Skip to main content

Troubleshooting Issues

Basic Connectivity Requirements

If you receive an error regarding the virtual appliance not being able to communicate with Autotunnel cloud infrastructure, this typically means that either the virtual appliance has no internet connectivity (including DNS), or that communications are being filtered by an upstream device. The following IP addresses and ports must be allowed through any upstream firewalls in order for the virtual appliance to be able to communicate with Autotunnel cloud infrastructure:

  • Autotunnel Registry:
    • on UDP port 4270
    • on UDP port 4270
  • Autotunnel Controller:
    • on TCP port 443
  • Outbound DNS access:
    • Outbound to your configured DNS servers

Of course, the virtual appliance must also be permitted to communicate with the remote peers public IP address in order to establish the tunnel. This will typically take place over UDP port 4270, but could change depending on if the port is already in use, or the NAT configuration of any upstream devices.

The error you receive on the virtual appliance should help you narrow down where the connectivity issue is.

Peer Not Ready

This error means that you have successfully authenticated with the Autotunnel Controller and are ready for tunnel negotiation, but the remote peer is not. At this point the remote peer should ensure that their virtual appliance is set up correctly and resolve any outstanding errors on their side. Once any errors have been resolved, the process of negotiating the tunnel will automatically resume.

Tunnel Establishment Failed

If your virtual appliance attempts to establish a tunnel, but fails, first ensure that the Basic Connectivity Requirements have been met and that there are no errors related to connectivity to the Autotunnel cloud infrastructure.

Next, ensure that the shared secret set on both sides match. To do this, compare the "Secret fingerprint" listed on the virtual appliance main screen with that of the remote peer. If both fingerprints are the same, this means the shared secrets match. If the values do not match, there's likely been a typo when entering the secret, and you should confirm the shared secret and set it again by pressing the S key.

Secure Secret Generation

Secure secret generation is intentionally designed to be computationally expensive for security reasons. If the virtual appliance doesn't have sufficient memory, the secure secret generation process may take an excessive amount of time, rather than the few seconds it should typically take. Ensure that the virtual appliance is allocated at least 2 GB of memory to avoid this problem.

Advanced Troubleshooting

Some users may want to perform more advance troubleshooting activities using tools such as ping, traceroute, tcpdump, etc; or may find it useful to view logs on the virtual appliance. To obtain terminal access simply hit ALT+F2 and log in using the default credentials autotunnel:autotunnel. The autotunnel user has sudo access.


Other than for the purposes of running basic troubleshooting commands and changing the default password, we do not recommend making any changes to your virtual appliance via the terminal. We cannot provide support for virtual appliances that have had their configuration modified from the factory default.