This is a troubleshooting guide for commonly found problems when trying to connect to a device remotely using SORACOM Napter. It covers common causes and how to isolate them using audit logs and SORACOM Peek.
Common Issues
SORACOM Napter has expired
SORACOM Napter enables remote access by setting a time limit for connectivity. The default setting is 30 minutes. If Napter has been connected for longer than 30 minutes, disconnect and reconnect. Please note that the unit of the duration parameter is seconds when creating remote access with the SORACOM API.
Network is blocking SORACOM Napter
When connecting from a company network, check with your network administrator to see if there are any restrictions such as a proxy or firewall that could be blocking traffic.
The TLS option is enabled even though TLS is not available for the protocol
Disable the TLS option when connecting via SSH or RDP.
The device port number set when creating SORACOM Napter is incorrect
The device port number defaults to 22 for SSH, 80 for HTTP, and 3389 for RDP.
Traffic is blocked by iptables, Windows Firewall, etc. on the device side
If you were able to connect via Wi-Fi or wired LAN, check to see if you have restricted the IP address range on the device.
You are trying to access with a protocol other than TCP, such as UDP or ICMP
Napter can only be used with TCP.
How to triage using Napter audit logs
With SORACOM Napter, you can use the Napter audit log function to determine how far a connection attempt got before remote access failed.
What are Napter audit logs?
Napter audit logs are stored for free for up to 24 hours. SORACOM offers the option, for a fee, to store them for 366 days.
How to retrieve and check Napter audit logs
1. Check the global IP address you are accessing from and specify it when enabling SORACOM Napter. Make a note of the assigned destination IP address and port number (123.456.789.12:3456 etc.)
2. Try to access using SORACOM Napter
3. Select [Napter Audit Log] from [Menu] on the upper left of the User Console
4. Check the event type being logged, such as CREATED
Causes and Resolutions for each event type
Each event type you can confirm in the log points to possible causes and countermeasures for the connection issue.
CREATED, DELETED, EXPIRED, etc. are logged but no ACCESS
ACCESS indicates that the connection has reached SORACOM Napter. If this event is missing, your network may be denying access to SORACOM Napter. Check whether access to the destination IP address and port number you noted earlier is permitted.
DENIED or REFUSED is recorded
DENIED indicates that access was denied by SORACOM Napter's access source IP address restriction function. REFUSED is logged when DENIED occurs in succession, and indicates that the access source IP address was blocked because the access was regarded as unauthorized. A common cause is that SORACOM Napter has expired. Enable remote access again and check whether you can connect. If you still cannot connect, check whether the IP address shown on the left side of 'Details' matches the access source IP address noted earlier. If not, the global IP address used in your network.
CONNECTED is logged
CONNECTED indicates that the device is reachable. If you cannot access the device even though the audit log shows CONNECTED, there are a few possible causes:
- The TLS option is enabled even though TLS is not available for the protocol
- The port number of the target device is wrong
- The destination device's routing gives priority to another interface, such as Wi-Fi or wired LAN
- iptables, Windows Firewall, etc. are blocking access on the destination device
- Applications on the destination device are not running
If there are no problems with the above, further investigation, such as packet analysis on the device, is needed. This can be done using SORACOM Peek.
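The event-type triage above, written out as an added example (not SORACOM's code). The record field names time, type and source_ip and the sample records are assumptions constructed for illustration, not the Napter audit log schema; treating an EXPIRED event logged before the first DENIED as the cause is this example's reading of the "common cause" above.

```python
from datetime import datetime

# Constructed sample records. The field names (time, type, source_ip) are
# assumptions for this example, not the Napter audit log schema.
SAMPLE = [
    {"time": "2024-05-01T10:00:00", "type": "CREATED", "source_ip": None},
    {"time": "2024-05-01T10:30:00", "type": "EXPIRED", "source_ip": None},
    {"time": "2024-05-01T10:31:10", "type": "DENIED", "source_ip": "198.51.100.7"},
    {"time": "2024-05-01T10:31:12", "type": "DENIED", "source_ip": "198.51.100.7"},
    {"time": "2024-05-01T10:31:15", "type": "REFUSED", "source_ip": "198.51.100.7"},
]

def triage(events, noted_source_ip):
    """Classify the latest remote-access attempt by the event types logged."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    # Only events from the most recent CREATED onward belong to this attempt.
    created = [i for i, e in enumerate(events) if e["type"] == "CREATED"]
    session = events[created[-1]:] if created else events
    types = [e["type"] for e in session]

    if "CONNECTED" in types:
        return ("device_side", "Device is reachable: check the TLS option, device "
                "port, interface routing priority, device firewall, application.")
    blocked = [e for e in session if e["type"] in ("DENIED", "REFUSED")]
    if blocked:
        first = session.index(blocked[0])
        if "EXPIRED" in types[:first]:
            return ("expired", "Remote access expired before the attempt: enable it again.")
        other = sorted({e["source_ip"] for e in blocked if e["source_ip"]} - {noted_source_ip})
        if other:
            return ("source_ip_mismatch", "Logged source " + ", ".join(other)
                    + " differs from the noted " + noted_source_ip + ".")
        return ("denied", "Source IP matches: enable remote access again and retry.")
    if "ACCESS" not in types:
        return ("network_blocked", "Nothing reached Napter: check that your network "
                "permits the assigned destination IP address and port.")
    return ("unclassified", "ACCESS without CONNECTED or DENIED: not covered above.")

if __name__ == "__main__":
    print(triage(SAMPLE, "198.51.100.7"))
```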
How to isolate the issue using SORACOM Peek
SORACOM Peek is a service that captures IP packets that pass through the SORACOM platform when communicating with devices using a Soracom IoT SIM. Customers can easily and safely capture packets using the API without having to prepare a server for packet capture. Please refer to the SORACOM Peek documentation to determine whether the packet has reached the SORACOM platform or whether there is a response from the device.
If you are still unable to identify the cause of the issue after performing the steps listed above, please contact us via support ticket with the following information included in the ticket:
- IMSI for the SIMs
- Details of the device you are using (manufacturer, model number, product name)
- Time when issue occurred
- Audit log output (screenshots are helpful as well)
- Details of the problem
- Packet capture (if possible) at the time of the event