Troubleshooting Remote Access Errors

1.0 General Remote Access to Realm/Solaris and Realm/Linux Applications
  1.1 Why can't I print to my local printer from my remote-access session?
  1.2 Are there Realm applications that do not work well remotely?
  1.3 What does the error message, "Can't open display," mean?
  1.4 What does the error message, "Xlib: connection to 'engr01ras.eos.ncsu.edu:10.0' refused by server Xlib: Client is not authorized to connect to server," mean?
  1.5 I can't connect with my firewall enabled. What ports are needed for SSH?
  1.6 I am getting one of the following error messages:
"Xlib: PuTTY X11 proxy: wrong authentication protocol attempted"
"Xlib: PuTTY X11 proxy: MIT-MAGIC-COOKIE-1 data did not match"
"X11 connection rejected because of wrong authentication"
  1.7 What do the following error messages mean?
"Unable to open connection to remote.eos.ncsu.edu. Network error connection refused."
"ssh: connect to host remote.eos.ncsu.edu port 22: Operation timed out"
2.0 General Secure File Transfer
  2.1 I can't connect with my firewall enabled. What ports are needed for SCP/SFTP?
3.0 General AFS Access
  3.1 AFS access is very slow, has frequent disconnects, hangs up the computer or generates lots of errors.
  3.2 If I turn on my Firewall, AFS access breaks.
     
Windows Specific
  4.5 "X connection to engr03ras.eos.ncsu.edu:11.0 broken (explicit kill or server shutdown)."
5.0 Secure File Transfer from Windows
  5.1 How do I enable debugging in F-Secure?
  5.2 How do I enable debugging in WinSCP?
  5.3

Why does WinSCP/F-Secure error/hang after successfully logging in?
F-Secure gives the following error: "File transfer server could not be started or it exited unexpectedly. Exit value 0 was returned."
WinSCP: "Recieved too large SFTP packet. Max supported packet size is XXXXX bytes. This error is typically caused by message printed from startup script (like .profile). This message may start with..."

6.0 AFS Access From Windows and WolfCall
  6.1 What does the following error message mean: "Starting the AFS Service failed:[1] Windows-StartService:The dependency service does not exist or has been marked for deletion."
  6.2 "Offline Folders" or other File Searching Operations break horribly with a Windows AFS Client.
     
Macintosh Specific
     

1.0 General Remote Access

1.1 Why can't I print to my local printer from my remote-access session?

Your application is not actually running on your computer. It is running on the remote access server. In order to print out your work, print it to a file, download the file using scp or sftp, and print it on your local printer.

1.2 Are there Realm applications that do not work well remotely?

Some applications simply do not work well over a remote connection and should be run in campus labs or with a user-owned copy of the program. This is not to say that the application will not load, just that it will be extremely slow and prone to crashing.

Matlab

1.3 What does the error message, "Can't open display," mean?

The client application is trying to forward its display to somewhere other than the SSH/X11 tunnel and is not getting a response. This usually only happens when X11 forwarding is not being used. When someone is using X11 forwarding, information is passed to the remote access server from the SSH client and the $DISPLAY variable is set to a non-existent display on the remote access server. The remote access server then automatically acts as a proxy and sends the X11 applications GUI through the encrypted SSH tunnel.

The reasons may be that you:

  • Do not have X11 forwarding/tunnelling turned on. See PuTTY / F-Secure instructions for Windows Clients. See Recommended SSH Settings for Macintosh/Linux clients.
  • Changed the $DISPLAY variable from the default. Let the SSH Client set it.

Other error messages that are application specific, but which the info above applies to:

  • Adams
    appbar.exe: cannot connect to X server unix:0.0
  • ANSYS
    Application initialization failed: no display name and no $DISPLAY
    environment variable
  • ArcView
    ------------------- TRACEBACK -------------------------
    Module "X " Message 2: file "err.c " line 453
    Module "Dsply" Message 0: file "./xdsply.c" line 102
    Module "Err " Message -1: file "err.c " line 1489
    -------------------------------------------------------
    ERROR Cannot open display "engr10ras.eos.ncsu.edu:0.0"
    while Initializing windowing environment
    EXITING cannot recover from error
  • Cadence
    *ERROR* X Window Display Initialization failure
    *WARNING* X Window Display Initialization failure
  • emacs
    emacs: Cannot connect to X server engr10ras.eos.ncsu.edu:0.0.
    Check the DISPLAY environment variable or use `-d'.
    Also use the `xhost' program to verify that it is set to permit
    connections from your machine.
  • Netscape
    Gtk-WARNING **: cannot open display:
  • Photoshop
    Fatal Error: Unable to open display. Exiting...
  • Slickedit
    Visual SlickEdit: Can't open connection to X. DISPLAY='<Default Display>'

1.4 What does the error message, "Xlib: connection to 'engr01ras.eos.ncsu.edu:10.0' refused by server Xlib: Client is not authorized to connect to server," mean?

This error is very similar to the above error. The cause of the actual error is that the $DISPLAY variable is set to a display greater than 10 on the remote access server, but X11 forwarding is not enabled. As a result, the application actually tries to display on the server instead of being proxied. Since the remote access servers don't run X (and you wouldn't be allowed to display on them even if they did), the connection is refused.

1.5 I can't connect with my firewall enabled. What ports are needed for SSH?

TCP port 22 outbound is the only port that needs to be open for contacting the remote access server. However, in order for an X application to be tunneled through that connection, you need to also be able to communicate on the loopback interface.

1.6 I am getting one of the following error messages:
"Xlib: PuTTY X11 proxy: wrong authentication protocol attempted"
"Xlib: PuTTY X11 proxy: MIT-MAGIC-COOKIE-1 data did not match"
"X11 connection rejected because of wrong authentication"

The issue is that you do not have write access to your AFS Home Directory (or K: Drive). This is either because of being over quota or the permissions are not correct. Typing quota at the command line will tell you your quota; typing fs la at the command line will display the permission on the directory.

There are files in the root of your AFS Home Directory that store information that are used when tunnelling an X11 session through an SSH connection. If you are over quota or have lost access to that space, then the files can't be written.

1.7 What do the following error messages mean?
"Unable to open connection to remote.eos.ncsu.edu. Network error connection refused."
"ssh: connect to host remote.eos.ncsu.edu port 22: Operation timed out"

The failure point is in the SSH Client attempting to connect to the remote access server. Possible causes include: incorrectly setup DNS, blocked ports, a non-integrated proxy server, or a misconfigured local firewall (something like the Windows XP Firewall or IPChains) on the workstation.

1. DNS resolution is needed for the current SSH Client setup since the addresses of the remote access servers are actually round-robin DNS pools, and the hostname is what the SSH Client has as its host argument. An attempted nslookup hostname on the box should be able to determine if this is the problem.

2. If you are implementing a firewall not on the local machine, port 22 outbound is the only open port needed from the firewall. When using X forwarding, the X connection is completely transparent to the firewall as it is tunnelled through the ssh connection.
Windows Only: The connection methods we use do not require port-forwarding to be set. Starnet's website refers to the need for this, but it is not applicable to our situation. Their website talks almost exclusively about using XDMCP for connections, and in that case, it would probably require port-forwarding. But since we only use XWin32 to display connections forwarded on the localhost, there is not a problem there with XWin32.

3. The definition of a "proxy" server is "a single server that sits in between the client workstation and the resource it is trying to access," a very general meaning. In private networks that have multiple connections to the Internet, to make use of all of the connections, you must have a NATing box or router along all of the network paths (routers connected in parallel), or the paths must converge at a single point supporting NAT. The first may or may not use proxy (i.e., for http caching or filtering, which would be a user-defined proxy). The second of the possibilities above would be very simple to implement since the proxy would be integrated with normal routing.
Windows Only: Here is information on using Proxy with PuTTY and F-Secure (under Section 3.6: Firewalls).

4. Windows-based local firewalls are all different, but the default for some local firewalls stop traffic even on the localhost. If one is being used, then disabling that before further troubleshooting is required.

 

2.0 General Secure File Transfer

2.1 I can't connect with my firewall enabled. What ports are needed for SCP/SFTP?

Since SCP is essentially just SSH (SFTP is slightly different but uses the same port), TCP port 22 outbound is the only port that needs to be open for contacting the remote access server.

 

3.0 General AFS

3.1 AFS access is very slow, has frequent disconnects, hangs up the computer or generates lots of errors.

AFS access requires a fast, always on Internet connection like DSL or a Cable Modem and is intended only for those who need constant access to AFS storage. AFS access over dialup will be very poor if at all. SCP/SFTP is recommended over AFS for casual use or for slow connections.

3.2 If I turn on my Firewall, AFS access breaks.

AFS and firewall specific issues are covered in Interoperation with Firewalls. Note that this site is targeted at the Windows OpenAFS client, but is applicable to all OS's.

 

4.0 Realm/Solaris and Realm/Linux Applications on Windows

4.1 What Realm/Linux applications have problems being remotely accessed from Windows?

Certain Linux programs merge the X resources information when accessing the application. This currently breaks X11 Tunneling when used in conjunction with XWin32. The following applications, if using a Windows SSH Client with Xwin32 from a Linux remote access server, will not work at the present time.

XTRACS

4.2 Why do I still have problems when I re-installed XWin32 and my SSH client?

Installers for most Windows applications are very smart these days. Sometimes they are too smart. This issue is a configuration problem in XWin32 or your SSH client. When you re-install the application on top of itself, the installer sees those incorrect settings and assumes that you want to keep them, so re-installation is only useful in cases where the files get messed up. Un-install before re-installing.

4.3 "XWin32 has generated errors and will be closed by Windows."

Unfortunately, this error is due to an instability in the operating system and is not a remote access problem. This error appears when attempting to run an application back to the remote display. XWin32 closes and the application is never displayed. Ttry some basic computer maintenance including:

Reboot
Run chkdsk on the system drive
Virus-check the system drive
Search for AdWare/Spyware (try Ad-Aware or Spybot)
Download the newest OS Service Packs
Defrag the system drive
Re-install XWin32

4.4 How do I enable debugging in PuTTY?

PuTTY has built-in debugging that is available under Session -> Logging. Note that you need to load the session you are going to use prior to setting the Logging settings. Logging settings are part of a session's configuration.

4.5 "X connection to engr03ras.eos.ncsu.edu:11.0 broken (explicit kill or server shutdown)."

The client application cannot contact the X-Server (XWin32 on Windows). This could be for any number of reasons. Some possible ones include:

 

5.0 Secure File Transfer from Windows

5.1 How do I enable debugging in F-Secure?

F-Secure has built-in debugging that is available under Help -> Debugging. Logging to a file and setting the debug level to 4 should be adequate to determine errors in most situations.

5.2 How do I enable debugging in WinSCP?

WinSCP has built-in debugging that is available only if you check the "Advanced Options" checkbox. Then it is placed under Session -> Logging.

5.3 Why does WinSCP/F-Secure error/hang after successfully logging in?
F-Secure errors with a "File transfer server could not be started or it exited unexpectedly. Exit value 0 was returned."
WinSCP: "Recieved too large SFTP packet. Max supported packet size is XXXXX bytes. This error is typically caused by message printed from startup script (like .profile). This message may start with..."

SCP and SFTP are file transfer protocols are are based entirely off of
SSH. In fact SCP on *nix OS's is just a wrapper that passes extra command line parameters to the SSH binary. When connecting to a remote host (on this campus) with SSH, you get a login shell that sources the same dotfiles as when logging in to a Solaris or Linux lab machine. Both SCP and SFTP source those same files.

Therefore adding certain lockers or running certain programs at login time by changing your UNIX dotfiles (.mycshrc, .cshrc, and .login) can cause SFTP/SCP programs to error/hang.

 

6.0 AFS Access From Windows and WolfCall

6.1 What does the following error message mean: "Starting the AFS Service failed:[1] Windows-StartService:The dependency service does not exist or has been marked for deletion."

In order for the AFS Client to function, two services must be installed (Workstation and Server) on the computer and bound to the NIC. Check your list of services on the computer by right clicking on My Computer, then select "Manage." In the window that comes up, select the plus sign next to "Services and Applications," then click "Services."

If "Workstation" is not listed, go to Start -> Settings -> Network and Dial-Up connections. Then right click NIC you are using for AFS, "Local Area Connection" (or similar) and go to Properties. Once there, check "Client for Microsoft Networks" and hit install.

If "Server" is not listed, go to the same location above and install "File and Printer Sharing for Microsoft Networks."

More information is available on the Wolfcall Locking down NetBIOS and Microsoft Loopback Adapter pages.

6.2 "Offline Folders" or other File Searching Operations break horribly with a Windows AFS Client.

Windows will follow all UNIX-style symbolic links. This means that you can, if you are not careful, cause programs that parse through the AFS filesystem on Windows to crash, or even possibly corrupt data that it has access to.

 

7.0 Realm/Solaris and Realm/Linux Applications on Macintosh

7.1 "X connection to engr03ras.eos.ncsu.edu:11.0 broken (explicit kill or server shutdown)."

The client application cannot contact the X-Server ( X11.app on Macintosh). This could be for any number of reasons. Some possible ones include:

  • Not using the terminal that is automatically started by X11.app
  • Not starting ssh with the correct command line parameters.
  • Changing the $DISPLAY variable from the default. Let the SSH Client set it.
  • Incorrectly configuring the OSX firewall so that it stops traffic on the localhost

 

8.0 Secure File Transfer from Macintosh

8.1 How do I get debugging information in Fugu?

Fugu is just a graphical frontend for SSH and SFTP/SCP. Before connecting to a server, expand the "Advanced SFTP Options" portion on the Connect Pane. There is an "Additional SSH Options" field. You can enter -v in the field for more verbose info. The more v's you have, the more verbose, meaning -vvvvvvv gives more data than -v.

Next, click on SFTP -> Open Console from the menu bar at the top of the screen. Once you connect to a server, debugging information will be output to the console window. If you need to send the information, you can just cut and paste into a mail client or text file.

 

9.0 AFS Access From Macintosh

9.1 Mac OS X kernel panics while moving files in AFS

Certain releases of the OpenAFS client for Macintosh have a bug that would cause the client OS to Kernel Panic and crash when doing "Move" operations in AFS. Please download the newest verision of OpenAFS for Mac from ITD's website.

9.2 I get errors about not being the owner of files in my AFS Home directory or errors about UID's not matching.

Your user account on your Macintosh and your user account in AFS both have UID's (userid's) that are numbers that map to your user account name. If these UID's are not the same (even though the user name is the same) you can get errors when certain applications try to access things in AFS. This webpage describes how to sync the two UID's: Synchronizing your MacOS X UID with your AFS® UID.

9.3 I cannot Authenticate to Kerberos and get time sync errors.

In order to be able to authenticate to Kerberos (and therefore AFS), the system clock on your machine must be within 5 minutes of the clock on the servers. This webpage describes how to sync your clock with the campus servers: Synchronizing your computer’s clock with NC State’s time server.