While working on a project that utilizes the Tunnel configuration within the UEM web console, I browsed to GROUPS & SETTINGS > Configurations > Tunnel. Shortly after, I got the error below.

Below is what this setting normally looks like.

Unfortunately, this has happened at least once in my UAT and my production environment under the same console version 19.07. I then reached out to VMware support and below is the detailed resolution for our SaaS environment which I believe should apply to the on-premises environment as well based on this community post. Hopefully, this is helpful to anyone who may come across the same issue.

Issue: Unable to access the Tunnel Configuration page on CNXXX

Root cause: Tunnel Service sometimes is unable to add new encryption key in the registry to decrypt the connection string from the console

Description: For the UEM Console, we have an encryption key that gets generated with a validity period of 90 Days by default. This key will be used to decrypt the connection string(which has the DB login info) stored in appsettings.json. Once this key is expired ( i.e after 90 days ) or corrupted, AirWatch tunnel microservice should create a new key and use that key to decrypt the connection string. That is not happening in some environments. The quick fix is to run an UpdateSQLServerInformation.exe to update the connection strings so that Tunnel service in UEM can reconnect with the new encryption key. This is not a patch and no code changes will be done. This is to update the connection strings. This workaround is valid for 90 days. The permanent fix is to apply a DLL patch or upgrade your UEM Console to a higher version.

 Workaround: UpdateSQLServerInformation.exe to update the connection strings. Saas Ops will update the web.config for the tunnel service. This will immediately restore your Tunnel configuration connection

Permanent solution for Customers on console version 1912, 1909, 1908, 1907: Apply DLL 19.7.0..45 (PPAT-6727) or upgrade to 2001