Room/Desktop Connectivity Troubleshooting Guide
This guide provides you with tips to troubleshoot Room and Desktop connectivity issues that may crop up while you are using the Tehama platform.
Connectivity Troubleshooting
Having a connectivity issue in your Room? Unable to access a resource from a Desktop session? Read through the troubleshooting tips below.
Regardless of the nature of your connectivity issue, your first steps should include the following:
A. Determine which type of Network Access your Room is configured to use. From the Tehama Web UI:
- Click on the ROOMS tab.
- Click on the name of your Room in the list of Rooms.
- Click on the Room's CONNECTION tab.
- Click on the STATUS sidebar menu item.
On the resulting screen, you will see the 'Network Access' field, which shows your Room's network access setting - one of 'Multi-Path', 'Tehama Gateway' and 'Internet Only'.
B. If your Room's network access is 'Multi-Path', determine the status of the connections you have added to your Room. On the same screen where you just checked your network access, look at the table of connections. The icon before the connection name denotes the connection's status. A red X means the connection is unhealthy. A green checkmark means the connection is healthy. If unhealthy, check the status of the VPN IPSec connection you set up for this connection in your private network.
C. If your Room's network access is 'Tehama Gateway', determine the version of the Gateway (or Gateways). On the same screen where you just checked your network access, look at the table of Gateways. The version can be seen under the Gateway Version column. If the Gateway is not the most currently available Gateway, the Status column will show status and a link to 'Update' the Gateway will be available under the actions menu for the Gateway.
Is your network access setting correct for your needs?
- Network access set to 'Internet Only':
If you need access to resources in the connected organization's private network(s), this is not the correct network access option for you. Discuss switching to either the 'Tehama Gateway' network access option or the 'Multi-Path' network access option with your Room's connected organization. See the instructions for changing network access under the 'Change a Room's network access setting' section in the Room/Desktop Connectivity - Types, Status and Settings guide. - Network access set to 'Tehama Gateway':
If you DO NOT need access to resources in any of the connected organization's private networks, this is not the correct network access option for you. Discuss switching to the 'Internet Only' network access option with your Room's connected organization. See the instructions for changing network access under the 'Change a Room's network access setting' section in the Room/Desktop Connectivity - Types, Status and Settings guide. Alternately, consider switching your Room's network access to 'Multi-Path', which provides internet access without the need to install a gateway or to configure a connection.
If you need access to resources in MORE THAN ONE of the connected organization's private networks, this is not the correct network access option for you. Consider switching your Room's network access to 'Multi-Path', which has the capability to connect to multiple private networks.
If you need access to resources in ONE OR MORE of the connected organization's private networks, but you DO NOT WANT TO INSTALL A TEHAMA GATEWAY within the connected organization's networks, this is not the correct network access option for you. Consider switching your Room's network access to 'Multi-Path', which has the capability to connect to private networks through VPN IPSec connections - no gateway required.
If your network access setting is 'Tehama Gateway', is the Gateway connected to the Room?
Check that the Gateway (or at least one of the Gateways, if your Room has more than one enabled) is successfully connected to Tehama. See instructions in the Verify Connectivity with Tehama from the Tehama Web UI section of Tehama Gateway - Installation and Management. If there is no connectivity, have the Room's connected organization run the Gateway diagnostic tool to help track down the connectivity issue(s). See the Tehama Gateway Diagnostic Tool section in Tehama Gateway - Installation and Management.
You may see the following connectivity warning on the Room's STATUS page:
"Gateway connection warning We are not able to communicate to the gateway at this time. This might be caused by your network configuration. Please check the connectivity of the gateway and disregard this message if connected."
The Gateway Connection Warning notice serves to provide a warning that Tehama is unable to directly confirm that a Tehama Room has an active connection to its corresponding Gateway. It does not mean that the Gateway is disconnected, and in fact in almost every case the connection is still up. It's just that the connection health monitor can no longer see the Gateway to confirm if it is operating or not.
This issue can occur if there has been a change in network routing between the Gateway and the Tehama Web Server responsible for monitoring the service. If you are uncertain about the Gateway status, you should attempt to launch a Tehama Desktop and validate the connection from an application running on the desktop itself rather than assuming that Gateway has failed.
Note: The choice of application used to verify connectivity is dependent on the Gateway Firewall rules that are in place, and should align with the intended use of the Room. Please do not attempt to validate connectivity by running a connection test from either the in-room Workspace Agent or the Tehama web portal, the connection test does not run when the Connection Status is Warning, and do not use an ICMP Ping to attempt to verify connectivity - ICMP pings do not traverse the Tehama Gateway.
If your network access setting is 'Tehama Gateway', is the connected organization's private network firewall configured correctly?
Have the Room's connected organization check to be sure that the firewall has been configured in one of the ways outlined in the Firewall Configuration section in Tehama Gateway - Installation and Management.
If your network access setting is 'Multi-Path', are the firewalls for the connected organization's private networks , to which the Room is connected, configured correctly?
Have the Room's connected organization check to be sure that the firewalls have been configured to allow access to the Multi-Path Room's Room subnet value. See the Firewall Configuration section in Multi-Path Room - Add and Manage Connections.
Are you having difficulty accessing a particular resource in a Multi-Path Room?
Multi-Path Rooms have an optional, additional layer of access control that the other Room types do not have - DNS Filtering. This feature filters access to the internet through a list of allowed domains, before applying the firewall rules. Check to see if the DNS Filtering in your Room is active and, if so, if the domain for your resource is in the list of allowed domains.
Are you having difficulty accessing a particular resource in a Gateway or Internet-Only Room?
Run the connection test tool targeting the address and port for that resource. See instructions in the Connection Test Tool User Guide. This tool can be used from either the Tehama Web UI or from the Desktop Agent in a running Desktop session.
Note: The Connection Test tool is not currently available for Rooms with 'Network Access' set to 'Multi-Path'.
IMPORTANT: Make sure you are testing with the form of the target address that you will be using. For example, if your application connects with the IP address of the target, test with the IP address. If your application connects with the FQDN, test with the FQDN.
NOTE: Do not use 'ping' to check connectivity to the resource from your Desktop. The 'ping' command is of no use in troubleshooting connectivity issues since it requires ICMP traffic which is not supported by Tehama. (Tehama supports TCP/UDP only.) Instead, run the connection test tool, as described above.
- Connection Test for Network access setting 'Internet Only':
- If the connection test fails with an indication that the connection-infrastructure for internet-only Rooms is not functioning, have the Room's owner organization escalate the connectivity issue to Tehama Support.
- If the connection test fails with an indication of a missing firewall rule, have the Room's connected organization add the firewall rule.
- If the connection test indicates that the resource is reachable from the connection-infrastructure, yet you are still having issues, run the connection test tool from the Desktop Agent in a running session of a Desktop in the Room. If that connection test fails with an indication that the address is not reachable from the Desktop, have the Room's owner organization escalate the connectivity issue to Tehama Support.
- If the connection test indicates that the resource is reachable from both the connection-infrastructure and the Desktop, but your application (Putty, for example) still does not connect to the resource, have the Room's owner organization escalate to Tehama Support.
- If the connection test fails with an indication that the connection-infrastructure for internet-only Rooms is not functioning, have the Room's owner organization escalate the connectivity issue to Tehama Support.
- Connection Test for Network access setting 'Tehama Gateway':
- If the connection test fails with an indication that the Gateway is down (or both of the Gateways are down, if your Room has more than one enabled), that is to say not running and/or not connected to your Room, have the Room's connected organization run the Gateway diagnostic tool to help track down the connectivity issue(s).
- If the connection test fails with an indication of a missing firewall rule, have the Room's connected organization add the firewall rule.
- If the connection test, using the IP version of the resource address, fails with an indication that the address for the resource is not reachable from the Gateway machine, have the connected organization investigate their data center routing.
- If the connection test, using the FQDN version of the resource address, fails with an indication that the address for the resource is not reachable from the Gateway machine, yet testing with the IP version of the address passes, have the connected organization investigate their DNS setup.
- If the connection test indicates that the resource is reachable from the Gateway machine, yet you are still having issues, run the connection test tool from the Desktop Agent in a running session of a Desktop in the Room. If that connection test fails with an indication that the address is not reachable from the Desktop, have the Room's owner organization escalate the connectivity issue to Tehama Support.
- If the connection test indicates that the resource is reachable from both the Gateway machine and the Desktop, but your application (Putty, for example) still does not connect to the resource, have the Room's owner organization escalate to Tehama Support. (See note below.)
NOTE: For some applications, like ssh, what appears to be a connectivity issue to the application's host may actually be an authentication issue with the application itself. The response you see for both issues may be similar. For such applications, use telnet to test the connectivity to the application's host/port in isolation. Try telnetting to the application's address and port from a terminal window in your Desktop.
For example if the application is ssh:- Open a terminal window in your Desktop.
- Enter:
telnet <address>:22
If telnet is able to connect (i.e.: if you see an empty screen with a blinking cursor) then your problem may well be an authentication issue with the application.
- If the connection test fails with an indication that the Gateway is down (or both of the Gateways are down, if your Room has more than one enabled), that is to say not running and/or not connected to your Room, have the Room's connected organization run the Gateway diagnostic tool to help track down the connectivity issue(s).
Desktop Log Collection
Still having issues in your Desktop after troubleshooting your connectivity? Escalate to Tehama Support.
Tehama Support may ask you to provide them with current logs from your Desktop. They will direct you to:
- Connect to your desktop.
- Open up your Desktop Agent application (AKA Workspace Agent).
- Click on the ABOUT tab.
- Click on the COLLECT LOGS button. The COLLECT LOGS dialog will appear.
- Read over the list of log files that will be collected.
- Click SUBMIT to agree to make the desktop logs available for troubleshooting purposes.
The logs will be placed in a secure storage location that is only accessible by the Tehama Support team. They will be used to diagnose your current Desktop issues. The logs will remain in the storage for the lifetime of your Desktop.