Prisma Access
Troubleshoot ZTNA Connector Onboarding
Learn how to troubleshoot ZTNA Connector if you encounter issues while
onboarding.
When viewing the ZTNA Connector status in Strata Cloud Manager,
the control plane and tunnel status initially display as Down, and the Config status is
empty. After the ZTNA Connector VM deploys successfully and establishes a connection
with the cloud controller, the ZTNA Connector control status changes to Up and the
onboarding and configuration process begins. The ConfigStatus displays the configuration
progress in real-time.
If issues with the Virtual Machine (VM) deployment or the data center network prevent a successful connection to the controller, use the following steps to troubleshoot ZTNA Connector connectivity.
- Log in to ZTNA Connector.
  - Log in to the ZTNA Connector VM from the serial console. You can't access the ZTNA Connector using SSH. ZTNA Connector prompts you to log in. Use the following default credentials during bootstrapping of the ZTNA Connector:
    - username: elem-admin
    - password: hackle628)bags

    You need these default credentials only while troubleshooting; they are removed as the ZTNA Connector onboards to the ZTNA Connector service.
  - If you get no login prompt, check for:
    - Invalid metadata: the license token key or secret might be missing.
    - VM issues with booting the platform.
- Validate the ZTNA Connector interface IP address. The ZTNA Connector VM initiates a connection to the cloud controller by first establishing a connection to the data center network interfaces. A one-arm ZTNA Connector has a single network interface (Port 1) for both internet and data center network access. A two-arm ZTNA Connector includes one network interface for internet access (Port 1) and a second network interface for data center network access (Port 2). These interfaces can have DHCP or statically configured IP addresses with default router and DNS server settings. DHCP configuration provides flexibility for dynamic IP updates. In contrast, for static IP configuration, you must configure these settings correctly before connecting to the cloud controller, because you can't modify the configuration after the onboarding process.
  - Check if the port 1 interface is Up and has an assigned IP address. To proceed, the interface must be Up with an assigned IP address, a default router, and one or more DNS servers.

    ```
    ion toolkit# dump interface status 1
    Interface       : 1
    Device          : ethr0
    ID              : 2
    MAC Address     : 00:50:56:8b:2c:12
    State           : up
    Last Change     : 2025-02-13 20:48:15.891 (8m15s ago)
    Address         : 10.16.121.167/24
    Route           : 0.0.0.0/0 via 10.16.121.1 metric 0
    DNS Server      : 10.55.66.10
    DPDK Controlled : true
    ion toolkit# dump interface config 1
    Interface               : 1
    Description             :
    ID                      : 2
    Type                    : port
    Used For                : public
    Admin State             : up
    Alarms                  : disabled
    Auth Type               : none
    NetworkContextID        :
    IpfixCollectorContextID :
    IpfixFilterContextID    :
    Scope                   :
    Directed Broadcast      : false
    MTU                     : 1500
    IP                      : dhcp
    IPv6                    : No configuration
    ion toolkit#
    ```

  - Fix the static IP address configuration with the following command. The same command works on port 2 for two-arm Connectors. Complete the static IP address interface configuration before ZTNA Connector establishes the control connection with the regional cloud controller.

    ```
    ion toolkit# config interface 1 ip static address=10.16.121.167/24 gw=10.16.121.1 dns=10.55.66.10
    ```

- Validate that ZTNA Connector can resolve the cloud controller DNS name.
  To connect the ZTNA Connector VM to the cloud controller, DNS must resolve the public cloud controller FQDN. The DNS server for port 1 should resolve the public FQDN locator.cgnx.net to obtain the IP address required for initiating an HTTPS TCP connection to the cloud controller. ZTNA Connector won't connect if:
  - The DNS request sent from ZTNA Connector to the DNS server isn't routable using the default router. If DNS resolution to the DNS server times out, you can test IP connectivity to the DNS server with the ping command, provided ICMP is permitted in the data center network. Get your DNS server IP address using the following command:

    ```
    dump interface status 1
    Interface   : 1
    Device      : ethr0
    ID          : 1729635176162012096
    MAC Address : 00:50:56:8b:ed:76
    State       : up
    Last Change : 2025-03-13 17:57:30.957 (1124h8m15s ago)
    Address     : 10.16.121.160/24
    Route       : 0.0.0.0/0 via 10.16.121.1 metric 0
    DNS Server  : 10.55.66.10
    ```

    Test the IP connectivity to the DNS server with the ping command:

    ```
    ping 1 10.55.66.10
    PING 10.55.66.10 (10.55.66.10) from 10.16.121.160: 56 data bytes
    64 bytes from 10.55.66.10: seq=0 ttl=124 time=2.189 ms
    64 bytes from 10.55.66.10: seq=1 ttl=124 time=2.375 ms
    64 bytes from 10.55.66.10: seq=2 ttl=124 time=2.338 ms
    ```

  - The DNS server does not resolve locator.cgnx.net. A working resolution looks like this:

    ```
    ion toolkit# nslookup locator.cgnx.net
    Server:    127.0.0.1
    Address:   127.0.0.1#53

    Non-authoritative answer:
    locator.cgnx.net    canonical name = locator-elcapitan.cgnx.net.
    Name:    locator-elcapitan.cgnx.net
    Address: 52.15.45.235
    Name:    locator-elcapitan.cgnx.net
    Address: 18.223.78.55
    ion toolkit#
    ```

- Validate the ZTNA Connector HTTPS TCP connection to the cloud controller.
  The ZTNA Connector VM establishes a TCP connection to the cloud controller by initiating a connection to TCP port 443 for HTTPS. The internet firewall must permit outgoing TCP port 443 connections to locator.cgnx.net and the regional cloud controller FQDNs, such as vmfg.hood.cgnx.net, controller.hood.cgnx.net, and sdwan-stats-hood-us.cgnx.net. If ZTNA Connector is unable to TCP ping the cloud controller HTTPS port, it won't establish a connection. Check the firewall settings and troubleshoot the outgoing TCP flow to determine whether the outgoing packet is being blocked.

  ```
  ion toolkit# tcpping 1 locator.cgnx.net:443
  tcpping connected to 18.223.78.55:443 time=60ms
  ion toolkit#
  ```

  If the connector cannot tcpping the controller on port 443, you can test the subnet security rules and internet accessibility by going to another host on the subnet and trying telnet to port 443:

  ```
  telnet locator.cgnx.net 443
  Trying 18.223.78.55...
  Connected to locator-elcapitan.cgnx.net.
  Escape character is '^]'.
  ```

- Validate the ZTNA Connector license token. You must have a valid token.
  ```
  ion toolkit# dump token
  Ion Token : ****************
  Status: Secret missing in License metadata
  ion toolkit#
  ```

  When you run the dump token command and the token is invalid, the Status shows the error message. You can fix the error with the config token command:

  ```
  ion toolkit# config token ion-token="<key>" secret-token="<secret>"
  ion toolkit#
  ```

- Validate the ZTNA Connector certificate. To establish secure communication, the controller issues a certificate when a valid token, created within the last 72 hours, is used along with an HTTPS connection to the cloud controller. When a MIC and CIC are issued, Strata Cloud Manager shows the ConfigStatus as in-progress. ZTNA Connector reboots and the default credentials are removed.
You can further troubleshoot ZTNA Connector:
- Go to Workflows > ZTNA Connector > Connectors and select Actions > Diagnostics.
- Run the nslookup diagnostic tools and generate a dump overview.

  ```
  ion toolkit# dump overview
  Software              : 6.2.5-ztna-connector-b1
  Hardware Model        : ion 200v
  Time Now              : 2025-02-13 21:34:43
  Uptime                : 58m1.75s
  Last Reboot Reason    : manufacture
  Device ID             : 420b2b24-9246-70b6-e83c-c4879b356723
  Registration State    : UnClaimed
  HA State              : active
  Element State         : active
  Simple State          : disabled
  Controller Connection : controller.hood.cgnx.net [52.32.167.5]
  Stats Connection      : Down
  Flows Connection      : Down
  MIC Certificate       : valid until 2035-02-11 21:34:01 +0000 UTC
  Claim Certificate     : not present
  operational interfaces
    1 : addr 10.16.121.167/24 gw 10.16.121.1
  ion toolkit#
  ```
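The checks above can be applied to saved serial-console output rather than by eye. The following is an added example, not Palo Alto Networks code: it parses the `dump interface status` and `dump token` output formats shown on this page and lists which onboarding prerequisites (interface up, address assigned, default router, DNS server, valid token) are unmet. The sample output is constructed from the page's examples with the DNS server and the token secret deliberately missing; the function names are the example's own, and it assumes, as the page states, that the Status line of `dump token` carries the error text for an invalid token.

```python
"""Check ZTNA Connector 'ion toolkit' dump output against the onboarding
prerequisites on this page. Added example, not Palo Alto Networks code."""
import re

# Constructed sample output: port 1 is up with an address and default route
# but no DNS server, and the license token is missing its secret.
SAMPLE_IF_STATUS = """\
ion toolkit# dump interface status 1
State       : up
Address     : 10.16.121.167/24
Route       : 0.0.0.0/0 via 10.16.121.1 metric 0
DNS Server  :
ion toolkit#"""
SAMPLE_TOKEN = """\
ion toolkit# dump token
Ion Token : ****************
Status: Secret missing in License metadata
ion toolkit#"""

def parse_dump(text):
    """Turn the 'Key : value' lines of a dump into a dict; prompt lines have no colon and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def interface_findings(status_dump):
    """List the prerequisites from the page that the interface does not meet."""
    f = parse_dump(status_dump)
    findings = []
    if f.get("State", "").lower() != "up":
        findings.append("interface is not up")
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", f.get("Address", "")):
        findings.append("no IP address assigned")
    if not f.get("Route", "").startswith("0.0.0.0/0 via "):
        findings.append("no default router")
    if not f.get("DNS Server"):
        findings.append("no DNS server")
    return findings

def token_findings(token_dump):
    """Report the Status line 'dump token' prints for an invalid token; no Status means no error."""
    status = parse_dump(token_dump).get("Status", "")
    return [f"license token problem: {status}"] if status else []

if __name__ == "__main__":
    for item in interface_findings(SAMPLE_IF_STATUS) + token_findings(SAMPLE_TOKEN):
        print("FAIL:", item)
```

Paste the real `dump interface status 1` and `dump token` output into the two sample strings; an empty findings list means the interface and token prerequisites covered here are met, and DNS, TCP 443 and certificate checks still follow the steps above.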