Administration Troubleshooting
This document attempts to cover some of the most common issues people run into using Twingate, and how to resolve them.
Known Incompatibilities
We do our best to make our software compatible with most products and services that are used in the corporate environment. However, some products are not compatible at this time, generally because they are trying to use the same system functionality that we require for operation.
- Cisco Umbrella is currently incompatible due to conflicts around DNS resolution. If both Twingate and Umbrella are installed, neither will likely work properly. Umbrella must be uninstalled or permanently disabled from launching (not simply exiting the program) for Twingate to work properly. Other similar products, such as DNSFilter are compatible with Twingate.
Cisco AnyConnect with Umbrella Module
Cisco Umbrella can be replaced by its more modern counterpart: Cisco AnyConnect (with the Umbrella Module). The upgrade is reported to be free of charge and the Cisco AnyConnect Client is fully compatible with the Twingate Client.
- Most VPNs and VPN-like software, for example other ZTNA solutions, are not compatible with Twingate because we are both trying to forward the same network traffic. Enterprise VPNs will generally not interfere with Twingate unless they are actually connected, but many consumer VPNs (e.g., TunnelBear, NordVPN, ExpressVPN) attempt to run in the background all the time, even if they appear to be disconnected, and will not let Twingate connect. if you are having connectivity issues with your client and have any VPN software installed, even if you do not think it is running, we strongly recommend you do a full uninstall and see if that resolves the issue.
- NetBIOS name resolution (e.g.,
\\MYCOMPUTER
) will not work on Windows Workgroup networks because it relies on broadcast communications. It will work on domains powered by a domain controller. As a workaround, you can type in the IP manually (e.g.,\\192.168.1.6
) and connections should work normally. We are currently working on a fix and expect to have this working shortly. - AD Domain joins are not supported currently, but most other Active Directory operations are, including access for devices that are already domain-joined.
- Some security software like MalwareBytes and Trend Micro have incompatibilities in how their web protection analyzes URLs that users are visiting. Turning off the web protection feature should resolve the issue, the core anti-malware functionality remains compatible.
- Connectors hosted in China can sometimes be impacted by local restrictions imposed within China. This is because Connectors maintain outbound connections to our GCP-hosted Relay infrastructure, and connections to GCP may be subject to those restrictions.
- Google Workspace as an IdP for users in China is not supported as local restrictions imposed within China block connections to some of Google’s services, including Google Workspace and Gmail.
Unsupported Use Cases
- Twingate clients can only initiate connections to remote servers on the private network, they cannot receive connections initiated by machines on the private network. Clients do not get their own IP addresses like a typical VPN and hence cannot receive inbound connections from the private network. It is very rare for a modern enterprise application to require inbound connectivity to clients, though some VoIP software still works this way. If you think you might be in this situation, please contact us as we may be able to offer an alternative solution.
Troubleshooting Checklist
If you encounter an issue setting up Twingate, following some simple steps can save you time and reduce the amount of diagnostic steps required if you contact our support team.
The first step is to identify what component is not working correctly:
- If the Remote Network of the Resource shows up in red on the Admin Console, that means the Connector is not working correctly.
- If the Remote Network is green but clients do not show the Resource in question in the Resource list (in the tray menu) when signed in, it is likely a permissions problem. Make sure that the user is in a Group that contains the Resource. If the client does not show the Resource, it will not be reachable.
- Try to use a different machine to connect to the Resource to isolate the problem. Macs and especially Windows PCs may have third-party programs running that can interfere with our private connection, so using an iOS or Android device can be very helpful as a debugging tool to isolate any interference from third party software. If other clients work, the issue is on the user’s specific device.
If none of these steps helped:
- If possible, log into the machine running the Connector and attempt to initiate a connection to the Resource’s DNS name or IP address in the same manner as your client. If it fails, that is almost certainly the root cause of any connectivity issues. All connections flow through the Connector, so you cannot connect to a Resource that the Connector for its Remote Network cannot reach.
- If you are trying to access a Resource by a DNS name, remember that the exact name or a wildcard that matches it must be defined in the Admin Console. This is the case even if the IP address the name resolves to is defined as a Resource, for example if
test.yourcompany.int
resolves to10.0.0.15
and you have10.0.0.0/24
defined as a Resource in Twingate, the connection will fail unless you also addtest.yourcompany.int
as a Resource. Wildcards also must be defined carefully, for example*.yourcompany.int
does not matchyourcompany.int
, only subdomains of that domain. - Many web applications connect to other domains “under the hood,” often without the user’s knowledge. If an internal web application is not functioning correctly, try creating a broader wildcard DNS zone, and seeing if that helps. For example, if
yourapp.yourcompany.int
is not loading correctly, try defining*.yourcompany.int
. Note that we do not recommend leaving it this way as overly broad permissions do not comply with zero trust best practices, but you can use network analytics to determine what other domains are being connected to, and then define those more precisely.
How to Collect Logs
If you can’t figure out the issue, our support team is here to help! You can contact us via email or via chat in the Admin console. The first thing we will likely ask you to do is to send us the Client application logs from the Client and/or Connector experiencing the issue, so it’s best to provide them at the beginning when contacting us.
For Connector logs, you will need to redeploy the Connector with a setting that turns on more verbose logging:
- For a Connector deployed as a
systemd
service, add the lineTWINGATE_LOG_LEVEL=7
to your/etc/twingate/connector.conf
, then restart the service by runningsudo systemctl restart twingate-connector
. Retrieve the logs by runningsudo journalctl -u twingate-connector
. - For a Connector deployed as a Docker container, redeploy the Connector, adding the argument
--env LOG_LEVEL=7
to thedocker run
command. Retrieve the logs by runningdocker logs [ID of container]
.
Please make sure to replicate the issue you experienced after detailed logging is turned on, and note the time where the issue occurred so our support team can cross-reference with the logs.
Last updated 3 minutes ago