Q. Mobile user cannot authenticate to the gateway (Active Directory user)
A. When a user cannot log into the Blue Cedar Connect Gateway and authenticate using an Active Directory server, the problem could be that the gateway has cached a set of credentials that are no longer available or used. To remove any stale user credentials from the gateway's cache so it can be refreshed with newer credentials, use this template:
> request clear-active-directory-cache
result "The cache has been emptied successfully.";
Note: Clearing the cache does not disconnect currently connected users; they can still access the gateway until it is rebooted. Consequently, clearing the cache only takes effect when users log in again.
Q. Traceroute operation not permitted
A. When checking the route that a packet takes, the traceroute command returns this error:
> network traceroute 10.10.99.99
Initiating traceroute (Ctrl-C to cancel)...
traceroute to 10.10.99.99 (10.10.99.99), 30 hops max, 60 byte packets
send: Operation not permitted
This error indicates that the packet is being routed out the public interface to an external server. Such routes are not allowed: traceroute is intended to find the route that a packet takes via the private interface.
Q. Cannot authenticate to the gateway after configuring search-order number for Active Directory
A. As explained in Step 2: Defining the search order of the configured authentication providers, the gateway uses a chain of authentication providers to validate user requests. When a client makes an authentication request, the gateway starts with the appropriate auth-group (which is local) and then queries the auth-provider with the lowest search-order to validate the request.
If the gateway receives a "No such user or resource" result from the auth-provider, the gateway continues on to the next auth-provider in the sequence until it receives a definitive success or error and then returns the result.
However, if there is a user in the local auth-provider named "Administrator", and the search-order of local is less than the search-order of an Active Directory (AD) server, this can cause the gateway to attempt a query of the AD domain instead of allowing the administrator to log into the gateway.
To avoid this, configure the local auth-provider with the lowest search-order number, which is 0, so that local accounts are checked before any AD server. This best practice avoids the undesired login behavior of the gateway.
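The chain semantics described above, as an added Python simulation that is not the gateway's own code: provider names, the sample accounts and the AD-side "Administrator" entry are constructed to show why local must carry the lowest search-order.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NO_SUCH_USER = "No such user or resource"   # the only result that falls through


@dataclass
class AuthProvider:
    name: str
    search_order: int
    users: Dict[str, str]   # username -> password (constructed sample data)

    def authenticate(self, user: str, password: str) -> str:
        if user not in self.users:
            return NO_SUCH_USER
        return "success" if self.users[user] == password else "error: bad password"


def resolve(providers: List[AuthProvider], user: str, password: str) -> Tuple[Optional[str], str]:
    """Walk providers in ascending search-order; stop at the first definitive success or error."""
    for provider in sorted(providers, key=lambda p: p.search_order):
        result = provider.authenticate(user, password)
        if result != NO_SUCH_USER:
            return provider.name, result
    return None, NO_SUCH_USER


# Constructed: the local gateway admin and a domain account that happens to share the name.
LOCAL = {"Administrator": "local-admin-pw"}
AD = {"Administrator": "domain-admin-pw", "alice": "alice-pw"}


def misordered() -> List[AuthProvider]:
    # AD is consulted first, so its definitive "bad password" halts the chain.
    return [AuthProvider("ad", 0, AD), AuthProvider("local", 1, LOCAL)]


def recommended() -> List[AuthProvider]:
    # Local at search-order 0: local accounts answer before any AD query.
    return [AuthProvider("local", 0, LOCAL), AuthProvider("ad", 1, AD)]


if __name__ == "__main__":
    print(resolve(misordered(), "Administrator", "local-admin-pw"))
    print(resolve(recommended(), "Administrator", "local-admin-pw"))
    print(resolve(recommended(), "alice", "alice-pw"))  # falls through local to AD
```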
Q. Blue Cedar-secured apps cannot access the desired internal corporate resources
A. This occurs after a secured app has authenticated to the gateway.
The gateway assigns each secured app an IP address either from a local static IP address pool or from a DHCP server. These IP addresses must have access to the desired internal corporate resources/servers/services. However, the corporate firewall may not be set correctly to allow access for these IP addresses.
Add or modify the appropriate firewall rules and Access Control Lists to allow secured apps to gain access to the desired corporate resources or services.
Q. My CLI script stopped running and I don't know why
A. This occurs while the CLI is in operational or configuration mode.
Most likely the CLI script contained a CLI command that prevented the script from running to completion. At this point, you would not know where in the CLI tree structure the script stopped or which mode (configuration or operational) the CLI is still in.
From the gateway prompt, enter one of the following:
top (returns you to the top level of either mode), or
? (shows the level and location in the tree structure at which the script stopped).