What to check if the Tenant Connector is not working (Troubleshooting)
1. Check that Secure Boot is disabled on both the Kron PAM server and the Tenant Connector; if it is enabled, WireGuard might not work.

   ```
   [root@connector ~]# mokutil --sb-state
   ```

2. Check the WireGuard configuration file on the Kron PAM server and the Tenant Connector.

   Read the WireGuard config file on the Kron PAM server:

   ```
   [root@pam ~]# cat /etc/wireguard/wg-vpn-{port number}.conf
   ```

   Example:

   ```
   [root@pam ~]# cat /etc/wireguard/wg-vpn-10001.conf
   [Interface]
   PrivateKey = aaa231425cfcy55zsfg/37xkizmngev8az+xxxxxx=
   Address = 192.168.0.2/32
   Endpoint = ${vpn node ip}:${tunnel port}
   ListenPort = 10001

   [Peer]
   PublicKey = aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
   AllowedIPs = 192.168.0.1/32
   PersistentKeepalive = 25
   ```

   Read the WireGuard config file on the Tenant Connector:

   ```
   [root@connector ~]# cat /etc/wireguard/wg-vpn-{port number}.conf
   ```

   Example:

   ```
   [root@connector ~]# cat /etc/wireguard/wg-vpn-10001.conf
   [Interface]
   PrivateKey = bbbld/n5r2ff1pfixu2d5ayk3cppdedixzjtbyyyyyy=
   Address = 192.168.0.1/32
   ListenPort = 10001

   [Peer]
   PublicKey = bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
   AllowedIPs = 192.168.0.2/32
   Endpoint = 10.10.10.10:10001
   PersistentKeepalive = 25
   ```

   Ping the Kron PAM server's WireGuard IP address and the Tenant Connector's WireGuard IP address on both environments (you should see that messages are received/sent).

   ```
   [root@pam ~]# ping {connector's wireguard public ip}
   ```

   Example:

   ```
   [root@pam ~]# ping 192.168.0.1
   ```

   ```
   [root@connector ~]# ping {pam's wireguard public ip}
   ```

   Example:

   ```
   [root@connector ~]# ping 192.168.0.2
   ```

3. Check the iptables rules on the Tenant Connector machine.

   ```
   [root@connector ~]# iptables -t nat -nvL
   ```

4. Check the status of the pam-connector service on the Tenant Connector machine.

   ```
   [root@connector ~]# sudo systemctl status pam-connector.service
   ```

5. Check the port allowance at the server level that is defined in the firewall service.

   ```
   [root@connector ~]# sudo firewall-cmd --list-ports
   ```

   Stop the firewall service if it is not needed.

   ```
   [root@connector ~]# sudo systemctl stop firewalld
   ```

6. Check the heartbeat messages on the Tenant Connector page of the Kron PAM web GUI (you should see that the heartbeat is received by the Kron PAM server with a red line at the 4).

7. Check the IP routing configuration on the Tenant Connector.

   ```
   [root@connector ~]# sysctl net.ipv4.ip_forward
   ```

   The result should be 1. If it is 0, please enable IP routing by setting it to 1.

   ```
   [root@connector ~]# sysctl -w net.ipv4.ip_forward=1
   ```

8. Check the SELinux security mode on the Tenant Connector.

   ```
   [root@connector ~]# getenforce
   ```

   The result should be Permissive; if it is Enforcing, please select the permissive security mode with this command:

   ```
   [root@connector ~]# setenforce 0
   ```

9. Check the connector log under /pam/gui/logs on the Kron PAM server during the tenant installation, after pressing the Save button on the GUI.

   ```
   [root@pam ~]# tail -1000f /pam/gui/logs/connector.log
   ```

10. Check catalina.out and localhost_access_log.2025-xx-yy.txt under /pam/gui/logs on the Kron PAM server during the session opened on the device assigned to the Tenant Connector.

    ```
    [root@pam ~]# tail -1000f /pam/gui/logs/catalina.out
    ```

    ```
    [root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.2025-{xx-yy}.txt
    ```

    Example:

    ```
    [root@pam ~]# tail -1000f /pam/gui/logs/localhost_access_log.2025-02-25.txt
    ```

11. Check if messages are going through the Tenant Connector during the session opened on the device assigned to the Tenant Connector (you can find the connector's WireGuard IP in the WireGuard config file and the device port in the device properties on the Kron PAM web GUI).

    ```
    [root@connector ~]# tcpdump -i any host {connector's wireguard ip} and port {device port assigned from kron pam server} -vv
    ```

    Example:

    ```
    [root@connector ~]# tcpdump -i any host 192.168.0.1 and port 40000 -vv
    ```

12. Lastly, please ask the customer to check their firewall at the network level. You can understand whether the firewall at the network level blocks the secure tunnel messaging by executing the sudo wg show command and checking its result (if the transfer line is 0, the firewall at the network level blocks the messages through the WireGuard port).

    ```
    [root@connector ~]# sudo wg show
    interface: wg-vpn-10001
      public key: bbbyno14grh7aadq6cbzatmg8bvb3ac5ry3kuyyyyyy=
      private key: (hidden)
      listening port: 10001

    peer: aaayno14grh7aadq6cbzatmg8bvb3ac5ry3kuxxxxxx=
      endpoint: 10.10.10.10:10001
      allowed ips: 192.168.0.2/32
      transfer: 0 B received, 0 B sent
      persistent keepalive: every 25 seconds
    ```
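The transfer check in step 12 can be scripted against the machine-readable `wg show <interface> dump` output. The following is an added example, not part of the Kron PAM documentation or product; the function names, state names and sample counters are assumptions, and it goes slightly beyond the page by separating "nothing sent or received" from "sent but nothing received".

```shell
#!/bin/sh
# Added example. Input: output of `wg show <interface> dump` (tab-separated):
#   line 1: private-key public-key listen-port fwmark   (interface, skipped)
#   others: public-key preshared-key endpoint allowed-ips
#           latest-handshake transfer-rx transfer-tx persistent-keepalive

# Prints "<endpoint> <allowed-ips> <state>" per peer. Keys are never printed.
# State names are this example's own:
#   no-traffic  rx = 0 and tx = 0 (the "transfer 0" case in step 12)
#   no-reply    rx = 0 and tx > 0 (bytes were sent, none received)
#   ok          rx > 0
classify_wg_peers() {
    awk -F '\t' '
        NR == 1 { next }
        NF >= 8 {
            rx = $6 + 0; tx = $7 + 0
            if (rx == 0 && tx == 0) state = "no-traffic"
            else if (rx == 0)       state = "no-reply"
            else                    state = "ok"
            printf "%s %s %s\n", $3, $4, state
        }'
}

# Exit status 0 only if at least one peer exists and every peer is "ok".
wg_tunnel_healthy() {
    result=$(classify_wg_peers)
    [ -n "$result" ] && ! printf '%s\n' "$result" | grep -qv ' ok$'
}

# Constructed sample dump; keys are placeholders, counters are made up.
sample_dump() {
    printf 'PRIVKEY_PLACEHOLDER\tPUBKEY_PLACEHOLDER\t10001\toff\n'
    printf 'PEER_A\t(none)\t10.10.10.10:10001\t192.168.0.2/32\t0\t0\t0\t25\n'
    printf 'PEER_B\t(none)\t10.10.10.11:10001\t192.168.0.3/32\t0\t0\t592\t25\n'
    printf 'PEER_C\t(none)\t10.10.10.12:10001\t192.168.0.4/32\t1740480000\t9216\t8804\t25\n'
}

# Demo on the sample; on a live host: sudo wg show <interface> dump | classify_wg_peers
sample_dump | classify_wg_peers
```

Unlike plain `wg show`, the first line of the dump output carries the interface private key, so pipe the dump straight into the function instead of saving or logging it.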