Secure Mobile Access 12.4 Administration Guide

Table of Contents

General Networking Issues

These troubleshooting tips for networking issues are grouped by type of solution. Before using the ping utility, make sure that Enable ICMP pings is enabled on the Configure Basic Network Settings page. Some tips are given in these tables:

  • the Troubleshooting tips for networking issues table

  • the Troubleshooting tips for networking issues: hardware table

  • the Troubleshooting tips for networking issues: third-party solutions table

Troubleshooting tips for networking issues
Utility Troubleshooting tip
Ping the external interface Ping the external interface to verify the network connection. If you can ping a host's IPv4 or IPv6 address, but not its fully qualified domain name, there is a problem with name resolution. You can issue the ping command from the command line or from within AMC (see Ping Command).
Capture network traffic on the external interface To verify that traffic is reaching the appliance and being returned, use the network traffic utility in AMC, which is based on tcpdump. You can send this network traffic data to Technical Support, or review it using a network protocol analyzer like Wireshark. See Capturing Network Traffic for more information.
Ping the network gateway(s) Ping the external gateway and/or internal gateway. You can issue the ping command from the command line or from within AMC. For more information, see Ping Command.
Use ping to test DNS

If you experience DNS problems, first determine whether client DNS resolution is working:

  1. Make sure that the client machine has Internet access.

  2. At a DOS command prompt, type ping google.com. You should see a response like this:

Pinging google.com [nnn.nnn.nnn.nnn]

If basic DNS functionality is available, the IP address in square brackets is resolved by DNS lookup, demonstrating that basic DNS is functioning at the client. If DNS is not available, the ping program will pause for a few seconds and then indicate that it could not find the host google.com.
Try to use DNS to resolve the appliance host name

If you continue to experience DNS problems, determine whether DNS can resolve the appliance host name. Repeat the ping procedure described above but replace google.com with the host name of your appliance.

If ping finds:

  • No address for your host name, troubleshoot the DNS server that should be serving that host name. Try working around client connection issues by replacing the host name with the IP address of the appliance’s external interface.

  • An address for your host name, but no replies appear (Request timed out), ICMP echoes may be blocked at any hop between the client and the appliance.
Clear the ARP If you’ve recently assigned a new IP address to the appliance, be sure to clear the local Address Resolution Protocol (ARP) cache from network devices such as firewalls or routers. This ensures that these network devices are not using an old IP-to-MAC address mapping.
Troubleshooting tips for networking issues: hardware
Hardware Troubleshooting tip
Cables Check all network cables to be sure you don't have a bad cable.
Bypass the firewall

If you're using network address translation (NAT), you might be blocked by a firewall. Temporarily bypass the firewall by connecting a laptop to the appliance on the physical interface using a cable, and then verify network connectivity.

If this type of connection is impractical, try placing your laptop on the same network segment as the external interface of the appliance (to get as close to the appliance as possible).
Configure the switch port

If you experience network latency, such as slow SCP file copying or slow performance by the Web proxy or network tunnel service, the problem may be due to configuration differences between the appliance interface settings and the switch ports to which the appliance is connected. It’s possible for a switch to improperly detect duplex-mode settings (for example, the appliance is configured at full duplex but the switch detects half duplex). Cisco has documented such problems with its switches.

To resolve this problem, disable auto negotiation. Instead, configure the switch port to statically assign settings that match the appliance. You must check both switch ports and both appliance interface settings (internal and external, if applicable). If even one interface/switch port is mismatched, performance suffers.

If you are experiencing network latency but your appliance/switch ports are configured correctly, the problem lies somewhere else in the network. It could also be an application-level issue (such as slow name resolution on the DNS server being accessed by the Web proxy or network tunnel service).
Troubleshooting tips for networking issues: third-party solutions
Third-party solution Troubleshooting tip
Verify that traffic is not being filtered out

Review the contents of the log file /var/log/kern.iptables while a connection attempt is failing. If packets are reaching the appliance but are being dropped or denied by iptables (a firewall running on the appliance), review the iptables ruleset by running the following command:

iptables -L -n -v

Traffic that is filtered by iptables is logged but not forwarded to an external syslog server.