What to check if the Tenant Connector is not working (Troubleshooting)
1. Check that Secure Boot is disabled on both the Kron PAM server and the Tenant Connector; if it is enabled, WireGuard might not work.

   Linux CLI:
   ```
   [root@connector ~]# mokutil --sb-state
   ```

2. Check the WireGuard configuration file on the Kron PAM server and on the Tenant Connector.

   Read the WireGuard config file (Linux CLI):
   ```
   [root@pam ~]# cat /etc/wireguard/wg-vpn-{port number}.conf
   ```

   Example:
   ```
   [root@pam ~]# cat /etc/wireguard/wg-vpn-10001.conf
   [Interface]
   PrivateKey = aaa231425cfcy55zsfg/37xkizmngev8az+xxxxxx=
   Address = 192.168.0.2/32
   Endpoint = ${VPN_NODE_IP}:${TUNNEL_PORT}
   ListenPort = 10001
   [Peer]
   PublicKey = aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
   AllowedIPs = 192.168.0.1/32
   PersistentKeepalive = 25
   ```

   Linux CLI:
   ```
   [root@connector ~]# cat /etc/wireguard/wg-vpn-{port number}.conf
   ```

   Example:
   ```
   [root@connector ~]# cat /etc/wireguard/wg-vpn-10001.conf
   [Interface]
   PrivateKey = bbbld/n5r2ff1pfixu2d5ayk3cppdedixzjtbyyyyyy=
   Address = 192.168.0.1/32
   ListenPort = 10001
   [Peer]
   PublicKey = bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
   AllowedIPs = 192.168.0.2/32
   Endpoint = 10.10.10.10:10001
   PersistentKeepalive = 25
   ```

   Note that the `AllowedIPs` of each side must be the `Address` of the other side (192.168.0.2 is the Kron PAM server, 192.168.0.1 is the Tenant Connector).

   Ping the Kron PAM server's WireGuard IP address and the Tenant Connector's WireGuard IP address from both environments (you should see that messages are received/sent).

   Linux CLI:
   ```
   [root@pam ~]# ping {connector's WireGuard public IP}
   ```

   Example:
   ```
   [root@pam ~]# ping 192.168.0.1
   ```

   Linux CLI:
   ```
   [root@connector ~]# ping {PAM's WireGuard public IP}
   ```

   Example:
   ```
   [root@connector ~]# ping 192.168.0.2
   ```

3. Check the iptables rules on the Tenant Connector machine.

   Linux CLI:
   ```
   [root@connector ~]# iptables -t nat -nvL
   ```

4. Check the status of the PAM Connector service on the Tenant Connector machine.

   Linux CLI:
   ```
   [root@connector ~]# sudo systemctl status pam-connector.service
   ```

5. Check the ports allowed at the server level, as defined in the firewall service.

   Linux CLI:
   ```
   [root@connector ~]# sudo firewall-cmd --list-ports
   ```

   Stop the firewall service if it is not needed:
   ```
   [root@connector ~]# sudo systemctl stop firewalld
   ```

6. Check the heartbeat messages on the Tenant Connector page of the Kron PAM web GUI (you should see that the heartbeat is received by the Kron PAM server; it is marked with the red line at item 4).

7. Check the IP routing configuration on the Tenant Connector.

   Linux CLI:
   ```
   [root@connector ~]# sysctl net.ipv4.ip_forward
   ```

   The result should be 1. If it is 0, enable IP routing by setting it to 1:
   ```
   [root@connector ~]# sysctl -w net.ipv4.ip_forward=1
   ```

8. Check the SELinux security mode on the Tenant Connector.

   Linux CLI:
   ```
   [root@connector ~]# getenforce
   ```

   The result should be `Permissive`. If it is `Enforcing`, select permissive security mode with this command:
   ```
   [root@connector ~]# setenforce 0
   ```

9. Check the connector log under `/pam/gui/logs` on the Kron PAM server during the tenant installation, after pressing the Save button on the GUI.

   Linux CLI:
   ```
   [root@pam ~]# tail -1000f /pam/gui/logs/connector.log
   ```

10. Check `catalina.out` and `localhost_access_log.2025-XX-YY.txt` under `/pam/gui/logs` on the Kron PAM server during a session opened on a device assigned to the Tenant Connector.

    Linux CLI:
    ```
    [root@pam ~]# tail -1000f /pam/gui/logs/catalina.out
    [root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.2025-{XX-YY}.txt
    ```

    Example:
    ```
    [root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.2025-02-25.txt
    ```

11. If you have seen this problem during the MTC installation:

    Linux CLI:
    ```
    [root@connector ~]# sh configure.sh
    ...
    Errors during downloading metadata for repository 'appstream':
      - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.rockylinux.org/mirrorlist?arch=x86_64&repo=AppStream-8 [SSL certificate problem: certificate is not yet valid]
    ...
    ```

    check the system clock and sync the clock time:
    ```
    systemctl enable chronyd --now
    chronyc -a makestep
    ```

12. (Multi-Tenant Connector or direct access check) If the Kron PAM server can somehow access the remote devices directly (for instance, in test environments both the Kron PAM server and the Multi-Tenant Connector can be in the same network), you need to determine whether it accesses the remote devices directly or through the Multi-Tenant Connector. In this case, use tcpdump (to install: `sudo dnf install tcpdump`) to see whether messages are really received through the secure tunnel.

    Linux CLI:
    ```
    [root@connector ~]# tcpdump -i any host {MTC's WireGuard IP} and port {target device's virtual port assigned by the Kron PAM server} -vv
    ```

    Example:
    ```
    [root@connector ~]# tcpdump -i any host 192.168.0.1 and port 40000 -vv
    ```

    If tcpdump does not capture any messages during a successful session, the target device is accessed directly by the Kron PAM server; if tcpdump captures tons of messages, the target device is accessed through the Multi-Tenant Connector.

13. (WireGuard communication check) Lastly, ask the customer to check their firewall at the network level. You can tell whether the network-level firewall blocks the secure tunnel messaging by executing `sudo wg show` and checking its result: if the `transfer` line shows 0, the network-level firewall blocks the messages through the WireGuard port.

    Linux CLI:
    ```
    [root@connector ~]# sudo wg show
    interface: wg-vpn-10001
      public key: bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
      private key: (hidden)
      listening port: 10001

    peer: aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
      endpoint: 10.10.10.10:10001
      allowed ips: 192.168.0.2/32
      transfer: 0 B received, 0 B sent
      persistent keepalive: every 25 seconds
    ```

    To confirm whether the network-level firewall blocks the secure tunnel messaging, use:

    - netcat (to install: `sudo dnf install nc`) to check that you can really send a UDP packet to the target environment;
    - tcpdump (to install: `sudo dnf install tcpdump`) to check that you really receive the UDP packet through the secure tunnel.

    Note that it is better to check both sides: 1) from the Multi-Tenant Connector to the Kron PAM server and 2) from the Kron PAM server to the Multi-Tenant Connector.

    Please do not rely on messages such as "UDP packet sent successfully" displayed by netcat. In UDP, this message only indicates that the packet was handed off to the local network stack; it does not confirm delivery to the remote host. The only reliable way to verify UDP communication is to confirm packet transmission and reception using tcpdump on both ends. If tcpdump does not capture the packet, ask the customer to check their firewall rules at the network level.

    Side 1 (from the Multi-Tenant Connector to the Kron PAM server):

    Linux CLI:
    ```
    [root@pam ~]# tcpdump -i any port {WireGuard UDP port}
    ```

    Example:
    ```
    [root@pam ~]# tcpdump -i any port 10000
    ```

    Linux CLI:
    ```
    [root@connector ~]# nc -u -vz {public IP address of the PAM server} {WireGuard UDP port}
    ```

    Example:
    ```
    [root@connector ~]# nc -u -vz 1.1.1.1 10000
    ```

    Side 2 (from the Kron PAM server to the Multi-Tenant Connector):

    Linux CLI:
    ```
    [root@connector ~]# tcpdump -i any port {WireGuard UDP port}
    ```

    Example:
    ```
    [root@connector ~]# tcpdump -i any port 10000
    ```

    Linux CLI:
    ```
    [root@pam ~]# nc -u -vz {public IP address of the Multi-Tenant Connector} {WireGuard UDP port}
    ```

    Example:
    ```
    [root@pam ~]# nc -u -vz 2.2.2.2 10000
    ```
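Two of the checks above are easy to get wrong by eye: the cross-matching of `Address` and `AllowedIPs` between the two WireGuard config files (step 2) and the zero `transfer` counters in `sudo wg show` (step 13). The script below is an added example, not part of the Kron PAM product or its installer; it parses constructed copies of those files and that output (same shape as the examples above, with made-up keys) so it runs offline, and you can point the same functions at the real `/etc/wireguard/wg-vpn-{port number}.conf` and `wg show` output on the connector.

```shell
#!/bin/sh
# Added example (not Kron PAM code): offline checks over the artefacts the
# troubleshooting steps inspect. All inputs below are constructed samples.

# Constructed sample: /etc/wireguard/wg-vpn-10001.conf on the Kron PAM server.
PAM_CONF='[Interface]
PrivateKey = aaa231425cfcy55zsfg/37xkizmngev8az+xxxxxx=
Address = 192.168.0.2/32
ListenPort = 10001
[Peer]
PublicKey = aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
AllowedIPs = 192.168.0.1/32
PersistentKeepalive = 25'

# Constructed sample: the same file on the Tenant Connector.
CONNECTOR_CONF='[Interface]
PrivateKey = bbbld/n5r2ff1pfixu2d5ayk3cppdedixzjtbyyyyyy=
Address = 192.168.0.1/32
ListenPort = 10001
[Peer]
PublicKey = bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
AllowedIPs = 192.168.0.2/32
Endpoint = 10.10.10.10:10001
PersistentKeepalive = 25'

# Constructed sample: `sudo wg show` on a connector whose tunnel carries no traffic.
WG_SHOW_BLOCKED='interface: wg-vpn-10001
  public key: bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
  private key: (hidden)
  listening port: 10001

peer: aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
  endpoint: 10.10.10.10:10001
  allowed ips: 192.168.0.2/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds'

# wg_conf_get SECTION KEY: print the value of KEY inside [SECTION] of a
# WireGuard config read on stdin. Key names are matched case-insensitively,
# and the value keeps any trailing '=' (base64 padding of keys).
wg_conf_get() {
  awk -v s="[$1]" -v k="$2" '
    /^[[:space:]]*\[/ { in_sec = ($1 == s); next }
    in_sec {
      n = index($0, "="); if (n == 0) next
      name = substr($0, 1, n - 1); gsub(/[[:space:]]/, "", name)
      if (tolower(name) != tolower(k)) next
      val = substr($0, n + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      print val; exit
    }'
}

# wg_pair_check PAM_CONF CONNECTOR_CONF: each side's [Peer] AllowedIPs host must
# be the other side's [Interface] Address host, and the connector's Endpoint
# port must be the server's ListenPort. Prints "consistent" (exit 0) or the
# first mismatch found (exit 1).
wg_pair_check() {
  pam=$1; conn=$2
  pam_addr=$(printf '%s\n' "$pam" | wg_conf_get Interface Address)
  pam_allowed=$(printf '%s\n' "$pam" | wg_conf_get Peer AllowedIPs)
  pam_port=$(printf '%s\n' "$pam" | wg_conf_get Interface ListenPort)
  conn_addr=$(printf '%s\n' "$conn" | wg_conf_get Interface Address)
  conn_allowed=$(printf '%s\n' "$conn" | wg_conf_get Peer AllowedIPs)
  conn_ep_port=$(printf '%s\n' "$conn" | wg_conf_get Peer Endpoint | sed 's/.*://')
  # Compare host parts only; the prefix length is not what goes wrong in practice.
  [ "${pam_allowed%%/*}" = "${conn_addr%%/*}" ] ||
    { echo "mismatch: server AllowedIPs $pam_allowed vs connector Address $conn_addr"; return 1; }
  [ "${conn_allowed%%/*}" = "${pam_addr%%/*}" ] ||
    { echo "mismatch: connector AllowedIPs $conn_allowed vs server Address $pam_addr"; return 1; }
  [ "$conn_ep_port" = "$pam_port" ] ||
    { echo "mismatch: connector Endpoint port $conn_ep_port vs server ListenPort $pam_port"; return 1; }
  echo consistent
}

# wg_transfer_status: read `wg show` output on stdin; print "blocked" when the
# peer's transfer counters are both zero (the step 13 symptom), "ok" when any
# bytes were exchanged, "no-peer" when there is no transfer line at all.
wg_transfer_status() {
  awk '
    /^[[:space:]]*transfer:/ {
      found = 1
      r = ($2 == "0" && $5 == "0") ? "blocked" : "ok"
      print r; exit
    }
    END { if (!found) print "no-peer" }'
}

# Usage over the constructed samples.
wg_pair_check "$PAM_CONF" "$CONNECTOR_CONF"
printf '%s\n' "$WG_SHOW_BLOCKED" | wg_transfer_status
```

On a real connector the same calls become `wg_pair_check "$(cat /etc/wireguard/wg-vpn-10001.conf)" "$(ssh pam cat /etc/wireguard/wg-vpn-10001.conf)"` and `sudo wg show | wg_transfer_status`; a `blocked` result only says no packets crossed the tunnel, so the tcpdump/netcat checks in step 13 are still needed to tell a network-level firewall from a wrong endpoint.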