HTTP 500 Internal Server Error and Logon Problems with Citrix Access Gateway 5.0.4

I recently ran into a tough problem with a new Access Gateway setup. The setup was 2 virtual appliances controlled with the Access Controller on a Windows domain member server. The problem presented as a 500 error. If you refreshed the page, the logon page would appear, but logins were erroring with a message something like “Try again, or contact your help desk or system administrator for help”. Google searching for 500 errors on the Access Gateway pulled up a bunch of older articles that weren’t relevant to version 5.0.4.

When we went to the web interface of the appliances, we noticed a warning that the access gateway cannot connect to controller. So we started looking at the network, and nothing had changed. Then we searched for that error and came to this article. It then occurred to us to check the time synchronization between AD and the Access Gateway appliances, and we noticed that the time was out of sync by more than a minute. Per the article, the clocks need to be less than 30 seconds apart.

We had set up a network ACL so that the appliances in the DMZ could get NTP from our internal server; however, the ACL was accidentally configured as TCP over port 123 instead of UDP over port 123, and the clocks eventually got out of sync. Setting the NTP settings on the appliance to and rebooting the appliances ended up getting us within 7 seconds, which fixed the problem.
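As an added example (not part of the original post or of any Citrix tooling), here is a minimal SNTP client in Python that checks exactly what went wrong above: it sends the query over UDP/123 (the protocol the ACL should have allowed, so a timeout here with TCP/123 open is the symptom), computes the clock offset from the reply, and flags anything beyond the 30-second limit the post cites. The server address and the reply built by `make_reply` are assumptions used for illustration and testing.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between the NTP epoch (1900) and Unix epoch (1970)
MAX_SKEW_SECONDS = 30          # limit quoted in the post from the Citrix article


def build_request():
    # First byte: LI=0, VN=3, Mode=3 (client) -> 0x1b; the other 47 bytes stay zero
    return b"\x1b" + b"\x00" * 47


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def offset_from_reply(reply, t1, t4):
    """Clock offset (server minus client) per RFC 4330: ((t2 - t1) + (t3 - t4)) / 2.
    t1/t4 are the client's send/receive times; t2/t3 come from the 48-byte reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    words = struct.unpack("!12I", reply[:48])
    t2 = ntp_to_unix(words[8], words[9])    # receive timestamp (server got our query)
    t3 = ntp_to_unix(words[10], words[11])  # transmit timestamp (server sent reply)
    return ((t2 - t1) + (t3 - t4)) / 2


def skew_ok(offset, limit=MAX_SKEW_SECONDS):
    """True when the appliance clock is within the limit the article requires."""
    return abs(offset) <= limit


def query(server, timeout=3.0):
    """One SNTP exchange over UDP port 123. A timeout while TCP/123 is reachable
    points at an ACL that permits the wrong transport, as in the post."""
    t1 = time.time()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, 123))
        reply, _ = sock.recvfrom(48)
    t4 = time.time()
    return offset_from_reply(reply, t1, t4)


def make_reply(t2_unix, t3_unix):
    """Constructed server reply (test fixture, not captured traffic): LI=0, VN=3, Mode=4."""
    def to_ntp(t):
        return int(t) + NTP_EPOCH_OFFSET, int(round((t - int(t)) * 2**32))
    s2, f2 = to_ntp(t2_unix)
    s3, f3 = to_ntp(t3_unix)
    return struct.pack("!12I", 0x1c << 24, 0, 0, 0, 0, 0, 0, 0, s2, f2, s3, f3)
```

Run `query("ntp.example.internal")` (placeholder address) from the DMZ host and pass the result to `skew_ok` to confirm both the transport and the remaining offset in one step.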


