Search the VMware Knowledge Base (KB)
View by Article ID

Troubleshooting connectivity issues between the agent, client, and connection server in VMware Virtual Desktop Manager (1006734)

  • 18 Ratings
Language Editions


  • While deploying a pool, virtual machines are stuck with a status of Customizing on the Virtual Machines tab.
  • Connection to the virtual desktop fails.
  • You receive this pop-up message:

    The connection to the remote computer ended

  • In the debug-timestamp.txt log file of the View Agent, you see the error:

    DEBUG <theTopicMessageManager> [JmsManager] Unable to connect to JMS server com.vmware.vdi.agent.messageserver.JmsManager.a(SourceFile:238)
    javax.jms.JMSException: Unable to create a connection to: [[ServerEntry, hostname=<VDM CONNECTION SERVER>, port=4001]]

  • In the debug-timestamp.txt log file of the View Connection Server, you see the warning:

    WARN <Tunnel#1> [r] (57A52D9B20F08C9B788FFE22380F92DD) Problem starting channel 0 for Port1: Failed to allocate onbound connection to <VDM AGENT IP ADDRESS>:3389 - Onbound connection timed out
    com.vmware.vdi.ob.tunnelservice.u: Failed to allocate onbound connection to <VDM AGENT IP ADDRESS>:3389 - Onbound connection timed out

    Note: For more information on the location of the View log files, see Location of VMware View log files (1027744).


There are different paths or legs of connection between the client and the desktop virtual machine, and connectivity issues may be caused by failure of any of the connection legs.

View Client-Connection Server Issues
  • Failure in one branch
  • Incorrect Internet setting on the client computer
  • Inability to resolve DNS name of the connection server
Connection Server-View Agent Issues
  • Resolving the DNS name.
  • Agent establishes JMS communication with connection server
  • Connection server and security server establish an RDP connection
  • Security server establishes a JMS communication with its connection server
Testing Methods
  1. Log in to a virtual desktop.
  2. Click Start > Run, type cmd, and click OK. The Command Prompt window opens. For more information, see Opening a command or shell prompt (1003892).
  3. Ensure that the desktop can resolve the DNS name of the connection server(s) and that the IP address resolved is the correct IP address for the connection server.

    Run the nslookup cs_hostname command.

  4. Ensure that the agent can communicate with the connection server over port 4001. This port is the first example.

    Run the telnet cs_hostname 4001 command.

    If you receive a connection error, check if a firewall or anti-virus is enabled on the virtual desktop, connection server, or in the network infrastructure between the two points.

  5. Repeat these steps according to the port requirements listed below. You may need to adjust where the test is run in step 1. Choose the appropriate location according to the descriptions below.

Client-Server Issues
  • Failure in one branch: You must isolate which step is failing. The location of the problem is usually clear from the error messages on the client side. For example, the client displays VDM Server connection failed or A secure connection to the VDM Server cannot be established if the client-connection server connectivity leg fails. Another possibility is, that after the connection server is contacted and list of desktops displays, opening a desktop fails. The server-desktop-virtual machine connectivity must be investigated.

  • Incorrect Internet setting on the client computer: If you cannot connect to the server with a Microsoft Windows Client, try to access this server with Microsoft Internet Explorer, using HTTP or HTTPS. If you do not see the login page, apply general troubleshooting techniques to resolve the issue.

  • Inability to resolve DNS name of the connection server: You can determine if it is an inability to resolve DNS name when the login page is shown, and you enter the valid credentials, you receive an error message related to the secure connection unable to start. The most common reason for the error is that the client or proxy server is unable to resolve the DNS name of the connection server. When the client successfully authenticates to the connection server, the server directs the client to open a secure connection, If it cannot be resolved by the IP address of the broker computer, the secure connection setup fails. If the browser is configured with an HTTP proxy Web access, the proxy server has to resolve the fully qualified domain name (FQDN). Configure the VDM server to report its externally visible DNS name or IP address in the external URL setting.

    When there are external and internal users who access VDM, and there is no common IP address or domain name, set up two or more identical connection servers and use one group for internal users and the second one for external users.

    To override the external URL, do the following:
    1. Create the file C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\
    2. Add the line:


      If a load balanced setup is used, the initial connection is made to the LB address and a secure connection is made directly to the server.

Server-Desktop Issues

For successful communication between the server and the desktop virtual machine:
  • Resolving the DNS name: The communication server's DNS name must be resolvable.

  • Agent establishes JMS communication with connection server: The Agent must establish JMS communication with the connection server using FQDN and TCP port 4001. This port can be checked by issuing the command telnet <connection server DNS name> 4001 from the command prompt at the desktop virtual machine. If the connection is established, network connectivity is working. The connection to port 4001 may have failed because of firewalls on the desktop, connection server, the network infrastructure, DNS address resolution issues, or JMS router not working on the server.

  • Connection server and security server establish an RDP connection: The connection server and security server must establish an RDP connection to the desktop virtual machine using its last reported IP address and port 3389. If the security server is deployed in the DMZ, exception rules must be created in the inner firewall to allow RDP connectivity between the security server and all desktop virtual machines. If you bypass the secure connection, the client must establish a direct RDP communication to the desktop virtual machine over RDP (port 3389).

  • Security server establishes a JMS communication with its connection server: The security server must establish a JMS communication with the connection server with which it is associated. The FQDN of the connection server must be added to the local host's file to support this connection. The security server has to establish a connection over the AJP13 protocol with the connection server using port 8009.

Additional Information


cannot-connect network-connection-fails dns-incorrectly-configured network-settings no-network-connectivity

See Also

Update History

07/12/2012 - Added additional error/warning messages in the Symptoms section 07/30/2012 - Added to check for anti-virus being enabled 08/02/2012 - Updated Product Versions to include 4.5 up to 5.1 04/28/2013 - Added Horizon View product version. 01/14/2014 - Added Horizon View 5.3 to Product Versions.

Language Editions



Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.


  • 18 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)

Please enter the Captcha code before clicking Submit.
  • 18 Ratings