wg-quick up wg-server
```

or

```console
[root@connector ~]# wg-quick down wg-client
[root@connector ~]# wg-quick up wg-client
```

or

```console
[root@pam ~]# wg-quick down wg-client
[root@pam ~]# wg-quick up wg-client
```
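Added example, not part of the Kron PAM / RPAM product: a small Python checker that reads a wg-server.conf / wg-client.conf pair and reports the cross-side mismatches that leave the tunnel "up" but silent, which is what a ping over the tunnel that never answers usually comes down to. It goes a little beyond the ping test above by verifying each side's Address against the other side's AllowedIPs, the client's Endpoint port against the server's ListenPort, and that PersistentKeepalive is set on both peers. The two sample configs are constructed from the examples above with placeholder keys; file and key names are the ones this guide shows.

```python
"""Cross-check a WireGuard server/client config pair for the mismatches that
leave the tunnel up but silent (example code, not part of the product)."""
import ipaddress
import re


def parse_wg_conf(text):
    """Parse a wg-quick style config into a list of (section, {key: value}).
    Keys are lower-cased because WireGuard treats them case-insensitively."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = {}
            sections.append((m.group(1).lower(), current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return sections


def _section(conf, name):
    return [body for sec, body in conf if sec == name]


def _covered(addr, allowed_ips):
    """True when addr falls inside one of the comma-separated AllowedIPs networks."""
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in allowed_ips.split(",") if n.strip()]
    return any(addr in n for n in nets)


def check_pair(server_conf, client_conf):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    srv_if, cli_if = _section(server_conf, "interface")[0], _section(client_conf, "interface")[0]
    srv_peer, cli_peer = _section(server_conf, "peer")[0], _section(client_conf, "peer")[0]
    srv_addr = ipaddress.ip_interface(srv_if["address"]).ip
    cli_addr = ipaddress.ip_interface(cli_if["address"]).ip

    # Each tunnel address must be inside the other side's AllowedIPs, otherwise
    # WireGuard silently drops the packets (no error, just no traffic).
    if not _covered(cli_addr, srv_peer.get("allowedips", "")):
        findings.append(f"server AllowedIPs does not cover client address {cli_addr}")
    if not _covered(srv_addr, cli_peer.get("allowedips", "")):
        findings.append(f"client AllowedIPs does not cover server address {srv_addr}")

    # The client's Endpoint port must be the port the server really listens on.
    endpoint = cli_peer.get("endpoint", "")
    port = endpoint.rsplit(":", 1)[-1] if ":" in endpoint else None
    if port != srv_if.get("listenport"):
        findings.append(f"client Endpoint port {port} != server ListenPort {srv_if.get('listenport')}")

    # Behind NAT or a stateful firewall the handshake dies without keepalives.
    for name, peer in (("server", srv_peer), ("client", cli_peer)):
        if "persistentkeepalive" not in peer:
            findings.append(f"{name} peer has no PersistentKeepalive")

    if srv_addr == cli_addr:
        findings.append("both interfaces use the same tunnel address")
    return findings


# Constructed sample pair modelled on the configs shown above (placeholder keys).
SERVER_CONF = """\
[Interface]
PrivateKey = AAAAAA_placeholder_server_private_key=
ListenPort = 50044
Address = 10.0.0.1/32

[Peer]
PublicKey = BBBBBB_placeholder_client_public_key=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
"""

CLIENT_CONF = """\
[Interface]
PrivateKey = CCCCCC_placeholder_client_private_key=
ListenPort = 50044
Address = 10.0.0.2/32

[Peer]
PublicKey = DDDDDD_placeholder_server_public_key=
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    print(check_pair(parse_wg_conf(SERVER_CONF), parse_wg_conf(CLIENT_CONF)))  # [] when consistent
```

To use it on a real pair, read the two files (they are root-only, so copy them to the machine where you run this) and pass their contents to `check_pair`; the checker deliberately never touches the private keys beyond parsing them.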
Solution 2: if you still cannot ping, most likely a firewall at the network level blocks the secure tunnel traffic. Check whether the transfer line reads "0 B received, 0 B sent" after running `sudo wg show`. If the transfer line contains any "0 B" value, use netcat/tcpdump (`sudo dnf install nc && sudo dnf install tcpdump`) to verify that you can really send/receive UDP packets to the target environment. Check both sides: 1) from the RPAM connector / Kron PAM server to the Remote Access Portal, and 2) from the Remote Access Portal to the RPAM connector / Kron PAM server.

- Do not rely on messages such as "UDP packet sent successfully" displayed by netcat. In UDP this message only indicates that the packet was handed off to the local network stack; it does not confirm delivery to the remote host.
- The only reliable way to verify UDP communication is to confirm transmission and reception with tcpdump on both ends. If tcpdump does not catch the packet, ask the customer to check their firewall rules at the network level!!!

Side 1 (capture on the portal, send from the connector / Kron PAM server):

Linux CLI:

```console
[root@rap ~]# tcpdump -i any port {udp port}
```

Example: `[root@rap ~]# tcpdump -i any port 51820`

```console
[root@connector ~]# nc -u -vz {public ip address of remote access portal} {udp port}
[root@pam ~]# nc -u -vz {public ip address of remote access portal} {udp port}
```

Example: `nc -u -vz 12.12.12.12 51820`

Side 2 (capture on the connector / Kron PAM server, send from the portal):

Linux CLI:

```console
[root@connector ~]# tcpdump -i any port {udp port}
[root@pam ~]# tcpdump -i any port {udp port}
```

Example: `tcpdump -i any port 51820`

```console
[root@rap ~]# nc -u -vz {public ip address of remote access portal} {udp port}
```

Example: `[root@rap ~]# nc -u -vz 12.12.12.12 51820`
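Added example, not part of the product: the decision in Solution 2 hinges on the `transfer:` line of `wg show`, and "0 B received, some bytes sent" means something quite different from "0 B both ways". This Python snippet parses `wg show` output per peer and turns it into the next step to take. The `wg show` text below is a constructed sample in the format the tool prints (placeholder keys); the verdict names are my own.

```python
"""Classify each peer in `wg show` output to tell 'tunnel never sent anything'
apart from 'we transmit but nothing comes back', the firewall symptom described
in Solution 2 (example code, not part of the product)."""
import re

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}


def _to_bytes(amount, unit):
    return int(float(amount) * _UNITS[unit])


def parse_wg_show(text):
    """Return {peer_pubkey: {"received": int, "sent": int, "handshake": bool, "endpoint": str|None}}."""
    peers = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = {"received": 0, "sent": 0, "handshake": False, "endpoint": None}
        elif current is None:
            continue  # still inside the "interface:" block
        elif line.startswith("endpoint:"):
            peers[current]["endpoint"] = line.split(":", 1)[1].strip()
        elif line.startswith("latest handshake:"):
            peers[current]["handshake"] = True  # line is absent until a handshake completed
        elif line.startswith("transfer:"):
            m = re.match(r"transfer:\s+([\d.]+)\s+(\w+) received,\s+([\d.]+)\s+(\w+) sent", line)
            if m:
                peers[current]["received"] = _to_bytes(m.group(1), m.group(2))
                peers[current]["sent"] = _to_bytes(m.group(3), m.group(4))
    return peers


def diagnose(peers):
    """Map each peer to a verdict that points at the right solution above."""
    verdicts = {}
    for key, p in peers.items():
        if p["received"] > 0 and p["handshake"]:
            verdicts[key] = "ok"
        elif p["sent"] > 0 and p["received"] == 0:
            # Handshake initiations leave this host but nothing comes back:
            # verify the UDP path with tcpdump/nc on both sides (Solution 2),
            # and if that works suspect DPI (Solution 3).
            verdicts[key] = "sent-but-nothing-received"
        else:
            # Nothing was even sent: no Endpoint/keepalive on this side, or the
            # interface was only just brought up (re-check the config, Solution 1).
            verdicts[key] = "no-traffic"
    return verdicts


# Constructed sample in the `wg show` output format (placeholder keys).
SAMPLE_WG_SHOW = """\
interface: wg-server
  public key: DDDDDD_placeholder_server_public_key=
  private key: (hidden)
  listening port: 50044

peer: BBBBBB_placeholder_client_public_key=
  endpoint: 10.10.10.20:50044
  allowed ips: 10.0.0.2/32
  latest handshake: 1 minute, 3 seconds ago
  transfer: 1.25 KiB received, 3.14 KiB sent
  persistent keepalive: every 25 seconds

peer: EEEEEE_placeholder_second_client_key=
  endpoint: 10.10.10.21:50044
  allowed ips: 10.0.0.3/32
  transfer: 0 B received, 1.48 KiB sent
  persistent keepalive: every 25 seconds
"""

if __name__ == "__main__":
    for peer, verdict in diagnose(parse_wg_show(SAMPLE_WG_SHOW)).items():
        print(peer, verdict)
```

On a live host, feed it `subprocess.run(["sudo", "wg", "show"], capture_output=True, text=True).stdout`; run it on both ends, because a peer that shows "sent-but-nothing-received" on one side and "no-traffic" on the other tells you which direction the firewall is dropping.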
Solution 3: rarely, deep packet inspection (DPI) on the firewall blocks the WireGuard service. In particular, if the netcat/tcpdump check from Solution 2 works but the WireGuard transfer value is still 0 B, DPI should be turned off.

Deep packet inspection (DPI) is a firewall capability that analyzes the packet payload (layer 7), not just IP/port (L3/L4). It can identify applications such as VPNs (including WireGuard) via signatures/heuristics and enforce policies based on the detected application. DPI is common in next-generation firewalls (NGFW):

- Palo Alto Networks (App-ID)
- Fortinet FortiGate (Application Control)
- Check Point (App Control)
- Cisco Firepower / ASA with Firepower
- Sophos XG
- Juniper SRX
- some cloud NVAs / ISP carrier firewalls

Even if UDP/51820 is allowed, DPI can classify the traffic as "WireGuard" / "unknown VPN" and drop or throttle it based on application policy.

Example of an application-aware allow rule:

- Source: `<connector IP or subnet>`
- Destination: `<portal IP>`
- Protocol: UDP
- Port: 51820 (or the chosen port)
- Application: WireGuard / unknown VPN / any
- Action: allow
- Inspection: disable (no DPI / no SSL inspection)

## 3) iptables rules on the RPAM connector

Linux CLI:

```console
[root@connector ~]# iptables -t nat -nvL
```

You need to see at least one iptables rule.

Solution: add the iptables rules on the RPAM connector / Kron PAM server manually.

Linux CLI:

```console
[root@connector ~]# iptables -t nat -A PREROUTING -p tcp --dport {https port} -j DNAT --to-destination {kronpam server's ip}:{https port}
[root@connector ~]# iptables -t nat -A POSTROUTING -p tcp -d {kronpam server's ip} --dport {https port} -j SNAT --to-source {rpam connector's ip}
```

Example:

```console
[root@connector ~]# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.20.42.129:443
[root@connector ~]# iptables -t nat -A POSTROUTING -p tcp -d 10.20.42.129 --dport 443 -j SNAT --to-source 10.20.42.17
```

## 4) pam-rap service on the Remote Access Portal machine

Linux CLI:

```console
[root@rap ~]# sudo systemctl status pam-rap.service
```

If the pam-rap service is not running, you need to start it again.

Solution: restart the pam-rap service.

```console
[root@rap ~]# sudo systemctl restart pam-rap.service
```

## 5) Port allowance at the server level (firewalld)

Check the ports that are allowed by the firewalld service.

Linux CLI:

```console
[root@rap ~]# sudo firewall-cmd --list-ports
[root@connector ~]# sudo firewall-cmd --list-ports
[root@pam ~]# sudo firewall-cmd --list-ports
```

Solution: stop the firewalld service, if it is not needed. If it is needed, open only the required ports instead (for example `sudo firewall-cmd --permanent --add-port={udp port}/udp && sudo firewall-cmd --reload`).

```console
[root@rap ~]# sudo systemctl stop firewalld
[root@connector ~]# sudo systemctl stop firewalld
[root@pam ~]# sudo systemctl stop firewalld
```
## 6) IP routing on both the Remote Access Portal and the RPAM connector / Kron PAM server

Linux CLI:

```console
[root@rap ~]# sysctl net.ipv4.ip_forward
[root@connector ~]# sysctl net.ipv4.ip_forward
```

The result should be 1.

Solution: if it is 0, enable IP forwarding by setting it to 1.

```console
[root@rap ~]# sysctl -w net.ipv4.ip_forward=1
[root@connector ~]# sysctl -w net.ipv4.ip_forward=1
[root@pam ~]# sysctl -w net.ipv4.ip_forward=1
```

## 7) SELinux security mode on the RPAM connector

Linux CLI:

```console
[root@rap ~]# getenforce
[root@connector ~]# getenforce
[root@pam ~]# getenforce
```

The result should be `Permissive`.

Solution: if the result is `Enforcing`, switch to permissive mode and allow httpd network connections with these commands. Note that `setenforce 0` only lasts until the next reboot; to keep permissive mode, also set `SELINUX=permissive` in `/etc/selinux/config`.

```console
[root@rap ~]# setenforce 0
[root@rap ~]# setsebool -P httpd_can_network_connect on
[root@rap ~]# setsebool -P httpd_can_network_connect 1
```

or

```console
[root@connector ~]# setenforce 0
[root@connector ~]# setsebool -P httpd_can_network_connect on
[root@connector ~]# setsebool -P httpd_can_network_connect 1
```

or

```console
[root@pam ~]# setenforce 0
[root@pam ~]# setsebool -P httpd_can_network_connect on
[root@pam ~]# setsebool -P httpd_can_network_connect 1
```

## 8) Portal rights of the users

Check the portal rights of the users if the SSH/RDP session over the Remote Access Portal opens with a blank page or an `undefined@undefined` page.

Solution: give these portal rights to the users through user groups:

- Single Connect RDP Client ModuleVisibility
- Single Connect CLI ModuleVisibility

## 9) 403 error "The remote access time given to you has expired!!!"

In Kron PAM 3.8.0 or earlier versions, the Remote Access Portal might repeatedly show a 403 error with the message "The remote access time given to you has expired!!!" to the user. This happens because the target user is an OTP-enabled user.

Solution: either update Kron PAM / Remote Access Portal to version 3.8.1 or above, or disable OTP for the target user.
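Added example, not the product's own tooling: steps 3 to 7 above are all "run a command, compare the output with an expected value", so it pays to run them as one audit and get a list of findings per host. This Python function takes the captured output of `sysctl net.ipv4.ip_forward`, `getenforce`, `sudo firewall-cmd --list-ports`, `iptables -t nat -S` (the `-S` listing form, assumed here instead of `-nvL` because it is easier to match) and `systemctl is-active pam-rap.service` (assumed as the scriptable form of the status check in step 4). The outputs below are constructed samples, not captures from a real system.

```python
"""Audit the outputs of the step 3-7 host checks in one place (example code
added here, not part of the product). It takes the already captured command
outputs as strings, so it can run offline against constructed samples."""
import re

# Expected keys of the `outputs` dict and the command each one came from (assumed mapping):
#   ip_forward      -> sysctl net.ipv4.ip_forward
#   getenforce      -> getenforce
#   firewall_ports  -> sudo firewall-cmd --list-ports   (or "FirewallD is not running")
#   nat_rules       -> iptables -t nat -S               (connector only)
#   pam_rap_active  -> systemctl is-active pam-rap.service (portal only)


def audit_host(role, outputs, wg_port, https_port="443", pam_ip=None, connector_ip=None):
    """role is 'rap' or 'connector'; returns a list of findings, empty when all checks pass."""
    findings = []

    # Step 6: IP forwarding must be on, otherwise tunnel traffic is not routed onwards.
    m = re.search(r"net\.ipv4\.ip_forward\s*=\s*(\d)", outputs.get("ip_forward", ""))
    if not m or m.group(1) != "1":
        findings.append("step 6: net.ipv4.ip_forward is not 1")

    # Step 7: the guide expects Permissive mode.
    mode = outputs.get("getenforce", "").strip()
    if mode != "Permissive":
        findings.append(f"step 7: SELinux mode is {mode or 'unknown'}, expected Permissive")

    # Step 5: when firewalld is running, the tunnel port and HTTPS must be allowed.
    fw = outputs.get("firewall_ports", "").strip()
    if fw and "not running" not in fw:
        allowed = set(fw.split())
        for needed in (f"{wg_port}/udp", f"{https_port}/tcp"):
            if needed not in allowed:
                findings.append(f"step 5: firewalld does not allow {needed}")

    # Step 3 (connector only): DNAT to the PAM server and SNAT back through the connector.
    if role == "connector":
        rules = outputs.get("nat_rules", "").splitlines()
        dnat_ok = any("-A PREROUTING" in r and f"--dport {https_port}" in r
                      and f"--to-destination {pam_ip}:{https_port}" in r for r in rules)
        snat_ok = any("-A POSTROUTING" in r and f"-d {pam_ip}/32" in r
                      and f"--to-source {connector_ip}" in r for r in rules)
        if not dnat_ok:
            findings.append(f"step 3: no DNAT rule for tcp/{https_port} to {pam_ip}")
        if not snat_ok:
            findings.append(f"step 3: no SNAT rule for {pam_ip} via {connector_ip}")

    # Step 4 (portal only): the pam-rap service must be active.
    if role == "rap" and outputs.get("pam_rap_active", "").strip() != "active":
        findings.append("step 4: pam-rap.service is not active")

    return findings


# Constructed sample outputs (not captured from a real system).
CONNECTOR_OK = {
    "ip_forward": "net.ipv4.ip_forward = 1\n",
    "getenforce": "Permissive\n",
    "firewall_ports": "FirewallD is not running\n",
    "nat_rules": (
        "-P PREROUTING ACCEPT\n-P INPUT ACCEPT\n-P OUTPUT ACCEPT\n-P POSTROUTING ACCEPT\n"
        "-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.20.42.129:443\n"
        "-A POSTROUTING -d 10.20.42.129/32 -p tcp -m tcp --dport 443 -j SNAT --to-source 10.20.42.17\n"
    ),
}
RAP_BROKEN = {
    "ip_forward": "net.ipv4.ip_forward = 0\n",
    "getenforce": "Enforcing\n",
    "firewall_ports": "443/tcp\n",
    "pam_rap_active": "inactive\n",
}

if __name__ == "__main__":
    print(audit_host("connector", CONNECTOR_OK, 50044, pam_ip="10.20.42.129", connector_ip="10.20.42.17"))
    print(audit_host("rap", RAP_BROKEN, 50044))
```

Each finding names the step to go back to, so the output doubles as the order in which to apply the fixes above.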
## 10) nginx configuration on the Remote Access Portal

Check the nginx configuration file under `/etc/nginx/nginx.conf` on the Remote Access Portal.

Linux CLI:

```console
[root@rap ~]# cat /etc/nginx/nginx.conf
...
upstream backend {
    server {rpam connector's WireGuard ip}:443;
}
...
```

Example:

```console
[root@rap ~]# cat /etc/nginx/nginx.conf
...
upstream backend {
    server 10.0.0.2:443;
}
...
```

Check the server entry in the `upstream backend` section of nginx.conf, and check whether the nginx service is active.

Solution: if the nginx service is not running, restart it on the Remote Access Portal machine.

```console
[root@rap ~]# sudo systemctl restart nginx.service
```

## 11) nginx configuration file content (404 error)

Check that you use the correct nginx configuration file under `/etc/nginx/nginx.conf` on the Remote Access Portal machine. If the RPAM link returns an HTTP 404 error, check the nginx configuration file. The file should contain these lines:

```console
[root@rap ~]# cat /etc/nginx/nginx.conf
...
#
# kronpam internal redirections (frontend)
#
...
location /rap-ui/static {
    proxy_set_header X-Forwarded-For $remote_addr;
    real_ip_header X-Forwarded-For;
    proxy_pass http://127.0.0.1:7777/static;
}
...
```

Solution: if these lines are not present yet, add the `location /rap-ui/static { ... }` block to the nginx.conf file on the Remote Access Portal machine and save the file. After that, restart the nginx service (`sudo systemctl restart nginx.service`).

## 12) Certificate error on the RPAM links

If the RPAM links produce a certificate error, check whether the self-signed certificate and the generic RSA private key have been replaced with the customer's own certificate and RSA private key. The customer should remove the self-signed certificate and the generic RSA private key from the `/etc/nginx/certs` directory, then add the customer's own certificate and RSA private key with the same names, and finally restart the nginx service with `sudo systemctl restart nginx.service`.

Solution: if the customer has its own certificate and RSA private key, put these files under `/etc/nginx/certs` with the names `cert.crt` and `cert.key`. After that, restart the nginx service (`sudo systemctl restart nginx.service`).
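Added example, not part of the product: steps 10 to 12 all come down to inspecting `/etc/nginx/nginx.conf`, so here is a Python checker that locates the `upstream backend` block, the `location /rap-ui/static` block and the certificate directives and reports what is missing. It uses a brace-counting block finder rather than a full nginx parser, which is enough for these three checks. The sample nginx.conf is constructed from the fragments above; it assumes the server block references the certificate via the standard `ssl_certificate` / `ssl_certificate_key` directives, which the guide does not show.

```python
"""Check the parts of /etc/nginx/nginx.conf that steps 10-12 above care about
(example code added here, not part of the product)."""
import re


def find_block(conf, directive, name):
    """Return the body of the first `directive name { ... }` block, or None.
    Braces are counted so nested location/if blocks stay inside the body."""
    m = re.search(rf"\b{directive}\s+{re.escape(name)}\s*\{{", conf)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start + 1:i]
    return None  # unbalanced braces


def check_nginx(conf, connector_wg_ip, https_port="443"):
    """Return findings for the upstream, the /rap-ui/static location and the cert paths."""
    findings = []

    # Step 10: upstream backend must point at the connector's WireGuard address.
    upstream = find_block(conf, "upstream", "backend")
    if upstream is None:
        findings.append("step 10: no 'upstream backend' block")
    elif not re.search(rf"\bserver\s+{re.escape(connector_wg_ip)}:{https_port}\s*;", upstream):
        findings.append(f"step 10: upstream backend does not contain 'server {connector_wg_ip}:{https_port};'")

    # Step 11: the static location must proxy to the local portal process.
    static = find_block(conf, "location", "/rap-ui/static")
    if static is None:
        findings.append("step 11: 'location /rap-ui/static' block missing (RPAM links return 404)")
    elif "proxy_pass http://127.0.0.1:7777/static;" not in static:
        findings.append("step 11: /rap-ui/static does not proxy_pass to http://127.0.0.1:7777/static")

    # Step 12: certificate directives should use the expected file names
    # (assumption: the server block uses ssl_certificate / ssl_certificate_key).
    for directive, path in (("ssl_certificate", "/etc/nginx/certs/cert.crt"),
                            ("ssl_certificate_key", "/etc/nginx/certs/cert.key")):
        if not re.search(rf"\b{directive}\s+{re.escape(path)}\s*;", conf):
            findings.append(f"step 12: {directive} is not {path}")
    return findings


# Constructed sample nginx.conf built from the fragments shown in steps 10-12.
SAMPLE_CONF = """\
http {
    upstream backend {
        server 10.0.0.2:443;
    }
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/cert.crt;
        ssl_certificate_key /etc/nginx/certs/cert.key;
        #
        # kronpam internal redirections (frontend)
        #
        location /rap-ui/static {
            proxy_set_header X-Forwarded-For $remote_addr;
            real_ip_header X-Forwarded-For;
            proxy_pass http://127.0.0.1:7777/static;
        }
        location / {
            proxy_pass https://backend;
        }
    }
}
"""

if __name__ == "__main__":
    print(check_nginx(SAMPLE_CONF, "10.0.0.2"))  # [] for the sample above
```

Run it with the connector's WireGuard address from step 2 as `connector_wg_ip`; pair it with `nginx -t`, which catches syntax errors this checker does not look for.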
## 13) "RAP request not found" error on the Remote Access Portal GUI

If you see the error "rap requst not found, request with id {no} could not be found" on the Remote Access Portal GUI, check the CORS configuration on the Kron PAM server (both for the deployment with RPAM connector and for the one without RPAM connector).

Solution 1: add `{portal url}` to the `cors.allowed.origins` parameter under `/pam/gui/conf/web.xml` (search the file for `cors`).

Linux CLI:

```console
[root@pam ~]# cat /pam/gui/conf/web.xml
```

```xml
...
<param-name>cors.allowed.origins</param-name>
<param-value>{portal url}, e.g. https://remote.cloudpam.com</param-value>
...
```

Solution 2: give the users at least the following portal functions so that they can list devices on the Remote Access Portal and open sessions through them:

- Single Connect RDP Client ModuleVisibility
- Single Connect CLI ModuleVisibility
- Remote Access Config ModuleVisibility
- Desktop Device Group ModuleVisibility (not required for RPAM, but needed if the user lists the devices on the Kron PAM GUI or desktop client)

## 14) IP / domain name information

Check the IP / domain name information on both the Remote Access Portal and the Kron PAM server.

Solution: use the correct values on the Remote Access Portal and the Kron PAM server.

### 14.1) If the IP address is used in the RPAM links on the Remote Access Portal

Linux CLI:

```console
[root@rap ~]# vi /etc/hosts
{private ip of the remote access portal environment} {public ip of the remote access portal environment}
```

Example:

```console
[root@rap ~]# vi /etc/hosts
10.10.10.10 204.232.204.232
```

```console
[root@rap ~]# vi /pam/remote-access-portal/conf/application.properties
sc.server={private ip of the remote access portal environment}
```

Example:

```console
[root@rap ~]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://10.10.10.10
```

On the Kron PAM server: System Config Man > RAP Cloud Server = `{public ip of the remote access portal environment}/connect`

Example: `https://204.232.204.232/connect`
### 14.2) If the domain name is used in the RPAM links on the Remote Access Portal

Linux CLI:

```console
[root@rap ~]# vi /etc/hosts
{private ip of the remote access portal environment} {url of the remote access portal environment}
```

Example:

```console
[root@rap ~]# vi /etc/hosts
10.10.10.10 remote.testcloudpam.com
```

```console
[root@rap ~]# vi /pam/remote-access-portal/conf/application.properties
sc.server={url of the remote access portal environment}
```

Example:

```console
[root@rap ~]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://remote.testcloudpam.com
```

On the Kron PAM server: System Config Man > RAP Cloud Server = `{url of the remote access portal environment}/connect`

Example: `https://remote.testcloudpam.com/connect`

## 15) Remote Access Portal service log

Check the Remote Access Portal's service log under `/pam/remote-access-portal/` on the Remote Access Portal.

Solution: check the recent log lines for errors.

```console
[root@rap ~]# tail -1000f /pam/remote-access-portal/logs/application.log
```

## 16) rap-0.0.1-SNAPSHOT.jar download

Check whether `rap-0.0.1-SNAPSHOT.jar` has been downloaded to `/pam/remote-access-portal/` on the Remote Access Portal by the portal's installation script. If it has not been downloaded, fixing NetworkManager might solve this issue.

Solution: configure DNS with the `nmtui` command on the Remote Access Portal machine so that the jar file can be downloaded.

```console
[root@rap ~]# nmtui
```

Select `eth0` > Edit, change the DNS to 8.8.8.8 and save.

```console
[root@rap ~]# sudo systemctl restart NetworkManager
```

## 17) Kron PAM server logs during the session

Check `catalina.out` and `localhost_access_log.2025-xx-yy.txt` under `/pam/gui/logs` on the Kron PAM server while a session is opened on the Remote Access Portal.

Solution: check the recent log lines for errors.

```console
[root@pam ~]# tail -1000f /pam/gui/logs/catalina.out
[root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.{year-month-day}.txt
```

Example:

```console
[root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.2025-02-25.txt
```
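Added example, not part of the product: steps 15 and 17 say "look at the recent log lines for errors", and several earlier steps tell you what a given HTTP status or message means (403 in step 9, 404 in step 11, "request with id ... could not be found" in step 13). This Python snippet ties the two together: it parses Tomcat-style access log lines and portal application.log lines and counts the symptoms this guide explains, with the step to jump to. The log lines are constructed samples (paths, timestamps and the application.log layout are assumptions, not captures); the mapping of 502/504 to steps 10/15 is my own inference, the rest follows the guide.

```python
"""Map symptoms found in the portal application.log and the Kron PAM
localhost_access_log to the steps of this checklist (example code added here,
not part of the product; the log lines below are constructed samples)."""
import re
from collections import Counter

# Tomcat "common" access log line: host ident user [time] "request" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# HTTP statuses the guide explains and the step to jump to (5xx mapping is an assumption).
STATUS_HINTS = {
    "403": "step 9: OTP-enabled user on Kron PAM <= 3.8.0 (or portal rights, step 8)",
    "404": "step 11: location /rap-ui/static block missing in nginx.conf",
    "502": "step 10/15: upstream backend unreachable, check nginx and the portal log",
    "504": "step 10/15: upstream backend unreachable, check nginx and the portal log",
}
# Message fragments in application.log the guide explains.
MESSAGE_HINTS = [
    (re.compile(r"request with id \S+ could not be found", re.I),
     "step 13: CORS allowed origins / portal functions on the Kron PAM server"),
]


def parse_access_line(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    client, when, method, path, status, _ = m.groups()
    return {"client": client, "time": when, "method": method, "path": path, "status": status}


def triage(access_lines, app_lines):
    """Return {hint: count} for every known symptom seen in the logs."""
    hits = Counter()
    for line in access_lines:
        rec = parse_access_line(line)
        if rec and rec["status"] in STATUS_HINTS:
            hits[STATUS_HINTS[rec["status"]]] += 1
    for line in app_lines:
        for pattern, hint in MESSAGE_HINTS:
            if pattern.search(line):
                hits[hint] += 1
    return dict(hits)


# Constructed sample lines (not real captures; request paths are placeholders).
ACCESS_SAMPLE = [
    '10.0.0.1 - - [25/Feb/2025:10:15:32 +0300] "GET /pam/rap/connect HTTP/1.1" 403 512',
    '10.0.0.1 - - [25/Feb/2025:10:15:40 +0300] "GET /pam/rap/connect HTTP/1.1" 403 512',
    '10.0.0.1 - - [25/Feb/2025:10:16:02 +0300] "GET /rap-ui/static/main.js HTTP/1.1" 404 196',
    '10.0.0.1 - - [25/Feb/2025:10:16:05 +0300] "GET /pam/gui/ HTTP/1.1" 200 8421',
]
APP_SAMPLE = [
    "2025-02-25 10:15:33.120 ERROR RapController - RAP request not found: Request with id 1234 could not be found",
    "2025-02-25 10:15:33.121 INFO  RapController - session cleanup done",
]

if __name__ == "__main__":
    for hint, count in triage(ACCESS_SAMPLE, APP_SAMPLE).items():
        print(f"{count:3d}  {hint}")
```

In practice you would feed it the last thousand lines of `localhost_access_log.{year-month-day}.txt` and `application.log` (the same `tail -1000` window the steps above use) and read the hints top-down.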