>
    Troubleshoot ZTNA Connector Onboarding
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access ZTNA Connector
    5. Onboard the ZTNA Connector VM in Your Data Center
    6. Troubleshoot ZTNA Connector Onboarding
    Download PDF
    Prisma Access

    Troubleshoot ZTNA Connector Onboarding

    Table of Contents

    Troubleshoot ZTNA Connector Onboarding

    Learn how to troubleshoot ZTNA Connector if you encounter issues while onboarding.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • We require a minimum version of Prisma Access 5.0 to enable ZTNA Connector support.
    • Prisma Access license includes 10 connectors, 10,000 FQDNs, and 1024 IP subnets. This functionality is provided for the purpose of trying out ZTNA Connectors in your environment.
    • The Private App add-on license includes 200 ZTNA Connectors, 10,000 FQDNs, and 1024 IP subnet functionality.
    When viewing the ZTNA Connector status in Strata Cloud Manager, the control plane and tunnel status initially display as Down, and the Config status is empty. After the ZTNA Connector VM deploys successfully and establishes a connection with the cloud controller, the ZTNA Connector control status changes to Up and the onboarding and configuration process begins. The ConfigStatus displays the configuration progress in real-time.
    If there are deployment issues or issues with the Virtual Machine (VM) deployment or the data center network that hinder a successful connection to the controller, use the following resources to troubleshoot the ZTNA Controller connectivity issues.
    1. Log in to ZTNA Connector.
      1. Log in to ZTNA Connector VM from the serial console. You can't access the ZTNA Connector using SSH. ZTNA Connector prompts you to login. Use the following default credentials during bootstrapping to ZTNA Connector:
        • username: elem-admin
        • password: hackle628)bags
        You need these default credentials only while troubleshooting and is removed as the ZTNA Connector onboards to the ZTNA Connector service.
      2. If you get no prompts for login, check for:
        • Invalid metadata- the license token key or secret might be missing.
        • VM issues with booting the platform.
    2. Validate ZTNA Connector interface IP address.
      The ZTNA Connector VM initiates a connection to the cloud controller by first establishing a connection to the data center network interfaces. A one-arm ZTNA Connector has a single network interface (Port 1) for both internet and data center network access. A two-arm ZTNA Connector includes one network interface for internet network access (Port 1) and a second network interface for data center network access (Port 2). These interfaces can have DHCP or statically configured IP addresses with a default router and DNS server settings. DHCP configuration provides flexibility for dynamic IP updates. In contrast, for static IP configuration, you must correctly configure these settings before connecting to the cloud controller, as you can't modify the configuration after the onboarding process.
      1. Check if the port 1 interface is Up and the assigned IP address. To proceed, the interface must be Up with the assigned IP address, a default router, and one or more DNS Servers.
        ion toolkit# dump interface status 1
Interface       : 1
Device          : ethr0
ID              : 2
MAC Address     : 00:50:56:8b:2c:12
State           : up
Last Change     : 2025-02-13 20:48:15.891 (8m15s ago)
Address         : 10.16.121.167/24
Route           : 0.0.0.0/0 via 10.16.121.1 metric 0
DNS Server      : 10.55.66.10
DPDK Controlled : true
        ion toolkit# dump interface config 1
Interface               : 1
Description             :
ID                      : 2
Type                    : port
Used For                : public
Admin State             : up
Alarms                  : disabled
Auth Type               : none
NetworkContextID        :
IpfixCollectorContextID :
IpfixFilterContextID    :
Scope                   :
Directed Broadcast      : false
MTU                     : 1500
IP                      : dhcp
IPv6                    : No configuration

ion toolkit#
      2. Fix the static IP address configuration with the following command.
        The same commands work on port 2 for two-arm Connectors. Complete the static IP address interface configuration before ZTNA Connector establishes the control connection with the regional cloud controller.
        ion toolkit# config interface 1 ip static address=10.16.121.167/24 gw=10.16.121.1 dns=10.55.66.10
    3. Validate if ZTNA Connector can resolve DNS cloud controller.
      To connect the ZTNA Connector VM to the cloud controller, DNS resolves the public DNS cloud controller FQDN. The DNS server for port 1 should resolve the public FQDN locator.cgnx.net to obtain the DNS resolved IP address required for initiating an HTTPS TCP connection to the cloud controller.
      ZTNA Connector won't connect if:
      • The DNS request sent from ZTNA Connector to the DNS server isn't routable using the default router.
      • If DNS resolution to the DNS server times out, the IP connectivity to the DNS server can be tested with the ping command if ICMP is permitted in the data center network. Get your DNS server IP address using the following command:
        dump interface status 1
Interface   : 1
Device      : ethr0
ID          : 1729635176162012096
MAC Address : 00:50:56:8b:ed:76
State       : up
Last Change : 2025-03-13 17:57:30.957 (1124h8m15s ago)
Address     : 10.16.121.160/24
Route       : 0.0.0.0/0 via 10.16.121.1 metric 0
DNS Server  : 10.55.66.10
        Test the IP connectivity to the DNS server with the ping command:
        ping 1 10.55.66.10
PING 10.55.66.10 (10.55.66.10) from 10.16.121.160: 56 data bytes
64 bytes from 10.55.66.10: seq=0 ttl=124 time=2.189 ms
64 bytes from 10.55.66.10: seq=1 ttl=124 time=2.375 ms
64 bytes from 10.55.66.10: seq=2 ttl=124 time=2.338 ms
      • The DNS Server does not resolve locator.cgnx.net.
        ion toolkit# nslookup locator.cgnx.net
Server:    127.0.0.1
Address:127.0.0.1#53
        Non authoritative answer:
        
locator.cgnx.netcanonical name = locator-elcapitan.cgnx.net.
Name:        locator-elcapitan.cgnx.net
Address: 52.15.45.235
Name:    locator-elcapitan.cgnx.net
Address: 18.223.78.55

ion toolkit#
    4. Validate the ZTNA Connector HTTPS TCP connection to cloud controller.
      The ZTNA Connector VM establishes a TCP connection to the cloud controller by initiating a connection to TCP port 443 for HTTPS. The outgoing TCP port 443 connections to locator.cgnx.net and the regional cloud controller FQDNs, such as vmfg.hood.cgnx.net, controller.hood.cgnx.net, and sdwan-stats-hood-us.cgnx.net, must be permitted by the internet firewall. If ZTNA Connector is unable to TCP ping the cloud controller HTTPS port, it won't establish a connection. Check the firewall settings and troubleshoot the outgoing TCP flow to determine if the outgoing packet isn't allowed.
      ion toolkit# tcpping 1 locator.cgnx.net:443
tcpping connected to 18.223.78.55:443 time=60ms
ion toolkit#
      If the connector cannot tcpping the controller port 443, you can test the subnet security rules and internet accessibility by going to another host on the subnet and try telnet to port 443 to test the subnet's accessibility to the internet.
      telnet locator.cgnx.net 443
Trying 18.223.78.55...
Connected to locator-elcapitan.cgnx.net.
Escape character is '^]'.
    5. Validate a ZTNA Connector license token. You must get a valid token. 
      ion toolkit# dump token
Ion Token : ****************
Status: Secret missing in License metadata
ion toolkit#
      When you run the dump token command, and the token is invalid, the Status shows that the error message. You can fix the error by using the config token command.
      ion toolkit# config token ion-token="<key>" secret-token="<secret>"
ion toolkit#
    6. Validate a ZTNA Connector certificate. To establish secure communication, the controller issues a certificate when a valid token, created within the last 72 hours, is used along with an HTTPS connection to the cloud controller. When a MIC and CIC are issued, Strata Cloud Manager shows that the ConfigStatus is in-progress. ZTNA Connector reboots and the default credentials are removed.
      You can further troubleshoot ZTNA Connector:
      • Go to WorkflowsZTNA ConnectorConnectors and select ActionsDiagnostics.
      • Run the nslookup diagnostic tools and generate a dump overview.
        ion toolkit# dump overview
Software                 : 6.2.5-ztna-connector-b1
Hardware Model           : ion 200v
Time Now                 : 2025-02-13 21:34:43
Uptime                   : 58m1.75s
Last Reboot Reason       : manufacture
Device ID                : 420b2b24-9246-70b6-e83c-c4879b356723
Registration State       : UnClaimed
HA State                 : active
Element State            : active
Simple State             : disabled
Controller Connection    : controller.hood.cgnx.net [52.32.167.5]
Stats Connection         : Down
Flows Connection         : Down
MIC Certificate          : valid until 2035-02-11 21:34:01 +0000 UTC
Claim Certificate        : not present
        operational interfaces
1    : addr 10.16.121.167/24 gw 10.16.121.1
ion toolkit#

    © 2025 Palo Alto Networks, Inc. All rights reserved.