Service Tunnel Troubleshooting

Best practices for resolving Service Tunnel issues

  • Updated on May 04, 2022
  • 20 minutes to read
  • Contributors

This article describes features that are only available in the Banyan Enterprise edition.

Overview

This doc recommends steps to take if you encounter issues using Service Tunnel. Admins can find more information on our recommended Service Tunnel deployment method here.

Steps

If you’re unable to access resources protected via Service Tunnel, complete the following troubleshooting steps.

  • (A) Mac users

  • (B) Windows users

(A) Mac users

Step 1: Determine whether your Tunnel Service is Running

1.1 In Banyan’s Desktop app, navigate to Settings, and confirm that the status of your Tunnel Service is Tunnel Service Running:

1.2 If your Tunnel Service is not running, select Start.

Note: This step requires admin privileges, so you’ll be asked for an admin password.

1.3 If the Tunnel service doesn’t start or returns an error, run the following command:

launchctl unload -w /Applications/Banyan.app/Contents/Resources/conf/com.banyan.banyanwgs.plist

Note: If the above command fails with the error message below, uninstall and reinstall the Banyan app. If uninstalling and reinstalling the app doesn’t resolve the issue, see Step 4 below.

1.4 You should now be able to open the Banyan Desktop app and start your Tunnel Service. If this doesn’t work, see Step 4 below.

Step 2: Determine whether your Service Tunnel is Ready

2.1 Once you confirm that Step 1 is working, navigate from Services > Service Tunnels in the Banyan Desktop app, and ensure that your Service Tunnel is Ready.

2.2 If it is not ready, select Connect so that its status is Ready. You should now be able to access resources behind the Service Tunnel.

2.3 If the Service Tunnel shows as Ready and you’re still unable to access resources, complete Step 3.

Step 3: Troubleshooting connectivity

3.1 Run the following command on Terminal to validate the Banyan WireGuard service configuration:

sudo /Applications/Banyan.app/Contents/Resources/bin/wg

Output details:

  • peer: you should see the public key of the Access Tier (this can be confirmed by running the same wg command on the Access Tier)

  • endpoint: this should be in the following format– IP:Port

    • Verify that the IP address shown here is pointing to the Access Tier’s public IP address (if it doesn’t match the IP address, check the DNS entry for Access Tier’s domain name).
    • Verify the port shown is the same as the configured UDP Port Number on the Access Tier (also confirm this same port is open on the cloud provider side, e.g., Firewall configuration on GCP, Security Group configuration on AWS, etc.).
  • allowed ips: Confirm these CIDRs match the Backend CIDRs on the Access Tier Service Tunnel configuration (if the CIDRs don’t match, ensure that the configuration is correct).

  • latest handshake: This parameter indicates that the handshake was successful and that the tunnel is working. The value is periodically updated and it should not be more than 180 seconds. A higher value indicates that the tunnel is not currently working. (If you don’t see this section, it means that the tunnel was not established and needs further troubleshooting).

  • transfer: Every time you run this command, confirm that both counts are incremented (if both the received and sent counters are not incrementing, this would indicate that there are connectivity issues between client and the Access Tier, i.e. the Firewall or Security Group rules).

If the parameters in your output match the description, proceed to the next step.

3.2 Check your connectivity to the Access Tier:

Make sure you’re able to ping the CIDR with /32 from the allowed ips section (from the output of the above command):

ping <IP address> (Example: ping 10.113.0.0)

3.3 If the ping command fails, ensure that ping is enabled. If it is, check your network connectivity. If this is working, proceed to the next step.

3.4 Verify that the banyanwgs service is running through the following command:

sudo launchctl list | grep banyan

3.5 Now you have verified all Service Tunnel related configuration items. If all of the above are working correctly, and you’re still unable to access the resource(s) behind it, verify that you are able to resolve the host name or ping the IP address of your Banyan protected resource.

If you can’t resolve the host name, proceed to the next step.

3.6 Verify DNS configuration:

Run the command below to verify that the Domain and NameServers match the Service Tunnel configuration:

scutil --dns

3.7 Verify connectivity:

Once you’ve confirmed that the DNS resolution works, confirm whether you can send traffic to the IP addresses and ports behind the Service Tunnel. Some of the commands to verify the connectivity are as follows:

  • ping
  • nc
  • curl
  • tcpdump/wireshark

3.8 If none of the above steps work, proceed to Step 4.

Step 4: Contact Banyan Support

4.1 Provide the following information to Banyan Support:

Logs:

Output of the following commands:

  • sudo launchctl list | grep banyan
  • ps -el | grep banyan
  • sudo /Applications/Banyan.app/Contents/Resources/bin/wg
  • netstat -rn
  • ls -l /etc/resolver/`
  • cat /etc/resolver/<domain-name>`

(B) Windows users

Step 1: Determine whether Tunnel Service is Running

1.1 Open the Banyan Desktop app, and navigate to Settings to confirm that the Tunnel Service is Running.

1.2 If Tunnel Service is not running, select Start.

Note: This step requires admin privileges so you will be asked for an admin password.

1.3 If the Tunnel service doesn’t start or returns an error, please run the following commands:

  • (a) Stop the Banyan WireGuard service: sc stop banyan-wgs

  • (b) Delete the service: sc delete banyan-wgs

Note: If the above commands fail, uninstall and reinstall the Banyan Desktop app. If uninstalling and reinstalling the Banyan Desktop app doesn’t resolve the issue, refer to Step 4.

Step 2: Determine whether your Service Tunnel is Ready

2.1 Once you confirm that Step 1 is working, navigate from Services > Service Tunnels, and ensure that your Service Tunnel is Ready.

2.2 If it isn’t Ready, select Connect to ensure its status is Ready. You should now be able to access resources behind the Service Tunnel.

2.3 If the Service Tunnel is Ready and you’re still unable to access resources, complete the steps below:

Step 3: Troubleshooting connectivity

3.1 Run the following commands on the Windows command prompt to validate your Service Tunnel configuration:

  • (a) Navigate to C:\Program Files\Banyan\resources\bin

  • (b) Run wg

Output details:

  • peer: You should see the public key of the Access Tier (this can be confirmed by running the same wg command on the Access Tier)

  • endpoint: this should be formatted as follows– IP:Port Verify that the IP address shown here is pointing to the Access Tier’s public IP address (if it doesn’t match the IP address, check the DNS entry for Access Tier’s domain name). Verify the port shown is the same as the configured UDP Port Number on the Access Tier (also confirm this same port is open on the cloud provider side, e.g., Firewall configuration on GCP, Security Group configuration on AWS, etc.).

  • allowed ips: Confirm these CIDRs match the Backend CIDRs on the Access Tier Service Tunnel configuration (if the CIDRs don’t match, then please make sure the configuration is correct)

  • latest handshake: This parameter indicates that the handshake was successful and that the tunnel is working. The value is periodically updated and should not be more than 180 seconds. A higher value indicates the tunnel is not currently working. (If you don’t see this section, it means the tunnel was not established and needs further troubleshooting).

  • transfer: Every time you run this command, confirm both counts are incremented (if both the received and sent counters are not incrementing, this would mean connectivity issues between client and the Access Tier i.e. the Firewall or Security Group rules).

If the parameters in the output match the description, proceed to the next step.

3.2 Check your connectivity to the Access Tier:

Make sure you’re able to ping the CIDR with /32 from the allowed ips section from output of the above command:

ping <IP address> (Example: ping 100.110.0.0)

3.3 If the ping command fails, ensure that ping is enabled. If it is enabled and ping doesn’t work, check your network connectivity. If it’s working, proceed to the next step.

3.4 Confirm the banyanwgs service is running through the following command:

sc query banyan-wgs

If it is running, you should get an output with the STATE parameter as RUNNING.

3.5 Now you have verified that all the Service Tunnel related configuration items are correct. If all of the above are working correctly and you’re still unable to access the resource(s) behind it, verify whether you’re able to resolve the host name or ping the IP address of the respective Banyan protected resource.

If you can’t resolve the host name, proceed to the next step.

3.6 Verify DNS configuration:

Run the command below to verify whether the Domain and NameServers match the Service Tunnel configuration (this command needs to be run on Windows PowerShell):

Get-DnsClientNrptRule

3.7 Verify connectivity:

Once you’ve confirmed the DNS resolution works, confirm whether you can send traffic to the IP addresses and ports behind the Service Tunnel. Some of the commands to verify the connectivity are as follows:

  • ping
  • nc
  • curl
  • tcpdump/wireshark

3.8 If none of the above steps work, proceed to Step 4.

Step 4: Contact Banyan Support

4.1 Provide the following information to Banyan Support:

Logs:

Output of the following commands:

  • sc query banyan-wgs
  • C:\Program Files\Banyan\resources\bin\wg.exe
  • route PRINT
  • Get-DnsClientNrptRule
  • C:\ProgramData\Banyan\logs\bwgs-port-8119.log

Note: some of these steps will be taken care of in the upcoming release of the Banyan Desktop App.

Can’t find what you’re looking for?

We’re happy to help. Contact our team.