VPN

Troubleshooting Per-App-VPN

Check that the device profile has a VPN section with Per-App VPN enabled. View the profile in XML and record the VPN profile's unique identifier (VPNUUID).

Verify that the application has “Use Per-App VPN” enabled. Then verify on the device that the check-in command is delivered and that the device receives the App Install command.

  • Verify on device: Device receives Managed Application Attributes command
  • Managed Application Attributes command links app with VPN profile

Verify on device: (on iOS) Settings → General → Profiles & Device Management → MDM Profile → Apps
Application displays VPN information under Device Management settings: “App will use a VPN for all network access”

Device Services (DS) server logs (the DS server handles front-end communication with the managed device):

  • DeviceServicesLogs (C:\AirWatch → Logs → DeviceServices)

Search for:

  • ApplicationAttributes
  • App Bundle ID
  • VPNUUID

Troubleshooting Windows 10 Tunnel Client

Client is unable to connect to Tunnel Server

  • Check Network connection
  • Check DNS
  • Check Configuration of Tunnel Server
  • Check Firewall configuration - rules denying outbound session
  • Check Tunnel Server port with telnet/curl

No applications configured 

  • Add the application to the UEM Console 
    • Configure the Tunnel.
    • Add application details (for example, Chrome and Firefox) and DTR rules for the added application (Block, Tunnel, Bypass or Proxy) with their destinations (for example *company-site.com)
    • Set default rule action to the Tunnel.
    • Create a user VPN profile and publish it to the device.
  • Check that the application is whitelisted in the DTR; if not, add it with the correct spelling/format
  • Check the logs for the application's registration status

No Traffic Rules configured

  • Check that the application has been added to the Device Traffic Rule configuration in the Windows Registry
    • Open HKLM\SOFTWARE\VMware, Inc.\VMware Tunnel
    • Open the DeviceTrafficRules file
    • Check that the application is whitelisted

Multi-Auth failures or compliance failures

  • The device must be whitelisted in the Tunnel configuration in the Registry
  • Check that the device is compliant
  • Check certificate validation:
    Go to Manage Computer Certificates → Trusted Root Certificate Authorities → Certificates → Check for the Tunnel Server authorized certificate

Whitelisted App’s traffic is not getting tunneled

The app’s executable may not be the one creating the connection.
Turn off the tunnel service, open the app in question and browse to an endpoint. Run netstat -aonb to check which executable is connecting to that endpoint. If it differs from the whitelisted exe, whitelist that executable instead.

Warning

DO NOT whitelist svchost.exe. It is the shared host process used by many Windows services; whitelisting it may lead to a BSOD.
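To make the netstat check above repeatable, here is an added example (not part of the original page, and not VMware's code) that parses netstat -aonb output, reports which executables actually connect to a given endpoint, and compares them with the DTR whitelist while refusing to suggest svchost.exe. The netstat text below is a constructed sample, and the whitelist is an assumed list rather than one read from the registry.

```python
import re

# Constructed sample of `netstat -aonb` output (not captured from a real host).
# With -b, each connection line is followed by the owning executable in
# brackets, optionally preceded by service component names (as for svchost).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:51234       198.51.100.20:443      ESTABLISHED     4120
 [firefox.exe]
  TCP    192.0.2.10:51235       198.51.100.20:443      ESTABLISHED     1088
  CryptSvc
 [svchost.exe]
  TCP    192.0.2.10:51236       198.51.100.21:443      ESTABLISHED     3300
 [msedge.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  RpcSs
 [svchost.exe]
"""

EXE_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

def parse_netstat(text):
    """Return (proto, foreign_addr, pid, exe) for every connection with an owner."""
    rows, pending = [], None
    for line in text.splitlines():
        tokens = line.split()
        # Connection line: PROTO LOCAL FOREIGN [STATE] PID (UDP has no STATE)
        if len(tokens) >= 4 and tokens[0] in ("TCP", "UDP") and tokens[-1].isdigit():
            pending = (tokens[0], tokens[2], int(tokens[-1]))
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:  # the [exe] line closes the pending entry
            rows.append(pending + (m.group(1).lower(),))
            pending = None  # entries without ownership info are simply dropped
    return rows

def executables_for_endpoint(rows, host, port=None):
    """Executables holding a connection to host (and optionally port)."""
    found = set()
    for _proto, foreign, _pid, exe in rows:
        fhost, _, fport = foreign.rpartition(":")  # also handles [ipv6]:port
        if fhost == host and (port is None or fport == str(port)):
            found.add(exe)
    return found

def check_whitelist(rows, host, whitelisted_exes):
    """Return (to_add, do_not_add): exes missing from the DTR whitelist, and
    svchost.exe if it is the one connecting, which must never be whitelisted."""
    actual = executables_for_endpoint(rows, host)
    allowed = {e.lower() for e in whitelisted_exes}
    do_not_add = {e for e in actual if e == "svchost.exe"}
    return actual - allowed - do_not_add, do_not_add
```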

Unable to open internal website (in configured domain) from whitelisted application

The NRPT may be corrupted. Stop the VMware Tunnel service; this should clear all NRPT entries. Then open the NRPT (Edit Group Policy → Windows Settings → Name Resolution Policy) and check whether any entries remain; if there are, delete them.

Browsing through the whitelisted app is sluggish or intermittent, and websites in the configured domain cannot be accessed

Turn on debug logs for the tunnel client. There may be a tunnel connectivity issue: either the tunnel client cannot reach the tunnel server (an SSL error while connecting to the server), or the server reports a Multi-Auth failure or whitelist failure for the device.

IKEv2 on iOS

Example of device profile config

Warning

Both the IKE2 cipher and the CHILD cipher must be configured; otherwise the XML of the config will be incorrect. Example error: ChildSecurityAssociationParameters does not specify keys ‘EncryptionAlgorithm’ and ‘IntegrityAlgorithm’ in the dictionary on the console XML.

Configure IKE as follows:

Configure Child as follows:

Warning

If configuring Always-On mode, the same applies to the WiFi/Cellular radio buttons and to the IKE2/Child settings in this mode: both must be configured for correct XML to be formed.