What to check if the Secure Remote Access is not working (Troubleshooting)
1) Check whether Secure Boot is disabled on both the Remote Access Portal (RAP) machine and the Secure Remote Access Connector / Kron PAM server. If it is enabled, WireGuard might not work, because Secure Boot refuses to load an unsigned (out-of-tree) WireGuard kernel module.

Linux CLI:
```
[root@rap ]# mokutil --sb-state
```

Solution: disable Secure Boot in the machine's UEFI firmware settings. `mokutil --sb-state` should then report `SecureBoot disabled`.

2) Check the WireGuard configuration file on both the RAP machine and the Secure Remote Access Connector / Kron PAM server. The two files mirror each other: the server's `AllowedIPs` is the client's `Address`, the client's `AllowedIPs` is the server's `Address`, the port in the client's `Endpoint` is the server's `ListenPort`, and each side's `[Peer] PublicKey` is the public key that belongs to the other side's `PrivateKey`. The `PrivateKey` values are secrets: keep the files root-only (mode 600) and do not paste them into tickets.

Read the WireGuard config file on the RAP environment:

Linux CLI:
```
[root@rap ]# cat /etc/wireguard/wg-server.conf
```
Example:
```
[root@rap ]# cat /etc/wireguard/wg-server.conf
[Interface]
PrivateKey = aaaaaaal/mqg4kkabgxo1gvamqhfpn3jmji4a+se4=
ListenPort = 50044
Address = 10.0.0.1/32

[Peer]
PublicKey = bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```
(`AllowedIPs` is the WireGuard address of the Secure Remote Access Connector or, when no connector is used, of the Kron PAM server.)

Read the WireGuard config file on the Secure Remote Access Connector / Kron PAM server (the file is the same on either):

Linux CLI:
```
[root@connector ]# cat /etc/wireguard/wg-client.conf
```
or
```
[root@pam ]# cat /etc/wireguard/wg-client.conf
```
Example:
```
[root@connector ]# cat /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = ccccccduntscufush3crom8qnflnct0xiruh1rksv1e=
ListenPort = 50044
Address = 10.0.0.2/32

[Peer]
PublicKey = dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
```

Ping the RAP's WireGuard (tunnel) IP address from the connector / Kron PAM server, and the connector's / Kron PAM server's WireGuard IP address from the RAP. You should see replies in both directions.

Linux CLI:
```
[root@connector ]# ping {RAP's WireGuard IP address}
[root@pam ]# ping {RAP's WireGuard IP address}
[root@rap ]# ping {connector's / Kron PAM server's WireGuard IP address}
```
Example:
```
[root@connector ]# ping 10.0.0.1
[root@pam ]# ping 10.0.0.1
[root@rap ]# ping 10.0.0.2
```

Solution: check the WireGuard configurations and restart the tunnel on both sides.

Linux CLI:
```
[root@ ]# wg-quick down {WireGuard configuration name}
[root@ ]# wg-quick up {WireGuard configuration name}
```
Example:
```
[root@rap ]# wg-quick down wg-server
[root@rap ]# wg-quick up wg-server
```
or
```
[root@connector ]# wg-quick down wg-client
[root@connector ]# wg-quick up wg-client
```
or
```
[root@pam ]# wg-quick down wg-client
[root@pam ]# wg-quick up wg-client
```

3) Check the iptables NAT rules on the Secure Remote Access Connector.

Linux CLI:
```
[root@connector ]# iptables -t nat -nvL
```
You need to see at least one rule (a DNAT rule for the HTTPS port and the matching SNAT rule).

Solution: add the iptables rules on the Secure Remote Access Connector / Kron PAM server manually.

Linux CLI:
```
[root@connector ]# iptables -t nat -A PREROUTING -p tcp --dport {https port} -j DNAT --to-destination {Kron PAM server's IP}:{https port}
[root@connector ]# iptables -t nat -A POSTROUTING -p tcp -d {Kron PAM server's IP} --dport {https port} -j SNAT --to-source {Secure Remote Access Connector's IP}
```
Example:
```
[root@connector ]# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.20.42.129:443
[root@connector ]# iptables -t nat -A POSTROUTING -p tcp -d 10.20.42.129 --dport 443 -j SNAT --to-source 10.20.42.17
```
Rules added this way exist only in the running kernel. Save them (for example with `iptables-save`, or through the iptables-services package) so that they survive a reboot.

4) Check the status of the pam-rap service on the RAP machine.

Linux CLI:
```
[root@rap ]# sudo systemctl status pam-rap.service
```
If the pam-rap service is not running, start it again.

Solution: restart the pam-rap service.

Linux CLI:
```
[root@rap ]# sudo systemctl restart pam-rap.service
```

5) Check the ports allowed at the server level by the firewalld service.

Linux CLI:
```
[root@rap ]# sudo firewall-cmd --list-ports
```
or
```
[root@connector ]# sudo firewall-cmd --list-ports
```
or
```
[root@pam ]# sudo firewall-cmd --list-ports
```

Solution: stop the firewalld service if it is not needed (add `systemctl disable firewalld` if it must stay stopped after a reboot).

Linux CLI:
```
[root@rap ]# sudo systemctl stop firewalld
```
or
```
[root@connector ]# sudo systemctl stop firewalld
```
or
```
[root@pam ]# sudo systemctl stop firewalld
```
Where the host firewall is needed, keep it running and allow only the ports listed in step 18 instead, for example on the RAP:
```
[root@rap ]# sudo firewall-cmd --permanent --add-port=443/tcp --add-port=7777/tcp --add-port=7777/udp --add-port=50044/udp
[root@rap ]# sudo firewall-cmd --reload
```

6) Check the IP forwarding configuration on both the RAP and the Secure Remote Access Connector / Kron PAM server.

Linux CLI:
```
[root@rap ]# sysctl net.ipv4.ip_forward
[root@connector ]# sysctl net.ipv4.ip_forward
```
The result should be `net.ipv4.ip_forward = 1`.

Solution: if it is 0, enable IP forwarding by setting it to 1.

Linux CLI:
```
[root@rap ]# sysctl -w net.ipv4.ip_forward=1
```
or
```
[root@connector ]# sysctl -w net.ipv4.ip_forward=1
```
or
```
[root@pam ]# sysctl -w net.ipv4.ip_forward=1
```
`sysctl -w` is not persistent; also put `net.ipv4.ip_forward = 1` in a file under /etc/sysctl.d/ so the setting survives a reboot.

7) Check the SELinux mode on the RAP, the Secure Remote Access Connector and the Kron PAM server.

Linux CLI:
```
[root@rap ]# getenforce
```
or
```
[root@connector ]# getenforce
```
or
```
[root@pam ]# getenforce
```
The result should be `Permissive`.

Solution: if the result is `Enforcing`, switch to permissive mode and allow the web server (nginx runs in the `httpd_t` domain) to open network connections. `setsebool ... on` and `setsebool ... 1` are equivalent.

Linux CLI:
```
[root@rap ]# setenforce 0
[root@rap ]# setsebool -P httpd_can_network_connect on
```
or
```
[root@connector ]# setenforce 0
[root@connector ]# setsebool -P httpd_can_network_connect on
```
or
```
[root@pam ]# setenforce 0
[root@pam ]# setsebool -P httpd_can_network_connect on
```
`setenforce 0` lasts only until the next reboot; set `SELINUX=permissive` in /etc/selinux/config to make it persistent. The `-P` boolean change is persistent on its own.

8) Check the portal rights of the users if the SSH/RDP session opened over the RAP shows a blank page or an `undefined@undefined` page.

Solution: grant these portal rights to the users through user groups:
- Single Connect RDP Client ModuleVisibility
- Single Connect CLI ModuleVisibility

9) Check the nginx configuration file under /etc/nginx/nginx.conf on the RAP.

Linux CLI:
```
[root@rap ]# cat /etc/nginx/nginx.conf
…
upstream backend {
    server {Secure Remote Access Connector's WireGuard IP}:443;
}
…
```
Example:
```
[root@rap ]# cat /etc/nginx/nginx.conf
…
upstream backend {
    server 10.0.0.2:443;
}
…
```
Check the server entry in the `upstream backend` section of nginx.conf, and check that the nginx service is active (`sudo systemctl status nginx.service`).

Solution: if the nginx service is not running, restart it on the RAP machine.

Linux CLI:
```
[root@rap ]# sudo systemctl restart nginx.service
```

10) Check that the correct nginx configuration file is used under /etc/nginx/nginx.conf on the RAP machine. If the remote access link returns an HTTP 404 error, check the nginx configuration file. The file should contain these lines:

Linux CLI:
```
[root@rap ]# cat /etc/nginx/nginx.conf
…
#
# KronPAM internal redirections (frontend)
#
…
location /rap-ui/static {
    proxy_set_header X-Forwarded-For $remote_addr;
    real_ip_header X-Forwarded-For;
    proxy_pass http://127.0.0.1:7777/static;
}
…
```

Solution: if these lines are missing, add the `location /rap-ui/static { … }` block to nginx.conf on the RAP machine and save the file. Validate the file with `nginx -t`, then restart the nginx service (`sudo systemctl restart nginx.service`).

11) If the RAP links return a certificate error, check whether the self-signed certificate and the generic RSA private key have been replaced with the customer's own certificate and RSA private key. The customer should remove the self-signed certificate and the generic RSA private key from the /etc/nginx/certs directory, add their own certificate (for example an AWS-issued one) and RSA private key under the same names, and finally restart the nginx service with `sudo systemctl restart nginx.service`.

Solution: if the customer has its own certificate and RSA private key, put the files under /etc/nginx/certs with the names cert.crt and cert.key, then restart the nginx service (`sudo systemctl restart nginx.service`). Keep cert.key readable by root only (mode 600). `openssl x509 -in /etc/nginx/certs/cert.crt -noout -subject -dates` shows which certificate nginx will serve and whether it is still valid.

12) If you see the error “RAP request not found. Request with id {no} could not be found” on the RAP GUI, check the CORS configuration on the Kron PAM server (for both the with-connector and the without-connector options).

Solution: add {RAP URL} to the `cors.allowed.origins` parameter in /pam/gui/conf/web.xml (search for `cors` in the file).

Linux CLI:
```
[root@pam ]# cat /pam/gui/conf/web.xml
…
<param-name>cors.allowed.origins</param-name>
<param-value>{RAP URL}, e.g. https://remote.cloudpam.com</param-value>
…
```
List the exact RAP origin (scheme and host, no path); do not use `*`, which would let any site make credentialed requests to the Kron PAM GUI.

13) Check the IP / domain name information on both the RAP and the Kron PAM server.

Solution: use consistent values on the RAP and the Kron PAM server.

13.1) If an IP address is used in the RAP links on the RAP:

Linux CLI:
```
[root@rap ]# vi /etc/hosts
{private IP of the RAP environment} {public IP of the RAP environment}
```
Example:
```
[root@rap ]# vi /etc/hosts
10.10.10.10 204.232.204.232
```
Linux CLI:
```
[root@rap ]# vi /pam/remote-access-portal/conf/application.properties
sc.server={private IP of the RAP environment}
```
Example:
```
[root@rap ]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://10.10.10.10
```
On the Kron PAM server: System Config Man > RAP Cloud Server = {public IP of the RAP environment}/connect, e.g. `https://204.232.204.232/connect`.

13.2) If a domain name is used in the Secure Remote Access links on the RAP:

Linux CLI:
```
[root@rap ]# vi /etc/hosts
{private IP of the RAP environment} {URL of the RAP environment}
```
Example:
```
[root@rap ]# vi /etc/hosts
10.10.10.10 remote.testcloudpam.com
```
Linux CLI:
```
[root@rap ]# vi /pam/remote-access-portal/conf/application.properties
sc.server={URL of the RAP environment}
```
Example:
```
[root@rap ]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://remote.testcloudpam.com
```
On the Kron PAM server: System Config Man > RAP Cloud Server = {URL of the RAP environment}/connect, e.g. `https://remote.testcloudpam.com/connect`.

14) Check the RAP's service log under /pam/remote-access-portal/ on the RAP.

Solution: check the most recent log lines for errors.

Linux CLI:
```
[root@rap ]# tail -1000f /pam/remote-access-portal/logs/application.log
```

15) Check whether rap-0.0.1-SNAPSHOT.jar was downloaded to /pam/remote-access-portal/ on the RAP by the RAP installation script. If it was not downloaded, fixing NetworkManager (DNS) may solve the issue.

Solution: configure DNS with the nmtui command on the RAP machine so that the jar file can be downloaded (use your organization's resolver instead of 8.8.8.8 where policy requires it).

Linux CLI:
```
[root@rap ]# nmtui
```
Select eth0, choose Edit, change the DNS server to 8.8.8.8 and save. Then restart NetworkManager:
```
[root@rap ]# sudo systemctl restart NetworkManager
```

16) Check catalina.out and localhost_access_log.2025-xx-yy.txt under /pam/gui/logs on the Kron PAM server while a session is being opened on the RAP.

Solution: check the most recent log lines for errors.

Linux CLI:
```
[root@pam ]# tail -1000f /pam/gui/logs/catalina.out
[root@pam ]# tail -1000f /pam/gui/logs/localhost_access_log.{year-month-day}.txt
```
Example:
```
[root@pam ]# tail -1000f /pam/gui/logs/localhost_access_log.2025-02-25.txt
```

17) If you get a “Passcode is wrong” error on the RAP with Kron PAM 3.6.0, the remote access jar file (rap-0.0.1-SNAPSHOT.jar) for 3.6.0 must be downloaded manually, because the RAP script automatically downloads the latest jar file (for instance the one for 3.7.0).

Solution: if the Kron PAM server version is 3.6.0, download rap-0.0.1-SNAPSHOT.jar for 3.6.0 and place it under /pam/remote-access-portal/. Then change its owner and mode with chown and chmod, and finally restart the pam-rap service.

Linux CLI (after placing the 3.6.0 jar under /pam/remote-access-portal/):
```
[root@rap ]# chown pamuser:pam_group /pam/remote-access-portal/rap-0.0.1-SNAPSHOT.jar
[root@rap ]# chmod 755 /pam/remote-access-portal/rap-0.0.1-SNAPSHOT.jar
[root@rap ]# systemctl restart pam-rap.service
```

18) Lastly, ask the customer to check their firewall at the network level. You can tell whether the network firewall blocks the secure tunnel traffic by running `sudo wg show` and checking the result: if the `transfer` line shows “0 B received, 0 B sent”, the network firewall blocks the traffic on the WireGuard port. A healthy tunnel also shows a `latest handshake:` line for the peer; that line is absent while no handshake has ever completed. Each side's `public key:` must be exactly the `PublicKey` listed in the other side's `[Peer]` section.

Linux CLI:
```
[root@rap ]# sudo wg show
interface: wg-server
  public key: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  private key: (hidden)
  listening port: 50044

peer: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  allowed ips: 10.0.0.2/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
```
or
```
[root@connector ]# sudo wg show
interface: wg-client
  public key: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  private key: (hidden)
  listening port: 50044

peer: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  endpoint: 10.10.10.10:50044
  allowed ips: 10.0.0.1/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
```
The output on the Kron PAM server (`[root@pam ]# sudo wg show`) is the same as on the connector.

You can also use tcpdump and send a test message to check the network-level firewall. Sending to the RAP's WireGuard address makes WireGuard emit a packet (a handshake initiation) toward the endpoint; sending to the RAP's public endpoint address (10.10.10.10 in the examples) tests the same network path without involving the tunnel.

Linux CLI:
```
[root@rap ]# tcpdump -i any port {WireGuard port} -v
[root@connector ]# echo "test packet" | nc -u {RAP's WireGuard IP address} {WireGuard port}
```
or
```
[root@pam ]# echo "test packet" | nc -u {RAP's WireGuard IP address} {WireGuard port}
```
Example:
```
[root@rap ]# tcpdump -i any port 50044 -v
[root@connector ]# echo "test packet" | nc -u 10.0.0.1 50044
```
or
```
[root@pam ]# echo "test packet" | nc -u 10.0.0.1 50044
```

Solution: if the `transfer` line still shows “0 B received, 0 B sent” after `sudo wg show`, ask the customer to allow the necessary ports toward the RAP environment:
- 443/tcp
- 7777/tcp
- 7777/udp
- {selected WireGuard port (e.g. 51820)}/udp
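The checks in steps 2, 9 and 18 are mechanical enough to script. The following is an added example (not part of this page or of the Kron PAM product): it parses the two wg-quick config files, the `wg show` output of the side you are on and the nginx `upstream backend` block, and reports every mismatch at once. The sample inputs are constructed from the placeholder keys and addresses used above; the public key that `wg show` prints is assumed to be the one each side derives from its `PrivateKey`.

```python
"""Consistency check for a WireGuard server/client pair, `wg show` output and
the nginx upstream (steps 2, 9 and 18). Added example; inputs are constructed."""
import re

SERVER_CONF = """[Interface]
PrivateKey = aaaaaaal/mqg4kkabgxo1gvamqhfpn3jmji4a+se4=
ListenPort = 50044
Address = 10.0.0.1/32
[Peer]
PublicKey = bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
"""
CLIENT_CONF = """[Interface]
PrivateKey = ccccccduntscufush3crom8qnflnct0xiruh1rksv1e=
ListenPort = 50044
Address = 10.0.0.2/32
[Peer]
PublicKey = dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
"""
# `wg show` on the client while the network firewall drops UDP 50044 (constructed).
CLIENT_SHOW_BLOCKED = """interface: wg-client
  public key: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  private key: (hidden)
  listening port: 50044

peer: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  endpoint: 10.10.10.10:50044
  allowed ips: 10.0.0.1/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
"""
# Same host after the tunnel came up: a handshake line and non-zero transfer.
CLIENT_SHOW_OK = CLIENT_SHOW_BLOCKED.replace(
    "  transfer: 0 B received, 0 B sent",
    "  latest handshake: 12 seconds ago\n  transfer: 3.44 MiB received, 1.21 MiB sent")
NGINX_CONF = "upstream backend {\n    server 10.0.0.2:443;\n}\n"


def parse_wg_conf(text):
    """Parse a wg-quick config into {section: {key: value}} with lower-cased keys."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            cur = line.strip("[]").lower()
            sections[cur] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[cur][key.strip().lower()] = value.strip()
    return sections


def parse_wg_show(text):
    """Parse `wg show` output into {"interface": .., "public key": .., "peers": [..]}."""
    info, target = {"peers": []}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")  # first ':' only; endpoints keep their port
        key, value = key.strip(), value.strip()
        if key == "peer":
            target = {"public key": value}
            info["peers"].append(target)
        elif key:
            (target if target is not None else info)[key] = value
    return info


def transfer_bytes(transfer):
    """'1.5 KiB received, 0 B sent' -> (1536.0, 0.0)."""
    units = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
    return tuple(float(n) * units[u] for n, u, _ in (p.split() for p in transfer.split(",")))


def check_pair(server_conf, client_conf, show_text, side):
    """Return a list of problems; side is 'server' or 'client' (where `wg show` ran)."""
    s, c, shown = parse_wg_conf(server_conf), parse_wg_conf(client_conf), parse_wg_show(show_text)
    problems = []
    s_addr, c_addr = s["interface"]["address"], c["interface"]["address"]
    if s["peer"]["allowedips"] != c_addr:
        problems.append(f"server AllowedIPs {s['peer']['allowedips']} != client Address {c_addr}")
    if c["peer"]["allowedips"] != s_addr:
        problems.append(f"client AllowedIPs {c['peer']['allowedips']} != server Address {s_addr}")
    port = c["peer"]["endpoint"].rpartition(":")[2]
    if port != s["interface"]["listenport"]:
        problems.append(f"client Endpoint port {port} != server ListenPort {s['interface']['listenport']}")
    # `wg show` prints this side's own public key; the other side must list exactly that
    # key under [Peer], otherwise the handshake can never complete.
    other = c if side == "server" else s
    if shown.get("public key") != other["peer"]["publickey"]:
        problems.append(f"{side} public key is not the PublicKey in the other side's [Peer] section")
    # Step 18: no handshake ever and 0 B in both directions points at the network firewall.
    for peer in shown["peers"]:
        if "latest handshake" not in peer and transfer_bytes(peer["transfer"]) == (0.0, 0.0):
            problems.append(f"{side}: no handshake and 0 B transferred; check the network firewall for UDP {port}")
    return problems


def nginx_upstream_ok(nginx_conf, client_conf):
    """Step 9: the `upstream backend` server must be the client's tunnel address."""
    m = re.search(r"upstream\s+backend\s*\{[^}]*?server\s+([\d.]+):(\d+)\s*;", nginx_conf)
    tunnel_ip = parse_wg_conf(client_conf)["interface"]["address"].split("/")[0]
    return bool(m) and m.group(1) == tunnel_ip
```

On a real host, feed `check_pair` the contents of both config files (copied from each machine) plus `sudo wg show` of the side you are logged in to, and `nginx_upstream_ok` the RAP's nginx.conf; an empty problem list means the pair is consistent and only the ping/tcpdump tests remain.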
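Steps 12 and 13 require the same RAP address to agree in four places: /etc/hosts and `sc.server` on the RAP, the RAP Cloud Server value and the `cors.allowed.origins` parameter on the Kron PAM server. The script below is an added example (not the product's own code) that checks all four together for both the IP (13.1) and the domain-name (13.2) variants. The inputs are constructed; the web.xml fragment assumes the parameter lives in an `init-param` of Tomcat's `CorsFilter`, which is an assumption about the product's web.xml layout.

```python
"""Cross-check the RAP address in /etc/hosts, sc.server, RAP Cloud Server and
cors.allowed.origins (steps 12 and 13). Added example; inputs are constructed."""
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

HOSTS = "127.0.0.1 localhost\n10.10.10.10 remote.testcloudpam.com\n"
APP_PROPS = "# constructed application.properties fragment\nsc.server=https://remote.testcloudpam.com\n"
RAP_CLOUD_SERVER = "https://remote.testcloudpam.com/connect"
WEB_XML = """<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://remote.testcloudpam.com</param-value>
    </init-param>
  </filter>
</web-app>
"""


def parse_hosts(text):
    """/etc/hosts -> {name_or_ip: ip}; an IP maps to itself so the 13.1 (IP) case works."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            mapping.setdefault(fields[0], fields[0])
            for name in fields[1:]:
                mapping[name] = fields[0]
    return mapping


def parse_properties(text):
    """Minimal key=value parser for application.properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def cors_origins(web_xml):
    """All values of cors.allowed.origins init-params, split on commas."""
    origins = []
    for param in ET.fromstring(web_xml).iter("init-param"):
        if param.findtext("param-name", "").strip() == "cors.allowed.origins":
            origins += [o.strip() for o in (param.findtext("param-value") or "").split(",")]
    return origins


def check_rap_addresses(hosts_text, props_text, rap_cloud_server, web_xml, private_ip):
    """Return a list of problems; an empty list means the four places agree."""
    hosts, props = parse_hosts(hosts_text), parse_properties(props_text)
    problems = []
    cloud = urlsplit(rap_cloud_server)
    if cloud.scheme != "https" or cloud.path != "/connect":
        problems.append("RAP Cloud Server must be https://{RAP public address}/connect")
    if hosts.get(cloud.hostname) != private_ip:
        problems.append(f"/etc/hosts on the RAP does not map {cloud.hostname} to {private_ip}")
    sc = urlsplit(props.get("sc.server", ""))
    if sc.scheme != "https" or hosts.get(sc.hostname) != private_ip:
        problems.append("sc.server must be https://{RAP address} and resolve to the RAP's private IP")
    # Step 12: the browser origin of the RAP (scheme + host, no path) must be listed,
    # and only that origin; '*' would admit any site.
    rap_origin = f"{cloud.scheme}://{cloud.netloc}"
    origins = cors_origins(web_xml)
    if rap_origin not in origins:
        problems.append(f"cors.allowed.origins lacks {rap_origin} (causes 'RAP request not found')")
    if "*" in origins:
        problems.append("cors.allowed.origins uses '*'; list only the RAP origin")
    return problems
```

Run it with the real /etc/hosts and application.properties from the RAP, the RAP Cloud Server string from System Config Man and web.xml from the Kron PAM server; every reported line maps directly to one of the sub-steps above.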