6.3 Troubleshooting Policy Provisioning

Occasionally, certain configuration errors in App Net Manager will cause an interruption in service between sites. App Net Manager alerts the user immediately when it detects such configuration errors. However, App Net Manager cannot detect every conflict: some conflicts allow a service to function normally but still block particular types of traffic, for example, from traveling from site to site.

6.3.1 User Group Administration

One of the most common policy errors occurs in the configuration of User Groups for each Corente Services Gateway. User Groups are the groups of machines (such as computers, servers, and printers) on the local network that are allowed to participate in the Corente Services network. Occasionally, a new machine may be added to a customer site LAN and its IP address will not be included in the User Group that is configured to access the application at the hub site.

To view or update the User Groups, do the following:

  1. Determine the IP addresses of the machines that cannot access the application.

  2. Right-click the Corente Services Gateway icon on the App Net Manager map and select Edit. The Location form is displayed.

  3. Click the User Groups tab at the top of the Location form.

  4. Select Default User Group from the list that is displayed and click the Edit button at the bottom of the window.

  5. In the User Groups Subnets/Address Ranges section of this window, check whether the IP addresses of the machines are included in any of the ranges or subnets that are displayed.

  6. If not, create a new subnet and address range entry. Select the Add button.

    • Include Subnet: Select this option to specify a range that will be included in the group. Fill out the available fields as follows:

      • Network Address: Enter the first address of the subnet in this field.

      • Subnet Mask: Enter the net mask of the subnet in this field, which will define the range of addresses within this subnet.

        Note

        If you include a range of IP addresses that is not contained within the same subnet of the LAN IP Address of the Corente Services Gateway or not distributed by the Corente Services Gateway’s DHCP server, you must provide routing information to this subnet on the Routes tab or enable RIPv2 or OSPF on the Network tab of this form.

      • Outbound NAT: You must set the appropriate Outbound NAT settings for this subnet. For now, select Permitted.

  7. Click OK to add this definition to this Default User Group.

  8. Click OK on the Default User Group window, and OK on the Location form window.

  9. Click the Save button in the App Net Manager tool bar to save your changes.

Once the changes have been saved and distributed to the Corente Services Gateway, the user should be able to access the application from the new machine.
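The check in step 5 and the routing condition in the Note can be applied mechanically to the entries shown on the Default User Group window. The following is an added example, not part of this guide or the product: the User Group entries, the gateway LAN address and the host addresses are constructed sample values, and the (kind, first, second) entry layout is an assumption made for the illustration.

```python
"""Check whether hosts fall inside a User Group's Subnets/Address Ranges.

Added example, not Corente's own code. The entries, gateway LAN address and
hosts below are constructed sample values; the (kind, first, second) tuple
layout is an assumption for this illustration, not the product's data model.
"""
import ipaddress

# Constructed sample of the Default User Group as listed on the Location
# form. "subnet" entries carry (Network Address, Subnet Mask); "range"
# entries carry (first address, last address).
DEFAULT_USER_GROUP = [
    ("subnet", "10.10.20.0", "255.255.255.0"),
    ("range", "10.10.21.50", "10.10.21.99"),
]

# Constructed sample: LAN IP address and mask of the Corente Services Gateway.
GATEWAY_LAN = ipaddress.ip_interface("10.10.20.1/24")


def entry_contains(entry, host):
    """Return True if the host address lies inside one User Group entry."""
    kind, first, second = entry
    addr = ipaddress.ip_address(host)
    if kind == "subnet":
        # ipaddress accepts a dotted netmask after the slash.
        return addr in ipaddress.ip_network(f"{first}/{second}", strict=False)
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(second)


def check_host(host, user_group=DEFAULT_USER_GROUP, gateway=GATEWAY_LAN):
    """Classify one host the way step 5 and the Note ask the operator to.

    Returns one of:
      "missing"       - in no entry; add a subnet or address range (step 6)
      "covered"       - in an entry on the gateway's own LAN subnet
      "covered-route" - in an entry outside the gateway LAN subnet, so a
                        Route, RIPv2 or OSPF is needed for it (the Note's
                        DHCP-distributed case is not modelled here)
    """
    addr = ipaddress.ip_address(host)
    if not any(entry_contains(e, host) for e in user_group):
        return "missing"
    if addr in gateway.network:
        return "covered"
    return "covered-route"
```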

6.3.2 Routing Configuration Issues for a Peer Corente Services Gateway

Occasionally, routing issues at the hub site or customer site can cause a tunnel to appear green and active in App Net Manager, but actually prevent traffic from correctly traversing the secure tunnel and prevent an application from functioning correctly. This is a common issue for a Corente Services Gateway that is using the Peer configuration.

The Top Talkers feature in Gateway Viewer can help verify that traffic is traversing the tunnel, so that you can narrow down the problem to routing issues on the hub site or the customer site.

If the tunnel appears active in App Net Manager and the User Groups are configured correctly, but the customer site is unable to reach hosts on the other side, do the following:

  1. Access the customer's Gateway Viewer remotely, from the hub site.

    To do this, ensure that there is a tube configured on both the hub site Corente Services Gateway and the customer site Corente Services Gateway that allows access to the customer's Corente Services Gateway LAN IP address from the hub site.

  2. Log in to Gateway Viewer.

  3. Click the Monitoring button and then click Top Talkers. Top Talkers displays the top ten most active hosts on the customer’s site.

  4. Choose one of the hosts listed on this page. Note the IP address of the host, and select the Set Options hyperlink.

  5. On the Top Talkers Options page, in the Address Ranges field, enter the IP address of the host that you noted in the previous step. Click Submit to save your changes. The Top Talkers page now displays data for that host only.

  6. Open a terminal window and ping the IP address of the host that you chose. If you can see echo requests come through on the Top Talkers page, then the issue is most likely due to routing on the customer side, where the return traffic does not have a route that allows traffic back.

Allowing Remote Access to a Corente Services Gateway

To allow remote access to a customer's Gateway Viewer, do the following:

  1. In App Net Manager, access the Location form for the Corente Services Gateway by right-clicking on the Corente Services Gateway icon in the map and selecting Edit. The Location form is displayed in a new window.

  2. On the Location form, click the Partners tab. This tab is used to choose the partners of this Corente Services Gateway.

  3. The main Partners tab presents a table of all partners of the Corente Services Gateway. Select the hub site Corente Services Gateway and click the Edit button. The Edit Partner screen is displayed.

  4. On this screen, click the Add button to create a new tube.

  5. Select the Location LAN Address option from the Local User Group pull-down menu.

  6. Select a Firewall Policy that allows the gateway_viewer Firewall Service both inbound and outbound over the connection, or leave this option set to None.

  7. Select the Remote User Group that contains the IP address of the computer you are currently using, which allows this computer to access the customer's Corente Services Gateway.

  8. Click OK to store the tube definition. Click OK on the Edit Partner screen, then OK on the Location form, and then click the App Net Manager Save button to save your changes.

  9. Similar configuration must be performed on the hub site Corente Services Gateway. Open the Location form for the hub site Corente Services Gateway and click the Partners tab.

  10. Select the customer's Corente Services Gateway on the Partners tab and click the Edit button. Add a new tube.

  11. Select the Local User Group that contains the IP address of the computer you are currently using, which allows this computer to access the customer's Corente Services Gateway.

  12. Select a Firewall Policy that allows the gateway_viewer Firewall Service both inbound and outbound over the connection, or leave this option set to None.

  13. Click OK to store the tube definition. Click OK on the Edit Partner screen, then OK on the Location form, and then click the App Net Manager Save button to save your changes.

  14. Select the Location LAN Address from the Remote User Group pull-down menu.

You should now be able to access the customer’s Gateway Viewer by typing the LAN IP address of their Corente Services Gateway into a browser.

6.3.3 Recent Administration Changes

You can also check the administrator logs in App Net Manager to see if any recent administrative changes could have caused the issue. To access the administrator logs in App Net Manager, do the following:

  1. Double-click the Reports category in the domain directory.

  2. Double-click the Logs subcategory.

  3. Double-click the Administration Logs subcategory.

  4. Select any month to view the logs of administrator activity for that month in a table on the right side of the App Net Manager interface.

A common configuration error to check for in the logs is as follows:

  • Did any administrators recently make changes to any Firewall Policies?

    Firewall Policies are created once and can then be applied to multiple Corente Services Gateways throughout the Corente Services network to control what type of traffic is allowed over specific partner to partner connections. If any changes are made to an existing Firewall Policy, those changes will be applied automatically to any Corente Services Gateway that is currently using that Firewall Policy. Ensure that any changes made to a Firewall Policy do not block the protocols that your applications require to operate between sites.

    To view the Firewall Policies currently defined in your domain, open the Global Intranet Settings category in the domain directory. Open the Firewall subcategory and do the following:

    1. Open the Firewall Policies subcategory.

    2. Select the Firewall Policies subcategory and view the table on the right side of the interface. This table displays the following fields:

      • Firewall Policy: The name of the policy.

      • Out Default: The default behavior for outbound Firewall Services that are not specified (Deny, Allow, or Continue to the next policy).

      • Exceptions: The number of specified Firewall Services for outbound traffic.

      • In Default: The default behavior for inbound Firewall Services that are not specified (Deny, Allow, or Continue to the next policy).

      • Exceptions: The number of specified Firewall Services for inbound traffic.

      • Permission: The Corente Services Gateways that have permission to use this particular Firewall Policy (All, None, or Specified).

      • In Use: Whether or not the Firewall Policy is currently in use for any Corente Services Gateway.

    To view the definition of an existing Firewall Policy, open the Firewall Policy's branch in the domain directory. Three categories are displayed: Inbound, Outbound, and Policy Use.

    • Open the Inbound or Outbound branches to see what Firewall Services have been specified for that direction. A note in brackets for each of these branches will tell you whether the specified Firewall Services are allowed through the firewall but all other protocols and ports are denied (Allow Specified/Deny) or whether the specified Firewall Services are denied through the firewall but all other protocols and ports are allowed (Deny Specified/Allow).

    • Open the Policy Use branch to see which Corente Services Gateways are allowed to use the Firewall Policy in their configurations.
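To reason about what a changed Firewall Policy does to the protocols an application needs, the table fields above (Out Default, In Default, Exceptions) and the Allow Specified/Deny and Deny Specified/Allow branch notes can be modelled and queried for a given Firewall Service. This is an added example, not Corente's own code: the sample policies, the way Continue hands a service on to the next policy, and the fallback when no policy decides are assumptions made for the illustration.

```python
"""Evaluate whether a Firewall Service passes an ordered list of Firewall Policies.

Added example, not Corente's own code. Each policy record carries the table
fields (In/Out Default and the per-direction Exceptions); the sample
policies, the chaining rule for Continue and the fallback when no policy
decides are assumptions made for this illustration.
"""

# Constructed sample policies. A Deny default with exceptions reads
# Allow Specified/Deny on the Inbound/Outbound branch; an Allow default
# reads Deny Specified/Allow; Continue hands the unspecified rest onward.
POLICIES = {
    "RemoteAdmin": {"in": ("Deny", ["gateway_viewer"]),
                    "out": ("Deny", ["gateway_viewer"])},
    "BlockFileShare": {"in": ("Continue", ["smb"]),
                       "out": ("Continue", ["smb"])},
    "OpenLan": {"in": ("Allow", []), "out": ("Allow", [])},
}

def direction_verdict(rule, service):
    """Apply one policy's (default, exceptions) rule to one service.

    A specified service gets the opposite of an Allow/Deny default; an
    unspecified one gets the default itself. Under a Continue default a
    specified service is denied (assumption: Continue covers only the rest).
    """
    default, exceptions = rule
    specified = service in exceptions
    if default == "Deny":
        return "Allow" if specified else "Deny"
    if default == "Allow":
        return "Deny" if specified else "Allow"
    return "Deny" if specified else "Continue"

def service_allowed(chain, service, direction, policies=POLICIES):
    """Walk the chain in order; the first Allow/Deny verdict decides.

    If every policy says Continue, the service is treated as denied
    (assumed safe fallback; the page does not state this case).
    """
    for name in chain:
        verdict = direction_verdict(policies[name][direction], service)
        if verdict != "Continue":
            return verdict == "Allow"
    return False

def both_ways_allowed(chain, service, policies=POLICIES):
    """Remote Gateway Viewer access needs the service allowed in and out."""
    return all(service_allowed(chain, service, d, policies) for d in ("in", "out"))
```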