ZTNA Connector Diagnostic Tools
Diagnostic tools used with ZTNA Connector and how to use them (ping, tcpping, traceroute, nslookup).
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access 4.0
  • ZTNA Connector add-on license
    The Essential license with the add-on license includes 8 ZTNA Connectors, 100 FQDNs, and 4 IP subnet functionality.
    The Advanced license with the add-on license includes 40 ZTNA Connectors, 300 FQDNs, and 1024 IP subnet functionality.
    The Premium license with the add-on license includes 200 ZTNA Connectors, 4000 FQDNs, and 1024 IP subnet functionality.
  • If you don't purchase the ZTNA Connector add-on license, Prisma Access licenses include four connectors, 40 FQDNs, and four IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
If you encounter issues with accessing private apps using ZTNA Connector, you can run tests from the ZTNA Connector UI to help you find the issue, using the following networking tools:
  • ping
  • TCP Ping
  • traceroute
  • nslookup
  • dump overview
You can also take packet captures to help determine the cause of any issues with ZTNA Connector.
Be sure that ICMP is allowed in your network before using the ping and traceroute tools. Some cloud environments block ICMP for security reasons; in those environments, these tools do not display any activity.
  1. Go to Workflows > ZTNA Connector > Connectors.
  2. Select Actions > Diagnostics for the connector.
  3. Run the ping, TCP Ping, traceroute, or nslookup diagnostic tools.
    • ping:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select the interface from which you are testing the ping.
        If you have configured your VM with a two-arm deployment, select internal to check the LAN side (port 2) of the VM and select external to check the WAN side (port 1).
        For a one-arm deployment, choose either internal or external, as both the WAN and LAN side map to port 1.
      3. Select ping.
        The ping output displays.
      4. To finish the test, select Stop.
    • TCP Ping:
      TCP Ping requires ZTNA Connector version 6.2.5-b1. If the connector is not running this version, the Strata Cloud Manager UI does not offer TCP Ping as a diagnostic tool.
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select the interface from which you are testing the TCP ping.
        If you have configured your VM with a two-arm deployment, select internal to check the LAN side (port 2) of the VM and select external to check the WAN side (port 1).
      3. Select TCP Ping.
      4. To finish the test, select Stop.
    • traceroute:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select the interface from which you are running the traceroute.
        If you have configured your VM with a two-arm deployment, select internal to check the LAN side (port 2) of the VM and select external to check the WAN side (port 1).
      3. Select traceroute.
      4. To finish the test, select Stop.
    • nslookup:
      1. Select the IP or FQDN of the application you are trying to reach.
      2. Select nslookup.
      3. To finish the test, select Stop.
    • dump overview:
      1. Click Start to download a system dump, and click Stop to stop it.
        The dump overview provides the software version, interface and connection status, and connector identification information required for PANW troubleshooting.
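The TCP Ping tool above exists because ICMP is often blocked, so a TCP connect probe is the reachability test that still works. The following is an added example (not code from the page or from Palo Alto Networks) of what such a probe reports: the outcome class of one TCP connect (open, refused, timeout, DNS failure) and the round-trip time, plus a multi-probe summary in the style of a ping output. Host and port are whatever you pass in; the sample run targets loopback.

```python
import socket
import statistics
import time

def tcp_ping(host: str, port: int, timeout: float = 2.0) -> dict:
    """One TCP connect() to host:port; returns the outcome and round-trip time in ms.

    Unlike an ICMP echo, a TCP probe still tells you something where ICMP is
    filtered: "refused" means the host answered with a RST (reachable, port
    closed), while "timeout" means nothing came back (filtered or down).
    """
    result = {"host": host, "port": port, "status": "", "rtt_ms": None}
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        result["status"] = "dns-failure"   # name did not resolve: run nslookup next
        return result
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.connect(addr)
        result["status"] = "open"
    except socket.timeout:
        result["status"] = "timeout"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except OSError as exc:                 # e.g. no route to host
        result["status"] = f"error:{exc.errno}"
    finally:
        result["rtt_ms"] = round((time.monotonic() - start) * 1000, 2)
        sock.close()
    return result

def tcp_ping_series(host: str, port: int, count: int = 4, timeout: float = 2.0) -> dict:
    """Run `count` probes and summarise them like a ping output (loss, min/avg/max RTT)."""
    results = [tcp_ping(host, port, timeout) for _ in range(count)]
    ok = [r["rtt_ms"] for r in results if r["status"] == "open"]
    return {
        "sent": count,
        "open": len(ok),
        "loss_pct": round(100 * (count - len(ok)) / count, 1),
        "min_ms": min(ok) if ok else None,
        "avg_ms": round(statistics.mean(ok), 2) if ok else None,
        "max_ms": max(ok) if ok else None,
        "statuses": [r["status"] for r in results],
    }

if __name__ == "__main__":
    print(tcp_ping_series("127.0.0.1", 22))   # constructed sample target: local SSH port
```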

Take Packet Captures

If you require packet captures for network-level troubleshooting, you can take packet captures that capture network data from specific connectors. You can also capture packets based on specific IP addresses or protocols (for example, TCP).
Taking packet captures is useful in the following use cases:
  • If your tunnel is not coming up. Capturing the IKE negotiation between the connector and ZTT helps to determine the problem. In this case, select the internet interface and use the IP address of the service connection as the source or destination address.
  • If your app goes down, you can check the probing of the app by getting a tcpdump using the server IP address and port on the data center interface.
  • If the end-to-end data plane is not working, but the tunnel is up and the app is up. In this use case, getting a tcpdump of the user traffic on the IPSec tunnel destined to the app's fabric IP address is beneficial.
  1. Go to Workflows > ZTNA Connector > Connectors.
  2. Select packet capture (the magnifying glass) for the connector you want to troubleshoot.
  3. Select the interface where the packets will be captured (internal, external, or tunnel).
  4. (Optional) Specify the Source or Destination IPv4 address from which packets are captured.
    If you specify this option, only packets with this source or destination IP address are captured.
  5. (Optional) Select the type of packets to capture.
    You can select packets of a specific protocol to be captured (tcp, udp, icmp, or arp), or select all to capture all packets.
  6. (Optional) Select a Port from which packets will be captured.
    If you specify this option, only packets to or from this port are captured.
  7. Start the packet captures.
  8. To stop the packet captures, click Stop.
    • The maximum file size for packet captures is 5 MB. If you do not stop the captures before the maximum size is reached, the file is overwritten.
    • A maximum of three packet captures are allowed on a connector at the same time. If a fourth session is initiated, the first running session is terminated.
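To make the capture options and limits above concrete, here is an added example (not code from the page or from Palo Alto Networks) that translates the UI's choices (interface, optional source-or-destination IPv4 address, protocol, optional port) into an equivalent BPF filter and tcpdump command line, including the 5 MB overwrite behaviour, and wraps the three troubleshooting use cases as presets. The device names eth0, eth1 and ipsec0 are assumed for illustration; the connector's real interface names are not documented on the page.

```python
import ipaddress

# Capture interfaces offered by the UI, mapped to ASSUMED Linux device names
# (external = WAN / port 1, internal = LAN / port 2, tunnel = IPSec tunnel).
INTERFACES = {"external": "eth0", "internal": "eth1", "tunnel": "ipsec0"}
PROTOCOLS = ("all", "tcp", "udp", "icmp", "arp")
MAX_FILE_MB = 5   # UI limit: the capture file is overwritten once it reaches 5 MB

def build_filter(ip=None, proto="all", port=None):
    """Translate the UI options into a BPF filter expression, rejecting
    combinations that can never match (e.g. a port on icmp or arp)."""
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    terms = []
    if ip is not None:
        # IPv4Address raises ValueError on IPv6 or garbage; 'host' matches src or dst.
        terms.append(f"host {ipaddress.IPv4Address(ip)}")
    if proto != "all":
        terms.append(proto)
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        if proto in ("icmp", "arp"):
            raise ValueError(f"{proto} has no ports; choose tcp, udp or all")
        terms.append(f"port {port}")
    return " and ".join(terms)

def build_tcpdump(interface, ip=None, proto="all", port=None, out="capture.pcap"):
    """Assemble an equivalent tcpdump argv; -C 5 with -W 1 reproduces the
    'single 5 MB file that gets overwritten' behaviour of the UI."""
    dev = INTERFACES[interface]            # KeyError on an unknown interface
    cmd = ["tcpdump", "-ni", dev, "-C", str(MAX_FILE_MB), "-W", "1", "-w", out]
    expr = build_filter(ip, proto, port)
    return cmd + ([expr] if expr else [])

# The three use cases from the text as presets: which interface to capture on.
# `ip` is the service connection IP, the server IP, or the app's fabric IP
# respectively (placeholders you supply; none are given on the page).
USE_CASES = {"tunnel-down": "external", "app-down": "internal", "dataplane": "tunnel"}

def use_case_capture(case, ip, port=None):
    """Build the capture command for one of the documented troubleshooting cases."""
    return build_tcpdump(USE_CASES[case], ip, "all", port)
```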

Collect Tech Support Files

The Tech Support file contains your device configuration, system information, and some logs (not traffic). Palo Alto Networks can request that you upload a tech support file to assist with troubleshooting issues with ZTNA Connector.
  1. Go to Workflows > ZTNA Connector > Connectors.
  2. Select tech support (the hand) for the connector you want to troubleshoot.
  3. Generate new Tech Support File.
  4. Select Complete to download the tech support file locally.