# Secure Remote Access

## What to check if the Secure Remote Access is not working (Troubleshooting)
### 1) Check whether Secure Boot is disabled on both the Remote Access Portal (RAP) machine and the Secure Remote Access Connector/Kron PAM server

If Secure Boot is enabled, WireGuard might not work.

Linux CLI:

```
[root@rap]# mokutil --sb-state
```

Solution: disable Secure Boot.

### 2) Check the WireGuard configuration file on both the Remote Access Portal (RAP) machine and the Secure Remote Access Connector/Kron PAM server

Read the WireGuard config file on the Remote Access Portal (RAP) environment.

Linux CLI:

```
[root@rap]# cat /etc/wireguard/wg-server.conf
```

Example:

```
[root@rap]# cat /etc/wireguard/wg-server.conf
[Interface]
PrivateKey = aaaaaaal/mqg4kkabgxo1gvamqhfpn3jmji4a+se4=
ListenPort = 50044
Address = 10.0.0.1/32

[Peer]
PublicKey = bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25
```

Read the WireGuard config file on the Secure Remote Access Connector/Kron PAM server.

Linux CLI:

```
[root@connector]# cat /etc/wireguard/wg-client.conf
```

or

```
[root@pam]# cat /etc/wireguard/wg-client.conf
```

Example (the file has the same content on the Kron PAM server when no connector is used):

```
[root@connector]# cat /etc/wireguard/wg-client.conf
[Interface]
PrivateKey = ccccccduntscufush3crom8qnflnct0xiruh1rksv1e=
ListenPort = 50044
Address = 10.0.0.2/32

[Peer]
PublicKey = dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25
```

Ping the Remote Access Portal (RAP)'s WireGuard IP address and the Secure Remote Access Connector/Kron PAM server's WireGuard IP address on both environments (you should see that messages are received/sent).

Linux CLI:

```
[root@connector]# ping {remote access portal's WireGuard public IP}
[root@pam]# ping {remote access portal's WireGuard public IP}
[root@rap]# ping {secure remote access connector/Kron PAM server's WireGuard public IP}
```

Example:

```
[root@connector]# ping 10.0.0.1
[root@pam]# ping 10.0.0.1
[root@rap]# ping 10.0.0.2
```

Solution: check the WireGuard configurations and restart them.

Linux CLI:

```
[root@]# wg-quick down {wireguard configuration file name}
[root@]# wg-quick up {wireguard configuration file name}
```

Example:

```
[root@rap]# wg-quick down wg-server
[root@rap]# wg-quick up wg-server

[root@connector]# wg-quick down wg-client
[root@connector]# wg-quick up wg-client

[root@pam]# wg-quick down wg-client
[root@pam]# wg-quick up wg-client
```

### 3) Check the iptables rules on the Secure Remote Access Connector

Linux CLI:

```
[root@connector]# iptables -t nat -nvL
```

You need to see at least one iptables rule.

Solution: add the iptables rules on the Secure Remote Access Connector/Kron PAM server manually.

Linux CLI:

```
[root@connector]# iptables -t nat -A PREROUTING -p tcp --dport {https port} -j DNAT --to-destination {Kron PAM server's IP}:{https port}
[root@connector]# iptables -t nat -A POSTROUTING -p tcp -d {Kron PAM server's IP} --dport {https port} -j SNAT --to-source {secure remote access connector's IP}
```

Example:

```
[root@connector]# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.20.42.129:443
[root@connector]# iptables -t nat -A POSTROUTING -p tcp -d 10.20.42.129 --dport 443 -j SNAT --to-source 10.20.42.17
```

### 4) Check the status of the pam-rap service on the Remote Access Portal (RAP) machine

Linux CLI:

```
[root@rap]# sudo systemctl status pam-rap.service
```

If the pam-rap service is not running, you need to start it again.

Solution: restart the pam-rap service.

Linux CLI:

```
[root@rap]# sudo systemctl restart pam-rap.service
```

### 5) Check the port allowance at the server level that is defined in the firewalld service

Linux CLI:

```
[root@rap]# sudo firewall-cmd --list-ports
[root@connector]# sudo firewall-cmd --list-ports
[root@pam]# sudo firewall-cmd --list-ports
```

Solution: stop the firewalld service, if it is not needed.

Linux CLI:

```
[root@rap]# sudo systemctl stop firewalld
[root@connector]# sudo systemctl stop firewalld
[root@pam]# sudo systemctl stop firewalld
```

### 6) Check the IP routing configuration on both the Remote Access Portal (RAP) and the Secure Remote Access Connector/Kron PAM server

Linux CLI:

```
[root@rap]# sysctl net.ipv4.ip_forward
[root@connector]# sysctl net.ipv4.ip_forward
```

The result should be 1.

Solution: if it is 0, enable IP routing by setting it to 1.

Linux CLI:

```
[root@rap]# sysctl -w net.ipv4.ip_forward=1
[root@connector]# sysctl -w net.ipv4.ip_forward=1
[root@pam]# sysctl -w net.ipv4.ip_forward=1
```

### 7) Check the SELinux security mode on the tenant connector

Linux CLI:

```
[root@rap]# getenforce
[root@connector]# getenforce
[root@pam]# getenforce
```

The result should be `Permissive`.

Solution: if the result is `Enforcing`, switch to permissive security mode with these commands.

Linux CLI:

```
[root@rap]# setenforce 0
[root@rap]# setsebool -P httpd_can_network_connect on
[root@rap]# setsebool -P httpd_can_network_connect 1

[root@connector]# setenforce 0
[root@connector]# setsebool -P httpd_can_network_connect on
[root@connector]# setsebool -P httpd_can_network_connect 1

[root@pam]# setenforce 0
[root@pam]# setsebool -P httpd_can_network_connect on
[root@pam]# setsebool -P httpd_can_network_connect 1
```

### 8) Check the portal rights of the users if the SSH/RDP session over the Remote Access Portal (RAP) comes up with a blank or `undefined@undefined` page

Solution: grant these portal rights to the users through user groups:

- Single Connect RDP Client ModuleVisibility
- Single Connect CLI ModuleVisibility

### 9) Check the nginx configuration file under /etc/nginx/nginx.conf on the Remote Access Portal (RAP)

Linux CLI:

```
[root@rap]# cat /etc/nginx/nginx.conf
…
upstream backend {
    server {secure remote access connector's WireGuard public IP}:443;
}
…
```

Example:

```
[root@rap]# cat /etc/nginx/nginx.conf
…
upstream backend {
    server 10.0.0.2:443;
}
…
```

Check the server entry in the `upstream backend` section of nginx.conf and check that the nginx service is active.

Solution: if the nginx service is not running, restart it on the Remote Access Portal (RAP) machine.

Linux CLI:

```
[root@rap]# sudo systemctl restart nginx.service
```

### 10) Check that you use the correct nginx configuration file under /etc/nginx/nginx.conf on the Remote Access Portal (RAP) machine

If the remote access link returns an HTTP 404 error, you need to check the nginx configuration file. The file should have these lines.

Linux CLI:

```
[root@rap]# cat /etc/nginx/nginx.conf
…
#
# KronPAM internal redirections (frontend)
#
…
location /rap-ui/static {
    proxy_set_header X-Forwarded-For $remote_addr;
    real_ip_header X-Forwarded-For;
    proxy_pass http://127.0.0.1:7777/static;
}
…
```

Solution: if these lines are not present yet, add the `location /rap-ui/static { … }` block to the nginx.conf file on the Remote Access Portal (RAP) machine and save the file. After that, restart the nginx service (`sudo systemctl restart nginx.service`).

### 11) If the Remote Access Portal links get a certificate error, check whether the self-signed certificate and generic RSA private key have been replaced with the customer's own certificate and RSA private key

The customer should remove the self-signed certificate and generic RSA private key in the /etc/nginx/certs directory. After this, the customer should add the customer's AWS certificate and RSA private key with the same names. Lastly, the customer should restart the nginx service with the `sudo systemctl restart nginx.service` command.

Solution: if the customer has its own certificate and RSA private key, put these files under /etc/nginx/certs using the names `cert.crt` and `cert.key`. After that, restart the nginx service (`sudo systemctl restart nginx.service`).

### 12) If you see the error "RAP request not found. Request with id {no} could not be found" on the Remote Access Portal GUI, check the CORS configuration on the Kron PAM server (for both the with-connector and without-connector options)

Solution: add `{rap url}` to the `cors.allowed.origins` parameter under /pam/gui/conf/web.xml.

Linux CLI:

```
[root@pam]# cat /pam/gui/conf/web.xml
… (search for cors) …
<param-name>cors.allowed.origins</param-name>
<param-value>{rap url}, e.g., https://remote.cloudpam.com</param-value>
…
```

### 13) Check the IP/domain name information on both the Remote Access Portal (RAP) and the Kron PAM server

Solution: use the correct values on the Remote Access Portal (RAP) and the Kron PAM server.

#### 13.1) If the IP is used in the RAP links on the Remote Access Portal (RAP)

Linux CLI:

```
[root@rap]# vi /etc/hosts
{private IP of the remote access portal environment} {public IP of the remote access portal environment}
```

Example:

```
[root@rap]# vi /etc/hosts
10.10.10.10 204.232.204.232
```

Linux CLI:

```
[root@rap]# vi /pam/remote-access-portal/conf/application.properties
sc.server={private IP of the remote access portal environment}
```

Example:

```
[root@rap]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://10.10.10.10
```

On the Kron PAM server: System Config Man > `rap.cloud.server` = `{public IP of the remote access portal environment}/connect`, for example `https://204.232.204.232/connect`.

#### 13.2) If the domain name is used in the Secure Remote Access links on the Remote Access Portal (RAP)

Linux CLI:

```
[root@rap]# vi /etc/hosts
{private IP of the remote access portal environment} {URL of the remote access portal environment}
```

Example:

```
[root@rap]# vi /etc/hosts
10.10.10.10 remote.testcloudpam.com
```

Linux CLI:

```
[root@rap]# vi /pam/remote-access-portal/conf/application.properties
sc.server={URL of the remote access portal environment}
```

Example:

```
[root@rap]# vi /pam/remote-access-portal/conf/application.properties
sc.server=https://remote.testcloudpam.com
```

On the Kron PAM server: System Config Man > `rap.cloud.server` = `{URL of the remote access portal environment}/connect`, for example `https://remote.testcloudpam.com/connect`.

### 14) Check the Remote Access Portal (RAP)'s service log under /pam/remote-access-portal/ on the Remote Access Portal (RAP)

Solution: check the recent log lines to see if there are any errors.

Linux CLI:

```
[root@rap]# tail -1000f /pam/remote-access-portal/logs/application.log
```

### 15) Check whether rap-0.0.1-SNAPSHOT.jar was downloaded to /pam/remote-access-portal/ on the Remote Access Portal (RAP) by the Remote Access Portal (RAP)'s installation script

If it was not downloaded, fixing NetworkManager might solve this issue.

Solution: configure DNS with the `nmtui` command on the Remote Access Portal (RAP) machine so that the jar file can be downloaded.

Linux CLI:

```
[root@rap]# nmtui
```

Select eth0, choose Edit, change DNS to 8.8.8.8 and save. Then:

```
[root@rap]# sudo systemctl restart NetworkManager
```

### 16) Check catalina.out and localhost_access_log.2025-xx-yy.txt under /pam/gui/logs on the Kron PAM server while a session is opened on the Remote Access Portal (RAP)

Solution: check the recent log lines to see if there are any errors.

Linux CLI:

```
[root@pam]# tail -1000f /pam/gui/logs/catalina.out
[root@pam]# tail -1000f /pam/gui/logs/localhost_access_log.{year-month-day}.txt
```

Example:

```
[root@pam]# tail -1000f /pam/gui/logs/localhost_access_log.2025-02-25.txt
```

### 17) If you get a "passcode is wrong" error on the Remote Access Portal (RAP) with Kron PAM 3.6.0, the remote access jar file (rap-0.0.1-SNAPSHOT.jar) for 3.6.0 should be downloaded manually

The Remote Access Portal script automatically downloads the latest jar file (for instance, for 3.7.0).

Solution: download rap-0.0.1-SNAPSHOT.jar for 3.6.0 if the Kron PAM server version is 3.6.0. Once this file is downloaded manually, place it under /pam/remote-access-portal/. After that, change its ownership and mode with the `chown` and `chmod` commands respectively, and in the last step restart the pam-rap service.

Linux CLI:

```
[root@rap]# # download the rap-0.0.1-SNAPSHOT.jar file for 3.6.0 and place it under /pam/remote-access-portal
[root@rap]# chown pamuser:pamgroup /pam/remote-access-portal/rap-0.0.1-SNAPSHOT.jar
[root@rap]# chmod 755 /pam/remote-access-portal/rap-0.0.1-SNAPSHOT.jar
[root@rap]# systemctl restart pam-rap.service
```

### 18) Lastly, ask the customer to check their firewall at the network level

You can tell whether the firewall at the network level blocks the secure tunnel traffic by executing the `sudo wg show` command and checking its result: if the `transfer` line shows "0 B received, 0 B sent", the firewall at the network level blocks the messages on the WireGuard port.

Linux CLI:

```
[root@rap]# sudo wg show
interface: wg-server
  public key: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  private key: (hidden)
  listening port: 50044

peer: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  allowed ips: 10.0.0.2/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
```

or

```
[root@connector]# sudo wg show
interface: wg-client
  public key: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  private key: (hidden)
  listening port: 50044

peer: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  endpoint: 10.10.10.10:50044
  allowed ips: 10.0.0.1/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
```

or

```
[root@pam]# sudo wg show
interface: wg-client
  public key: dddddd9+epcylo4rxdaj6wqpllk9zvp691bkvzip/ju=
  private key: (hidden)
  listening port: 50044

peer: bbbbbbtqwb8qxlgg0c+rflol/2eratmwt7hi/wzjp14=
  endpoint: 10.10.10.10:50044
  allowed ips: 10.0.0.1/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds
```

You can also use tcpdump and send a test message to check the firewall at the network level.

Linux CLI:

```
[root@rap]# tcpdump -i any port {wireguard port} -v
[root@connector]# echo "test packet" | nc -u {remote access portal's WireGuard public IP} {wireguard port}
[root@pam]# echo "test packet" | nc -u {remote access portal's WireGuard public IP} {wireguard port}
```

Example:

```
[root@rap]# tcpdump -i any port 50044 -v
[root@connector]# echo "test packet" | nc -u 10.0.0.1 50044
[root@pam]# echo "test packet" | nc -u 10.0.0.1 50044
```

Solution: if the `transfer` line shows "0 B received, 0 B sent" after `sudo wg show`, ask the customer to allow the necessary ports on the Remote Access Portal (RAP) environment: 443/tcp, 7777/tcp, 7777/udp and {selected WireGuard port (e.g., 51820)}/udp.
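The two WireGuard checks above (the config files in step 2 and the `transfer` line of `wg show` in step 18) are easy to get subtly wrong by eye, so here is an added POSIX shell example, not part of Kron's guide or product, that does them offline. `wg_conf_get`, `wg_pair_check` and `wg_transfer_state` are names chosen for this example; the configuration texts and `wg show` output are constructed samples modelled on the guide's placeholders (the key strings are stand-ins, not key material).

```shell
#!/bin/sh
# Added example (not Kron's code): offline checks for the WireGuard parts of
# steps 2 and 18 of the troubleshooting guide. Sample configs and `wg show`
# output are constructed; the key strings are placeholders.

# Print the value of KEY in [SECTION] of a WireGuard config read from stdin.
# Section and key names are matched case-insensitively; comment lines are skipped.
wg_conf_get() {  # usage: wg_conf_get SECTION KEY < wg-xxx.conf
    awk -v sec="$1" -v key="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { cur = $0; gsub(/\[|\]|[ \t]/, "", cur); next }
        tolower(cur) == tolower(sec) && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                # split on the FIRST "=" only: base64 keys end with "=" padding
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Cross-check the two sides of the tunnel: the server peer's AllowedIPs must be
# the client's Address, the client peer's AllowedIPs the server's Address, and
# the client's Endpoint port the server's ListenPort. Prints each mismatch and
# returns 1 if any was found (single-address configs, as in the guide).
wg_pair_check() {  # usage: wg_pair_check "$server_conf_text" "$client_conf_text"
    s_addr=$(printf '%s\n' "$1" | wg_conf_get Interface Address)
    s_port=$(printf '%s\n' "$1" | wg_conf_get Interface ListenPort)
    s_peer=$(printf '%s\n' "$1" | wg_conf_get Peer AllowedIPs)
    c_addr=$(printf '%s\n' "$2" | wg_conf_get Interface Address)
    c_peer=$(printf '%s\n' "$2" | wg_conf_get Peer AllowedIPs)
    c_port=$(printf '%s\n' "$2" | wg_conf_get Peer Endpoint); c_port=${c_port##*:}
    rc=0
    [ "$s_peer" = "$c_addr" ] || { echo "server AllowedIPs '$s_peer' != client Address '$c_addr'"; rc=1; }
    [ "$c_peer" = "$s_addr" ] || { echo "client AllowedIPs '$c_peer' != server Address '$s_addr'"; rc=1; }
    [ "$c_port" = "$s_port" ] || { echo "client Endpoint port '$c_port' != server ListenPort '$s_port'"; rc=1; }
    return $rc
}

# Classify `wg show` output from stdin: "blocked" when every peer reports
# "0 B received, 0 B sent" (the guide's network-firewall symptom), "traffic"
# when at least one peer has moved bytes, "no-peers" when none is listed.
wg_transfer_state() {
    awk '
        /^[ \t]*transfer:/ { peers++; if ($0 ~ /0 B received, 0 B sent/) idle++ }
        END {
            if (peers == 0) print "no-peers"
            else if (idle == peers) print "blocked"
            else print "traffic"
        }'
}

# --- constructed samples (placeholders, not real keys) -----------------------
SERVER_CONF='[Interface]
PrivateKey = <server-private-key-placeholder>
ListenPort = 50044
Address = 10.0.0.1/32

[Peer]
PublicKey = <client-public-key-placeholder>
AllowedIPs = 10.0.0.2/32
PersistentKeepalive = 25'

CLIENT_CONF='[Interface]
PrivateKey = <client-private-key-placeholder>
ListenPort = 50044
Address = 10.0.0.2/32

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 10.10.10.10:50044
AllowedIPs = 10.0.0.1/32
PersistentKeepalive = 25'

# A deliberately broken client: its Endpoint port is not the server's ListenPort.
BAD_CLIENT_CONF=$(printf '%s\n' "$CLIENT_CONF" | sed 's/^Endpoint = .*/Endpoint = 10.10.10.10:51820/')

WG_SHOW_IDLE='interface: wg-server
  public key: <server-public-key-placeholder>
  private key: (hidden)
  listening port: 50044

peer: <client-public-key-placeholder>
  allowed ips: 10.0.0.2/32
  transfer: 0 B received, 0 B sent
  persistent keepalive: every 25 seconds'

WG_SHOW_OK=$(printf '%s\n' "$WG_SHOW_IDLE" | sed 's/transfer: .*/transfer: 12.34 KiB received, 56.78 KiB sent/')

# --- demo ----------------------------------------------------------------------
echo "config cross-check (good pair):"
wg_pair_check "$SERVER_CONF" "$CLIENT_CONF" && echo "  ok"
echo "config cross-check (broken client):"
wg_pair_check "$SERVER_CONF" "$BAD_CLIENT_CONF" || echo "  mismatch found, as expected"
echo "wg show, tunnel blocked by network firewall: $(printf '%s\n' "$WG_SHOW_IDLE" | wg_transfer_state)"
echo "wg show, healthy tunnel:                    $(printf '%s\n' "$WG_SHOW_OK" | wg_transfer_state)"
```

On a real pair of hosts, feed the two files in with `wg_pair_check "$(cat /etc/wireguard/wg-server.conf)" "$(cat wg-client.conf)"` after copying the client file over, and pipe the live output with `sudo wg show | wg_transfer_state`. A `blocked` result alone does not prove the network firewall is at fault: the guide's earlier steps (Secure Boot, `wg-quick` restart, `ip_forward`) produce the same zero counters, so run the cross-check first and only then escalate the port list from step 18.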
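Steps 3, 5, 9, 10, 12 and 18 each boil down to "does this file or command output contain the expected entry". The following added POSIX shell example, which is not Kron's code, turns those checks into small parsers over the text the guide's commands produce, plus one `rap_service_audit` driver that counts findings. The function names, the required port list (443/tcp, 7777/tcp, 7777/udp, 50044/udp from the guide) and every sample input below are constructed for this example; the second CORS origin and the `...example` names are placeholders.

```shell
#!/bin/sh
# Added example (not Kron's code): offline parsers for the service-side checks
# in steps 3, 5, 9, 10, 12 and 18 of the guide. All inputs are constructed
# samples shaped like the real command output, not data from an installation.

# Step 9: print the server address inside "upstream backend { ... }" of nginx.conf (stdin).
nginx_upstream_server() {
    awk '
        /^[ \t]*upstream[ \t]+backend[ \t]*[{]/ { inb = 1; next }
        inb && /^[ \t]*[}]/                     { inb = 0 }
        inb && $1 == "server"                   { sub(/;.*$/, "", $2); print $2; exit }'
}

# Step 10: succeed when nginx.conf (stdin) has the /rap-ui/static location block
# whose absence makes the remote access link answer HTTP 404.
nginx_has_static_location() {
    grep -Eq '^[[:space:]]*location[[:space:]]+/rap-ui/static[[:space:]]*[{]'
}

# Step 12: succeed when web.xml (stdin) lists ORIGIN in the cors.allowed.origins parameter.
cors_allows_origin() {  # usage: cors_allows_origin ORIGIN < web.xml
    awk -v origin="$1" '
        /<param-name>[ \t]*cors\.allowed\.origins[ \t]*<\/param-name>/ { inp = 1; next }
        inp && /<param-value>/ {
            v = $0; sub(/.*<param-value>/, "", v); sub(/<\/param-value>.*/, "", v)
            n = split(v, list, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", list[i])
                if (list[i] == origin) found = 1
            }
            inp = 0
        }
        END { exit found ? 0 : 1 }'
}

# Steps 5 and 18: print each required port (2nd arg, space separated) that is not
# in the `firewall-cmd --list-ports` output (1st arg), one per line.
missing_ports() {  # usage: missing_ports "$open_ports" "$required_ports"
    for p in $2; do
        case " $1 " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Step 3: succeed when `iptables -t nat -nvL` output (stdin) has a DNAT rule to IP:PORT.
nat_has_dnat_to() {  # usage: nat_has_dnat_to IP:PORT < nat-table
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "DNAT.*to:$esc([^0-9]|\$)"
}

# Run every check and return the number of findings (0 = all present).
rap_service_audit() {  # usage: rap_service_audit NGINX_CONF WEB_XML OPEN_PORTS NAT_TABLE RAP_URL DNAT_TARGET
    n=0
    [ -n "$(printf '%s\n' "$1" | nginx_upstream_server)" ] || { echo "FINDING: no 'upstream backend' server (step 9)"; n=$((n+1)); }
    printf '%s\n' "$1" | nginx_has_static_location          || { echo "FINDING: /rap-ui/static location missing (step 10)"; n=$((n+1)); }
    printf '%s\n' "$2" | cors_allows_origin "$5"            || { echo "FINDING: $5 not in cors.allowed.origins (step 12)"; n=$((n+1)); }
    for p in $(missing_ports "$3" "443/tcp 7777/tcp 7777/udp 50044/udp"); do
        echo "FINDING: port $p not open in firewalld (steps 5/18)"; n=$((n+1))
    done
    printf '%s\n' "$4" | nat_has_dnat_to "$6"               || { echo "FINDING: no DNAT rule to $6 (step 3)"; n=$((n+1)); }
    return $n
}

# --- constructed samples ---------------------------------------------------------
NGINX_CONF='http {
    upstream backend {
        server 10.0.0.2:443;
    }
    server {
        listen 443 ssl;
        #
        # KronPAM internal redirections (frontend)
        #
        location /rap-ui/static {
            proxy_set_header X-Forwarded-For $remote_addr;
            real_ip_header X-Forwarded-For;
            proxy_pass http://127.0.0.1:7777/static;
        }
    }
}'
# The same file with the static location block removed (the 404 case of step 10).
NGINX_CONF_404=$(printf '%s\n' "$NGINX_CONF" | sed '/location \/rap-ui\/static/,/^        }/d')

WEB_XML='<filter>
  <filter-name>CorsFilter</filter-name>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://remote.cloudpam.com, https://rap2.example</param-value>
  </init-param>
</filter>'

NAT_TABLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:10.20.42.129:443

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            10.20.42.129         tcp dpt:443 to:10.20.42.17'

# --- demo ---------------------------------------------------------------------
rap_service_audit "$NGINX_CONF" "$WEB_XML" "443/tcp 7777/tcp 7777/udp 50044/udp" "$NAT_TABLE" https://remote.cloudpam.com 10.20.42.129:443 && echo "healthy sample: no findings"
rap_service_audit "$NGINX_CONF_404" "$WEB_XML" "443/tcp" "$NAT_TABLE" https://remote.cloudpam.com 10.20.42.129:443 || echo "broken sample: $? findings"
```

For step 5 the audit deliberately reports the ports that are missing rather than whether firewalld is running: opening exactly the ports step 18 lists (`firewall-cmd --add-port=...`) keeps the host firewall in place, which is the safer end state than the guide's "stop firewalld if it is not needed" shortcut. On a live host the inputs are `$(cat /etc/nginx/nginx.conf)`, `$(cat /pam/gui/conf/web.xml)`, `$(sudo firewall-cmd --list-ports)` and `$(iptables -t nat -nvL)`; replace 50044/udp with the WireGuard port actually chosen.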