MS tunnel gateway problem

Tahir Vahid 65 Reputation points
2024-06-03T10:13:53.1433333+00:00

I have created an MS Tunnel Gateway server on Ubuntu 22.04.4 LTS.

In the Intune dashboard the server displays as healthy.

Installed certificates, from my on-prem CA.

The root certificate is installed on devices as a trusted root.

When I try to connect from Android MS Defender I get the error: unable to check certificate.

On server:

worker: warning: Discarded message[0] due to invalid decryption

GnuTLS error (at worker-vpn.c:888): Decryption has failed.

Any help appreciated.


5 answers

  1. ZhoumingDuan-MSFT 14,315 Reputation points Microsoft Vendor
    2024-06-04T02:11:16.8033333+00:00

    @Tahir Vahid, thanks for posting in Q&A.

    From your description, I know you got some error on MS Tunnel Gateway.

    To clarify the issue, please check the following information.

    1. Check whether the root certificate has expired in the Intune portal.

    2. Check the TLS certificate status in the Intune portal. In the Microsoft Intune admin center, go to Tenant administration > Microsoft Tunnel Gateway > Health status. Select your server and then open the Health check tab to view the server's health status metrics.

    3. Re-install the app and reboot the server to see if the issue can be fixed.

    https://www.reddit.com/r/Intune/comments/s6x9of/microsoft_tunnel_gateway_was_working_fine_now_isnt/

    Please check the above information; if there is any update, feel free to let me know.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Tahir Vahid 65 Reputation points
    2024-06-04T04:49:06.41+00:00

    Thank you for the reaction.

    The installation is fresh; I did it three times, to check.

    This info is from the Intune portal.

    CPU usage Healthy 0%

    CPU cores Healthy 4 cores

    Memory usage Healthy 6%

    Disk space usage Healthy 37.61 GB available of 51.29 GB

    Latency Healthy 0 ms

    Management agent certificate Healthy Certificate expires in 359 days

    TLS certificate expiration Healthy Certificate expires in 726 days

    TLS certificate revocation Healthy The TLS certificate is not revoked.

    Internal network accessibility Healthy Internal resource is reachable.

    Upgradeability Healthy Server can contact the Microsoft Container Repository.

    Server version Healthy Up to date

    Server container Healthy The server conatiner status is healthy.

    Server configuration Healthy The server configuration was successfully applied.

    Server logs Healthy Server logs have been uploaded in the last 60 minutes.


  3. Roman Mudra 0 Reputation points
    2024-09-23T14:22:14.9633333+00:00

    Hello @Tahir Vahid

    Did you manage to resolve this issue?

    worker: warning: Discarded message[0] due to invalid decryption

    GnuTLS error (at worker-vpn.c:888): Decryption has failed.

    We recently started to get the same errors on our end.

    Thank you


  4. BERNIER Mathieu 0 Reputation points
    2024-09-24T07:40:18.95+00:00

    We have the issue here.


  5. Matt Rioux 0 Reputation points
    2024-11-24T16:52:38.1833333+00:00

    Hi, to those experiencing a TLS error: our site saw this as well when using our internal PKI infrastructure. We ended up resolving this by adding the entire PEM-encoded trusted root to our .pem file. The output in the .pem will look something like this.

    -----BEGIN CERTIFICATE-----
    PEM-encoded web certificate
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    PEM-encoded intermediate CA certificate
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    PEM-encoded root CA certificate
    -----END CERTIFICATE-----
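
A pre-deployment check for the bundle layout described in the last answer (server certificate, then intermediate CA, then root CA), as an added example that is not part of the original thread or of Microsoft's tooling. It compares issuer and subject names only and does not verify signatures or validity dates; the function names and the skeleton sample certificates are constructed for illustration.

```python
import base64, re
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read the DER element at pos; return (tag, start, end) where start..end spans its value."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_and_issuer(der):
    """Return the raw DER subject and issuer Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE: step inside
    _, pos, _ = _tlv(der, pos)      # TBSCertificate SEQUENCE: step inside
    tag, _, end = _tlv(der, pos)    # [0] version if present, otherwise serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)  # serialNumber follows the version
    _, _, iss = _tlv(der, end)      # skip signature algorithm; issuer starts at iss
    _, _, val = _tlv(der, iss)      # issuer ends where validity starts
    _, _, sub = _tlv(der, val)      # skip validity; subject starts at sub
    _, _, spk = _tlv(der, sub)      # subject ends where the public key starts
    return der[sub:spk], der[iss:val]

def check_bundle(pem_text):
    """List problems with a .pem expected to hold leaf -> intermediate(s) -> root, in order."""
    names = [subject_and_issuer(base64.b64decode(b)) for b in PEM_CERT.findall(pem_text)]
    if not names:
        return ["no PEM certificates found"]
    problems = ["only one certificate: the CA chain is missing"] if len(names) == 1 else []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:  # byte-for-byte Name comparison
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-issued root")
    return problems

# Constructed sample data: skeleton certificates carrying only the fields read above.
def _der(tag, body):  # one-byte lengths only, enough for bodies under 256 bytes
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body
def _skeleton(subject_cn, issuer_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") \
        + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b"")
    pem = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{pem}-----END CERTIFICATE-----\n"
LEAF = _skeleton("tunnel.example.test", "Example Issuing CA")
INTERMEDIATE = _skeleton("Example Issuing CA", "Example Root CA")
ROOT = _skeleton("Example Root CA", "Example Root CA")
```

`check_bundle(LEAF + INTERMEDIATE + ROOT)` returns an empty list, while a leaf-only bundle or a bundle that skips the intermediate returns the corresponding problems.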
