managing twingate

Quick Start

Automated Deployment

Connectors

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies

Location requirements via geoblocking

Security Policies: Migration Guide

Policy Guides

Authentication

Device-only Resource Policies

Trusted Devices

Two-Factor Authentication

Devices

Client Application

Endpoint Requirements

Using Twingate

Managed Devices

Windows Client Migration to .NET 8

macOS & iOS

macOS standalone Client

Windows Managed Devices

Device Administration

1Password XAM Configuration

CrowdStrike Configuration

Device Security Posture Checks

Device Security Guide

Intune Configuration

Jamf Configuration

Kandji Configuration

Linux device ID migration

Manually Verified Devices

SentinelOne Configuration

Services

Headless Clients

Linux Headless Mode

Windows Headless Mode

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Admin Console Export

Audit Logs Schema

Network Traffic

Detailed Network Event Schemas

Network Events Admin Console Export

User Activity

Device Report

Syncing Data to AWS S3

Internet Security

Browser Security

NextDNS Integration

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Customer Network

MSP Billing

Cancel Your Subscription

Notifications

Troubleshooting

Device Failures

DNS Failures

Connector Failures

Firewall Failures

Split Tunnel Failures

additional resources

Help Center ↗

Need help?

Troubleshooting

Changelog

FAQ

Twingate Trust Center

Twingate & Customer Data

DORA Compliance

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Connector Failures

How to Troubleshoot Connector Issues

Connector and Remote Network Issues

Connectors are the critical gateways to your private Resources. If a Connector is offline, misconfigured, or unhealthy, access to all Resources within its designated Remote Network will fail (unless another working Connector is available on that Remote Network).

Common Symptoms:

An entire set of Resources in a specific Remote Network (e.g., “AWS US-East-1 VPC”) becomes unreachable for all users and/or disappears from Clients.
The Twingate Admin Console shows a Connector’s status as “Offline” or flapping intermittently between “Online” and “Offline.”
Connector logs contain repeating errors like “Invalid token,” “failed to get an access token,” or “Gone, code 410.”
Connector logs show “Failed to preconnect a relay listener” with a “Connection timed out” error.
ICMP traffic (ping) to Resources behind a Connector fails, even though connections to other services succeed.

How to Identify and Troubleshoot:

Use the Admin Console as Your Dashboard: The Connector details page is the single best place to check a Connector’s health.
- Navigate to the Remote Network, click on the suspect Connector, and review its details.
- Status: The most obvious check. If it’s “Offline,” the host is likely down or has lost internet connectivity.
- Time Offset: This is a critical but subtle metric. Twingate’s authentication protocol is sensitive to clock skew. In the Connector details, check the Time Offset value. If the absolute value is greater than 5 seconds, the Connector’s system clock is out of sync with global time. This will cause its authentication tokens to be rejected by the Twingate Controller, resulting in “Invalid token” errors and a flapping status.
- Resolution for Clock Drift: Ensure the Connector’s host machine is running a time synchronization service. chronyd is generally recommended over the older ntpd. This is a host-level configuration, not a Twingate configuration.
Check Connector Host Configuration:
- Ensure that the Connector was installed with the correct tokens. If tokens were regenerated in the Admin Console, the Connector must be reconfigured with the new tokens.
- Verify that only one instance of the Connector is running with a given set of tokens. Running multiple Connectors with the same tokens will cause conflicts and connection failures.
- Make sure the Connector software is up to date. Much older versions may have incompatibilities or be blocked.
- Verify that the host machine meets the hardware and OS requirements for running a Connector.
- Verify that the host OS allows outbound ICMP traffic if pinging Resources is required.
Dive into Connector Logs: The logs provide the ground truth for what a Connector is experiencing.
- You must enable detailed logging by setting TWINGATE_LOG_LEVEL=7.
- For systemd deployments, view logs with journalctl -u twingate-connector -f. For Docker, use docker logs <container_name> -f.
- Look for specific error patterns:
  - Invalid token: Almost always indicates a clock drift issue.
  - too many open files: The host system’s file descriptor limit (ulimit) is too low and needs to be increased.
  - Failed to preconnect a relay listener: This often indicates an outbound connectivity problem from the Connector host. It may be unable to reach Twingate’s Relay infrastructure, potentially due to a firewall or a lack of a public IPv4 address.
Verify Connector Host Connectivity:
- The host machine running the Connector must have outbound internet access to the Twingate infrastructure. Refer to the firewall requirements page for more information.
- The host machine must have a network route to the private Resources it is intended to serve. A common error is deploying a Connector in a VPC subnet that has no route to the subnet where a database or application server resides.

If the Connector is online and healthy, but performance is poor or connections are unreliable, the problem is likely in the network path between the Client and the Connector.

Last updated 4 days ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

Introduction to DNS

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

How to troubleshoot peer-to-peer connections

Encryption in Twingate

API

Getting Started with the API

Exploring the APIs

Introduction to tg CLI (JavaScript)

Introduction to the Python CLI

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Connector Best Practices

Aptible

How to Deploy a Connector on AWS

How to Deploy a Connector on Azure

How to Deploy a Connector on Linux

How to Deploy a Connector on GCP

K8s Helm Chart

Managed Connectors

Updating Connectors

How to Upgrade Connectors Running in AWS/Azure/Docker Containers

K8s Helm Chart Upgrades

Systemd Service Upgrades

Advanced Connector Management

Connector Details

Connector Health Checks

Connector Metadata

Real-time Connection Logs

Deployment Automation

Supporting Unqualified Domain Names