AdiNugrahaTjand
Enthusiast

cannot open tunnel configuration page after upgrade 1907 patch 5

Hello,

I've recently upgraded an on-premise installation from 1903.4 to 1907.2. After the upgrade, the VMware Tunnel configuration page has been inaccessible. On the parent OG (tunnel is not configured) I can still see the configuration page; on the child OG where tunnel is configured it keeps giving 'An error has occurred', and right now the VPN profiles won't push to the device.

Today I tried updating the patch again and it's now at 1907.5, and I'm still seeing the same problem. Any suggestions, other than rolling back the upgrade?
42 Replies
AdiNugrahaTjand
Enthusiast

Hi ZHEREBYATEV V.
Do you know which certificate and what was done to it?
0 Kudos
AdiNugrahaTjand
Enthusiast

19.9.0.4 console is out for on premise and it finally fixed my tunnel issue
0 Kudos
jpacho
Contributor

I'm on 19.9.0.11 and I can't save the VMware Tunnel configuration. Any update about this case?
0 Kudos
JoeBeaty
Enthusiast

Jesus, check out the response from Zherebyatev regarding the cert issue on the device services server. 'The problem was in the certificate on the device server. Technical support will help you solve this problem.'

Maybe give them a call and refer to this thread.
0 Kudos
JoeBeaty
Enthusiast

Zherebyatev V.

What certificate was causing an issue on the device services server and how was it resolved?
0 Kudos
SergeLandryTare
Contributor

For us, there was a CORS policy that was causing the header to be dropped. After fixing that bug on the proxy, we were able to reach the Tunnel Configuration page.
0 Kudos
ChristophBaecke
Contributor

Still broken Tunnel-Config-Page with 19.09.0.17 on my own lab.


Have seen this on three customer installations this week updating, one coming all the way from 9.2.3.x directly to 19.09.0.4 (after DB 9.2->9.3->19.09 of course).


What the heck is going on? One says Site URLs, cannot confirm (can one even hit override for sub-global entries?). A specific patch for 19.07 (15) doesn't help with 1909. In a deeper inspection, the one thing that should be altered in the tunnel appsettings.json isn't even present ('Usage'). Certificate thing on DS? Hmm, I don't find anything specific here that makes sense.


It is not only that you can't access the TunnelConfig-Page in the Console. You cannot deploy tunnel profiles anymore after you have removed them once. The UAG does not find the entry anymore and the service does not start. I can't even edit a single Apps Assignment where the Tunnel is being configured, I cannot remove the App entirely from the console and re-add it without tunnel config, and I cannot add an assignment.

0 Kudos
ZHEREBYATEVVLAD
Contributor

Good afternoon! I apologize for not responding for a long time. I work through a 'general' account and did not see messages ((.
1) Question on the 'tunnel': The problem was resolved after replacing the internal and external certificates of the 'IIS' service, replacing the certificates on the 'tunnel' server.
2) Recently, I again had a problem with the 'proxy tunnel' (the profile on the devices stopped being installed), the problem was solved by technical support in the 'DSAW' server configuration API. A correction has already been made to the patch for software 19.9 ......
0 Kudos
AdiNugrahaTjand
Enthusiast

I've since worked with a customer using on-premise 19.9.0.4 that can't save the per-app-tunnel VPN configuration, and the solution from support was to create a dummy Enterprise CA. The issue was that the configuration was somehow looking for an Enterprise CA (which was never configured).

Another one was using a dedicated cloud tenant running 19.8.0.1. According to support there was a known issue where the tunnel page would randomly crash; the workaround provided was to get VMware's SaaS Ops team to restart the VMware Tunnel service on the servers.
0 Kudos
jahuu
Contributor

Same here: On-Premise 19.09.17 - cannot open Tunnel-Config Page on my test environment. I have made some 'Device Traffic rules' and suddenly I cannot open the Tunnel-Config Page.
Tunnel on UAG (Relay-Endpoint-Config - UAG 3.7) cannot start.
But it works for weeks (per-App-Tunnel)..
In the logfile (logs/services) w1.tunnel.log I can read:
'Error VMware.WS1.Tunnel.API.Middlewares.AppLoggingMiddleware+d__2 - - /tunnel/configurations/b08adcfd-dd9e-4d1a-82b5-454145a78762/nsx-configurations - GET 500 6 /tunnel/configurations/{uuid}/nsx-configurations'
0 Kudos
ChristophBaecke
Contributor

I opened a ticket with one of my customers (OnPrem 19.07.0.19) and we came to a solution, and it was nothing that was mentioned in this thread (the patch 19.07.0.15 comes closest or, to be precise, what it actually does, but it did not work in my case!). So either there are many different reasons for the issue to occur, or some posts are out of context or simply wrong/misunderstandings, or there are just many solutions, this one included.


However, starting with 1907 the way the tunnel/Api access is working changed and somehow might be broken afterwards if it was configured in earlier releases. Check the following on all CS/DS/API-Servers:


Open 'filepath.txt' in 'C:\AirWatch\AirWatch 1907\Supplemental Software\Tools\UpdateSQLServerInfo' (or the 'AirWatch %version%' you are running, in the custom path you chose) with Notepad++ and search for 'AirWatch.ApiGateway'.


If you find that, you can most likely ignore this post. If not, that's most likely one reason for the issue. Next, search for 'AirWatch.DevicesGateway' and below that line, add:


..\..\..\Websites\AirWatch.APIGateway\Web.config


Save the file filepath.txt. Then start 'UpdateSQLServerInformation.exe', located in the same folder, as admin and click 'Update'. This puts the previous change into the associated config files associated with DB-Access.


Now - according to support - a restart of that server (all servers where you did the change) is recommended. If that's not possible, restarting the following services might do it:


AirWatch API Workflow
AirWatch Tunnel Service


____________________________________


As always: No backups, little sympathy. Feeling safer contacting VMware Support or Partner? Of course, do so!


However, if this has helped you (or not), I would love to know including the version you are running. Thank you!


_____________________________________

@Olaf

As you are running UAG 3.7, just in case no edge services and HA come alive after a reboot one day, you are facing the following issue:

https://kb.vmware.com/s/article/76424

Ignore this, if you already fixed this. 😉

jahuu
Contributor

Thanks Christoph.
I also opened a case and today I got the same solution - and it works. In my case the line 'Airwatch.APIGateway\Web.config' was present in the filepath.txt - Support just changed 'API' to 'Api', saved the file - updatesqlserverinformation.exe - restarted services and I can open the Tunnel Configuration Page now.
ChristophBaecke
Contributor

Interesting and disturbing.

On my fresh, working 1909 test installation, 'API' is indeed written in capital letters. In the customer's 1907 environment, 'Api' was added by support.

I will keep an eye on that, thanks for pointing that out Olaf!
0 Kudos
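
A read-only way to run the filepath.txt check described in the posts above, added here as an example (not VMware's or any poster's script). It assumes filepath.txt holds one relative path per line and that entries resolve relative to the tool folder; the default folder is the one quoted in the thread.

```powershell
# Read-only check of filepath.txt for the API gateway entry discussed in this thread.
# Assumption: one relative path per line, like the line quoted in the post above.
param(
    # Folder named in the thread; adjust the drive and "AirWatch 1907" to your install.
    [string]$ToolDir = 'C:\AirWatch\AirWatch 1907\Supplemental Software\Tools\UpdateSQLServerInfo'
)

$file = Join-Path $ToolDir 'filepath.txt'
if (-not (Test-Path -LiteralPath $file)) {
    Write-Warning "filepath.txt not found in $ToolDir"
    return
}

$lines = Get-Content -LiteralPath $file

# -match is case-insensitive, so this finds 'APIGateway' and 'ApiGateway' alike.
$apiLines = @($lines | Where-Object { $_ -match 'AirWatch\.ApiGateway' })
$dsLines  = @($lines | Where-Object { $_ -match 'AirWatch\.DevicesGateway' })

if ($dsLines.Count -eq 0) {
    Write-Warning 'No AirWatch.DevicesGateway line found; file layout differs from the thread.'
}

if ($apiLines.Count -eq 0) {
    Write-Output 'MISSING: no AirWatch.ApiGateway entry in filepath.txt'
    return
}

foreach ($line in $apiLines) {
    $entry = $line.Trim()
    # -cmatch is case-sensitive: report which spelling this file actually uses.
    $casing = if ($entry -cmatch 'AirWatch\.APIGateway') {
        'API (capitals)'
    } elseif ($entry -cmatch 'AirWatch\.ApiGateway') {
        'Api (mixed case)'
    } else {
        'other casing'
    }
    # Assumption: entries are relative to the tool folder.
    $target = Join-Path $ToolDir $entry
    $exists = Test-Path -LiteralPath $target
    Write-Output ("FOUND: {0} | casing: {1} | target exists: {2}" -f $entry, $casing, $exists)
}
```

The script changes nothing; run it on each CS/DS/API server and compare the reported casing across servers before opening a support case.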
syarbrou
Enthusiast

So do we know what the official reason for this is and the solution?  Here's our situation.  We have been running on 19.7.0.18 for a while now.  Basically the day the .18 patch came out we have been on it whenever that was.  VPN has been working fine.  Couple days ago we noticed a yellow triangle next to the VPN Profile on one of our test devices but ignored it since it wasn't the reason for our testing and just thought it was because the Tunnel app wasn't also assigned to the device.  So we just setup one of our company presidents new phones and boom his per app VPN won't work and he's annoyed.  Now none of the devices will install.  So this wasn't necessarily part of an upgrade, happened a while later so find this a bit odd.  Also I can not access on the OG that is configured, the Tunnel config in All Settings.  I've been off for a couple days but don't think my team has figured it out yet.

Thanks.

Steve

0 Kudos
Vestengen
Enthusiast

19.07.29 patch or upgrade to 19.09 should fix it. Or create a ticket to get help adding the missing api record in the database

0 Kudos
syarbrou
Enthusiast

Thanks, I'll try applying the latest patch Monday and see what happens.  Do we have any idea why it would just work and then suddenly stop?  Makes no sense.  Looked like most people found it when they updated but mine was working for months before it started having this enrollment problem.

Thanks.

Steve

0 Kudos
Vestengen
Enthusiast

I have no idea, but got the same problem. Worked for months, then suddenly stopped. Support fixed it manually by creating the missing database record.

0 Kudos
syarbrou
Enthusiast

Errrr.  Well I hope it works.  That said, I'm going to be a conspiracy theorist and say that it's because they are trying to get everyone to move to the cloud version and these kinds of problems are their way of making you do it.  Not the first time something popped up and we all had to react to it to get a fast fix.

0 Kudos
syarbrou
Enthusiast

By the way updating now.  Also does this happen with versions of 19.09 as well?  Think my dev environment is on 19.09.04 and one of my team said it has the same problem.

EDIT:  Updated the database, device server, and console server.  We are going to test enrollment but the tunnel page still errors for us.  We are on 19.7.0.39.

EDIT EDIT:  Thought I posted an update but guess not.  The update didn't help.  Enrolling a device still won't accept the tunnel profile.

0 Kudos
JoeBeaty
Enthusiast

I contacted support about this because all of a sudden my tunnel profile stopped working.  What they said was this was related to an API string in the appsetting.json file where the DB password is not getting updated by the tunnel service after a 90 day period.  This is why they said we didn't see it right away.

They sent me an updated UpdateSQLServerInformation.exe file which had the same hash as my current file.  Here were the instructions to fix:

  1. Download the zip (you will need to get this from support).
  2. Copy UpdateSQLServerInformation.exe to E:\AirWatch\AirWatch 1907\Supplemental Software\Tools\UpdateSQLServerInfo\ (replacing E: with the installed drive and "AirWatch 1907" with your current version).
  3. Run UpdateSQLServerInformation.exe on the API server (this is our DS server).
  4. Restart services.

Oddly enough after a screen share session, it just started working again without running UpdateSQLServerInformation.exe.

Hope this helps.

0 Kudos