SafeLinx Server problems

Review the frequently asked questions and answers about problems with the SafeLinx Server.

Browse these questions, then link to the following answers.

Answers to the problems with the SafeLinx Server include:

  1. What are the file names of the log files and where are they located?

    SafeLinx Server log file locations and file names are configurable by using the SafeLinx Administrator.

    The default file names are:
    • wg.log - Message log
    • wg.trace - Individual users' trace log
    • wgmgrd.log - Access manager trace log
    • wg.acct - Accounting and billing log (when the SafeLinx Server is not configured to use relational database for storing accounting records)
    These files are by default in /var/adm/ on AIX and Linux. On Windows, these files are in the installation directory under the /logs subdirectory.
  2. How do I reset the log files?

    The message, trace, or accounting log files can be reset by using the SafeLinx Administrator. On the Resources tab, right-click the SafeLinx Server resource, then click Reset Log Files. Choose to reset All files or specific files.

    Resetting log files date/time stamps the current file in the format of wg.<logfilename>.$yy.mm.dd.hh.mm.ss.

    Message, accounting, and trace log files can also be reset from the command line by using the command:
    • chwg -r log to reset the message log file
    • chwg -r acct to reset the accounting and billing log file
    • chwg -r trace to reset the trace log file
    • chwg -r all to reset all of the files
    If you are collecting a new log for HCL Support, run a reset before re-creating any problem.
  3. Can I set the maximum size of the log files?

    You can set the maximum size of the message log file (wg.log) only. Click the Logging tab on a SafeLinx Server, then enter the maximum size of the message log file in MB. When the maximum file size is reached, the file is renamed in the form wg.log.bak.$date. The maximum number of backup log files is 10 and the maximum file size for each file is 1GB, but it is suggested for normal diagnostic purposes to use a file size of 100MB each.

    The logging subsystem checks for available space and automatically reduces the logging level as the file system nears capacity. An SNMP trap is fired (120284 WARNING for the accounting log) as the log level is automatically reduced.

    Store log and trace files in their own file system. These files are by default in /var/adm/ on AIX and Linux. On Windows, these files are in the installation directory under the /logs subdirectory. Use the operating system documentation to help you carry this task out.

  4. What should I check if SafeLinx Server logging stops?

    Check the size of the log files. Some operating systems have limitations on file sizes. If logging stops, reset the log files. On UNIX operating systems check that there is sufficient file space left. On Windows there might sometimes be a permissions issue which prevents the SafeLinx Server from writing to the wg.log file. See Technote 1981745 for additional information.

  5. How do I set the trace for an individual SafeLinx Client?

    In some cases, it is necessary to have a trace log for a specific SafeLinx Client. Use SafeLinx Administrator to activate the trace. Edit the User properties, click the Account tab, then click the Start trace box.

    To read the resulting wg.trace file, use the wg_trc command. This command is fully documented in the HCL SafeLinx Command Reference.

  6. How can I validate that traffic is routable between the SafeLinx Server and the SafeLinx Client?
    If the SafeLinx Client times out while trying to log on to the SafeLinx Server, validate that TCP/IP traffic is routable between the two:
    1. Disconnect the SafeLinx Client from the SafeLinx Server and stop the SafeLinx Server.
    2. Ping the SafeLinx Server after establishing a physical network connection. Since many firewalls, including desktop firewalls, filter ping and UDP, use wcecho to verify that the UDP path between the SafeLinx Client and SafeLinx Server is not obstructed by a firewall rule:
      1. Start the UNIX echo server for UDP, set it to the port number of the MNC (8889 by default) and verify that the echod daemon is running by issuing the command: netstat -an | grep 8889
        Note: For Windows systems, you must first download the Utilities for Subsystem for UNIX™-based Applications package before you can install the echo server.
      2. Establish the physical network connection on the client workstation.
      3. Start wcecho.exe, found in your SafeLinx Client installation directory, and target the echod daemon that runs on the SafeLinx Server workstation: wcecho -c 2 -i 1000 -p For example,
        C:\PROGRA~1\HCL\SAFELI~1>wcecho -c 2 -i 1000 -p 8889 hcaix123
        WCECHO hcaix123: (9.42.96.140) 64 data bytes via UDP port 8889
        64 bytes from 9.42.96.140: seq=1  time=0 ms
        64 bytes from 9.42.96.140: seq=2  time=0 ms
        -----hcaix123 WCECHO statistics-----
        2 packets transmitted, 2 packets received, 0% packet loss
        round-trip min/avg/max = 0/0/0 ms
        Once the wcecho test is successful, then stop the echod server and 
        restart the SafeLinx Server and verify the MNC is running
        On the SafeLinx Server machine issue netstat -an |grep  |more
        [hcaix123]:root:/>netstat -an |grep 8889 |more
        udp4       0      0  *.8889                 *.*
        [hcaix123]:root:/>
  7. How can I validate that IP traffic is routable between an enterprise application server and the SafeLinx Client?
    If an application times out while trying to run its transaction, validate that IP traffic is routable between the enterprise application server and the SafeLinx Client.
    1. First determine whether name resolution is required and, if so, is it working:
      1. Ping the destination host by IP address.
      2. Ping the destination host by host name and see whether an IP address is returned.

        If the ping by IP address works but ping by host name does not, then add your enterprise domain name system (DNS) to the mobile network interface (MNI) properties. This process is done on the SafeLinx Server. Then, reconnect the SafeLinx Client.

    2. Does the IP stack of the SafeLinx Client have a route table entry to direct the traffic into the SafeLinx Server system?

      On Windows systems, use the commands route print or netstat -nr. The route table needs entries to cover DNS and the destination application server.

    3. Does the destination server have a return route into the MNI on the SafeLinx Server? For example, Can you issue a ping from the destination server to the MNI address and get a positive response back? If your destination application server has an IP address of 10.120.15.20 and the SafeLinx Server's MNI address is 192.168.10.1, can a PING be completed between the Application Server and the SafeLinx Server's MNI? Sometimes PING to the SafeLinx Server is not allowed, in which case perhaps a Telnet command to the SafeLinx Server should be sufficient. If not, then the network routers need to be updated to be able to route IP traffic to the MNI address.

      If you are not using network address translation (NAT), then the enterprise routing infrastructure must be aware of your mobile network definition. Add routes where appropriate. The syntax varies depending upon platform but is generally: route add netmask gateway

    4. If you are using SafeLinx Server network address translator (NAT) on your MNIs, did you publish the NAT address by using the arp command of the operating system? For example,
      root@gw79:/#>arp -a
      wxp1e99.test.hcl.com (9.42.96.99) at 0:6:29:6c:9d:e2 [ethernet] 
      permanent published stored in bucket 6 
      
      
      A common mistake is not using the correct media access control (MAC) address. The MAC address must be that of the network interface card (NIC) connected to the destination network. Check firewall filters to ensure that the firewalls are not filtering out the application packets.
  8. What should I check when the initial configuration of the access manager fails or is canceled?

    On UNIX-based SafeLinx Servers a common cause for not being able to complete the Access Manager configuration is the inability to connect or properly configure the relational database, whether that is local or remote. In general there should be an error message issued by the SafeLinx Administrator in these situations, which gives clues as to the cause. On the SafeLinx Server system, review the wgated.conf file. On AIX or Solaris systems, this file is in /opt/HCL/SafeLinxServer. On Windows systems, this file is in \Program Files\HCL\SafeLinxServer. On Linux systems, the file is in /opt/hcl/SafeLinxServer/wgated.conf. Delete this file then restart the SafeLinx Administrator to configure the access manager again.

  9. What should I check when the SafeLinx Server does not start?

    Check all directory service parameters. The SafeLinx Server's parameters default to those parameters of the access manager. The currently logged in administrator's ID and password might be different from the logon information for the access manager.

  10. What should I do when the SafeLinx Server startup seems to be slow?

    Activate all message log levels, then monitor messages in the wg.log file to determine whether you have an X.25 problem. Your calls might be timing out or it might be a domain name system (DNS) problem. DNS problems include taking too long to resolve the host name, or experiencing a lookup failure.

  11. On AIX systems, what do I do when all or some groups of mobile devices fail to connect to the SafeLinx Server?
    Start by checking underlying devices: X.25, TCP, tty, or ISDN:
    • Use x25status, lsdev, and x25mon to verify X.25 connections
    • Use netstat -a to verify TCP connections
    • For X.25-based RDNs, verify incoming traffic at the X.25 level, by using x25status and x25mon
    • Monitor modem activity if you are using TTY- and ISDN-based RDNs
    Activate the message log and review wg.log for non-zero numerical return codes. These files are in /var/adm/ on AIX, Linux, or Solaris. On Windows, these files are in the installation directory under logs\.
  12. I cannot establish a connection from the SafeLinx Client. What should I check?

    SafeLinx Client operation depends on the network provider. Check:

    • Is there a validation problem? Are the user and mobile device defined to the SafeLinx Administrator? Is the password correct?
    • Does the IP address of the SafeLinx Client match one on an MNI subnet? If using DHCP, is there an address available?
    • Use the tail command to display the account log file and ensure that data is arriving from the SafeLinx Client.
    • Ensure that the mobile access services established communications with the network provider.
    • Check the status display on the SafeLinx Client to see whether it is receiving any packets. If so, there might be a message that indicates a problem. If not, there might be a configuration error.
    • If the mobile device uses a connection that displays signal strength and battery strength, check these values.
  13. There is a connection error between the SafeLinx Server and the SafeLinx Server Administration Portlets. The connection was dropped because of an XML parser error. What do I do?

    If you are using a globalization other than English, make sure that the Unicode Transformation Format-8 (UTF-8) support is installed on the operating system of the SafeLinx Server workstation.

  14. The wg_acct command stops running after an extended period. What do I do?

    When the SafeLinx Server is configured to use a database for accounting and billing data, and the wg_acct command is used with the -f flag to display the accounting data, the wg_acct command can stop running. This problem does not affect the integrity of the accounting and billing data nor does it affect the running of SafeLinx Server or access manager processes. No action is required after the problem occurs and the wg_acct command can be restarted. This problem was observed only on AIX 5.1.

  15. On Windows systems after disabling the SafeLinx Server network connection, the SafeLinx Server does not operate. What do I do?

    Enable the network connection, then restart the SafeLinx Server. To enable the network connection, click Start > Settings > Network Connections. Right-click the SafeLinx Server, then click Enable. Then, restart the SafeLinx Server.