Asma Alfayyad Posted July 10 (edited)

Dears,

I am trying to troubleshoot my issue with the Tunnel service in a WS1 environment. Before I added it to the AVI LB, the app took the certificate and just waited for the rules, as below.

But now, when I add the environment on AVI, the certificate is not configured for Tunnel, knowing that the profile installed successfully and 4 certificates from the environment are installed on the device; 2 of them appear on the console as unknown.

And the below is from the tunnel server ./vpnreport tool.

Can anyone help, please?

Edited July 14 by Asma Alfayyad

Asma Alfayyad (Author) Posted July 14

@Jack @Andreano Lanusse @Graeme Gordon @Sascha Warno Dears, your help please.

Jack McMichael (Employee) Posted July 16

I would highly recommend you reach out to Broadcom support for AVI and troubleshoot it with them. My best guess based on what you're describing is this is an AVI issue.

Sascha Warno (Employee) Posted July 16

What is the config on AVI? Sounds like it is not presenting the certificate, which would point to AVI not using TCP fast path but actually offloading it. Also, is persistence set, or is there only one tunnel service?

Asma Alfayyad (Author) Posted July 17

Hello @Jack, I tried to reach out to the AVI support team, with no help from their side.

Hello @Sascha Warno, actually I followed the below documentation from AVI exactly:

https://avinetworks.com/docs/latest/load-balancing-workspace-one-uem-with-avi-vantage/#load-balancing-vmware-tunnel-per-app-vpn

I configured it on port 8443. In this L4 service, there is no option to add the SSL cert/profile on AVI. Are there any changes needed on the AVI VS? And if this is not the correct config, can you guide me, please?

Jack McMichael (Employee) Posted July 22

On 7/17/2024 at 2:20 AM, Asma Alfayyad said:

> Hello @Jack, I tried to reach out to the AVI support team, with no help from their side.
>
> Hello @Sascha Warno, actually I followed the below documentation from AVI exactly:
>
> https://avinetworks.com/docs/latest/load-balancing-workspace-one-uem-with-avi-vantage/#load-balancing-vmware-tunnel-per-app-vpn
>
> I configured it on port 8443. In this L4 service, there is no option to add the SSL cert/profile on AVI. Are there any changes needed on the AVI VS? And if this is not the correct config, can you guide me, please?

Sorry to hear it's not working still and it does look like you're following the right docs. This will require troubleshooting that only support can provide - it isn't practical for me to do on our community forum, so I encourage you to open a support request and ask for some assistance troubleshooting your config.

Edwin Posted July 22

Did you replace the certificate for tunnel? If yes, you need to push a new version of the VPN profile. Also hit a chicken-and-egg situation before, where tunnel is always on and pre-logon enabled: it could not connect, so the new profile is not pushed. Try to test with a clean machine. Sometimes the old certificate stays behind and it uses that one.

Does it work without the AVI? So direct NAT to UAG (if this is a valid scenario for you to test)? If it does, you know it is the AVI config. As stated before: no SSL offloading.

Shooting some "hail" here but hope it helps 😉

Asma Alfayyad (Author) Posted August 4

On 7/22/2024 at 5:23 PM, Jack said:

> Sorry to hear it's not working still and it does look like you're following the right docs. This will require troubleshooting that only support can provide - it isn't practical for me to do on our community forum, so I encourage you to open a support request and ask for some assistance troubleshooting your config.

Thanks @Jack. I already opened a case for that, but it is still not solved.

Asma Alfayyad (Author) Posted August 4

On 7/22/2024 at 6:26 PM, Edwin said:

> Did you replace the certificate for tunnel? If yes, you need to push a new version of the VPN profile. Also hit a chicken-and-egg situation before, where tunnel is always on and pre-logon enabled: it could not connect, so the new profile is not pushed. Try to test with a clean machine. Sometimes the old certificate stays behind and it uses that one.
>
> Does it work without the AVI? So direct NAT to UAG (if this is a valid scenario for you to test)? If it does, you know it is the AVI config. As stated before: no SSL offloading.
>
> Shooting some "hail" here but hope it helps 😉

Thanks @Edwin. Actually, the tunnel certificate has not changed. And yes, it works without AVI.

Edwin Posted August 5

I guess if it works without the LB then the answer almost certainly must be the LB config. Take a good look at the load balancing. No SSL offload (decryption)!

Load Balancing VMware Tunnel (Per-App VPN)

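Added example, not part of the thread and not VMware or Avi tooling: one way to check the "no SSL offload" point raised above is to compare the certificate the Tunnel server presents directly with the one clients receive through the load balancer VIP on the same port. The function names are hypothetical, and the script assumes the listener on port 8443 returns its server certificate during a TLS handshake from a client that holds no device certificate.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host, port, sni, timeout=5.0):
    """Leaf certificate presented by host:port, or None if the handshake fails.

    Validation is disabled on purpose: the certificate is compared, not trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def classify(direct_der, via_lb_der):
    """Compare what the Tunnel server presents with what clients see at the VIP."""
    if direct_der is None:
        return "tunnel-unreachable"          # fix the direct path first
    if via_lb_der is None:
        return "no-certificate-via-lb"       # VIP did not complete a TLS handshake
    if fingerprint(direct_der) == fingerprint(via_lb_der):
        return "passthrough"                 # same certificate end to end
    return "different-certificate-via-lb"    # LB terminates TLS or wrong pool member


if __name__ == "__main__":
    # Usage: python check.py <tunnel_ip> <vip_ip> <tunnel_hostname> [port]
    tunnel_ip, vip_ip, hostname = sys.argv[1:4]
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 8443  # port used in the thread
    direct = fetch_leaf_der(tunnel_ip, port, hostname)
    via_lb = fetch_leaf_der(vip_ip, port, hostname)
    print(classify(direct, via_lb))
```

Any result other than `passthrough` points at the virtual service or pool configuration, not at the device profile.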