Troubleshoot ZTNA Connector Onboarding
Learn how to troubleshoot ZTNA Connector if you encounter issues while onboarding.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access 5.0 or later is required to enable ZTNA Connector support.
  • The Prisma Access license includes 10 connectors, 10,000 FQDNs, and 1024 IP subnets. This functionality is provided so that you can try out ZTNA Connectors in your environment.
  • The Private App add-on license includes 200 ZTNA Connectors, 10,000 FQDNs, and 1024 IP subnets.
When viewing the ZTNA Connector status in Strata Cloud Manager, the control plane and tunnel status initially display as Down, and the Config status is empty. After the ZTNA Connector VM deploys successfully and establishes a connection with the cloud controller, the ZTNA Connector control status changes to Up and the onboarding and configuration process begins. The ConfigStatus displays the configuration progress in real time.
If issues with the virtual machine (VM) deployment or the data center network prevent a successful connection to the controller, use the following steps to troubleshoot ZTNA Connector connectivity to the cloud controller.
  1. Log in to ZTNA Connector.
    1. Log in to the ZTNA Connector VM from the serial console. You can't access the ZTNA Connector using SSH. ZTNA Connector prompts you to log in. Use the following default credentials during bootstrapping of the ZTNA Connector:
      • username: elem-admin
      • password: hackle628)bags
      You need these default credentials only while troubleshooting; they are removed when the ZTNA Connector onboards to the ZTNA Connector service.
    2. If you get no login prompt, check for:
      • Invalid metadata: the license token key or secret might be missing.
      • VM issues with booting the platform.
  2. Validate ZTNA Connector interface IP address.
    The ZTNA Connector VM initiates a connection to the cloud controller by first bringing up its data center network interfaces. A one-arm ZTNA Connector has a single network interface (Port 1) for both internet and data center network access. A two-arm ZTNA Connector includes one network interface for internet access (Port 1) and a second network interface for data center network access (Port 2). These interfaces can have DHCP or statically configured IP addresses, with default router and DNS server settings. DHCP configuration provides flexibility for dynamic IP updates. For a static IP configuration, you must configure these settings correctly before connecting to the cloud controller, because you can't modify the configuration after the onboarding process.
    1. Check whether the port 1 interface is Up and which IP address is assigned. To proceed, the interface must be Up with an assigned IP address, a default router, and one or more DNS servers.
      ion toolkit# dump interface status 1
      Interface       : 1
      Device          : ethr0
      ID              : 2
      MAC Address     : 00:50:56:8b:2c:12
      State           : up
      Last Change     : 2025-02-13 20:48:15.891 (8m15s ago)
      Address         : 10.16.121.167/24
      Route           : 0.0.0.0/0 via 10.16.121.1 metric 0
      DNS Server      : 10.55.66.10
      DPDK Controlled : true
      ion toolkit# dump interface config 1
      Interface               : 1
      Description             :
      ID                      : 2
      Type                    : port
      Used For                : public
      Admin State             : up
      Alarms                  : disabled
      Auth Type               : none
      NetworkContextID        :
      IpfixCollectorContextID :
      IpfixFilterContextID    :
      Scope                   :
      Directed Broadcast      : false
      MTU                     : 1500
      IP                      : dhcp
      IPv6                    : No configuration
      ion toolkit#
    2. Fix the static IP address configuration with the following command.
      The same commands work on port 2 for two-arm Connectors. Complete the static IP address interface configuration before ZTNA Connector establishes the control connection with the regional cloud controller.
      ion toolkit# config interface 1 ip static address=10.16.121.167/24 gw=10.16.121.1 dns=10.55.66.10
  3. Validate that ZTNA Connector can resolve the cloud controller's DNS name.
    To connect the ZTNA Connector VM to the cloud controller, DNS must resolve the cloud controller's public FQDN. The DNS server configured for port 1 should resolve the public FQDN locator.cgnx.net so that the ZTNA Connector obtains the IP address required to initiate an HTTPS TCP connection to the cloud controller.
    ZTNA Connector won't connect if:
    • The DNS request sent from ZTNA Connector to the DNS server isn't routable using the default router.
    • DNS resolution times out because the DNS server is unreachable. You can test IP connectivity to the DNS server with the ping command if ICMP is permitted in the data center network. Get your DNS server IP address using the following command:
      dump interface status 1
      Interface   : 1
      Device      : ethr0
      ID          : 1729635176162012096
      MAC Address : 00:50:56:8b:ed:76
      State       : up
      Last Change : 2025-03-13 17:57:30.957 (1124h8m15s ago)
      Address     : 10.16.121.160/24
      Route       : 0.0.0.0/0 via 10.16.121.1 metric 0
      DNS Server  : 10.55.66.10
      Test the IP connectivity to the DNS server with the ping command:
      ping 1 10.55.66.10
      PING 10.55.66.10 (10.55.66.10) from 10.16.121.160: 56 data bytes
      64 bytes from 10.55.66.10: seq=0 ttl=124 time=2.189 ms
      64 bytes from 10.55.66.10: seq=1 ttl=124 time=2.375 ms
      64 bytes from 10.55.66.10: seq=2 ttl=124 time=2.338 ms
    • The DNS Server does not resolve locator.cgnx.net.
      ion toolkit# nslookup locator.cgnx.net
      Server:    127.0.0.1
      Address:   127.0.0.1#53

      Non authoritative answer:
      locator.cgnx.net  canonical name = locator-elcapitan.cgnx.net.
      Name:    locator-elcapitan.cgnx.net
      Address: 52.15.45.235
      Name:    locator-elcapitan.cgnx.net
      Address: 18.223.78.55
      ion toolkit#
  4. Validate the ZTNA Connector HTTPS TCP connection to cloud controller.
    The ZTNA Connector VM establishes a TCP connection to the cloud controller by connecting to TCP port 443 for HTTPS. The internet firewall must permit outgoing TCP port 443 connections to locator.cgnx.net and to the regional cloud controller FQDNs, such as vmfg.hood.cgnx.net, controller.hood.cgnx.net, and sdwan-stats-hood-us.cgnx.net. If ZTNA Connector is unable to TCP ping the cloud controller HTTPS port, it won't establish a connection. Check the firewall settings and troubleshoot the outgoing TCP flow to determine whether the outgoing packet is being blocked.
    ion toolkit# tcpping 1 locator.cgnx.net:443
    tcpping connected to 18.223.78.55:443 time=60ms
    ion toolkit#
    If the connector cannot tcpping the controller on port 443, test the subnet's security rules and internet accessibility from another host on the same subnet by connecting to port 443 with telnet.
    telnet locator.cgnx.net 443
    Trying 18.223.78.55...
    Connected to locator-elcapitan.cgnx.net.
    Escape character is '^]'.
  5. Validate the ZTNA Connector license token. You must have a valid token.
    ion toolkit# dump token
    Ion Token : ****************
    Status: Secret missing in License metadata
    ion toolkit#
    When you run the dump token command and the token is invalid, the Status field shows the error message. You can fix the error by using the config token command.
    ion toolkit# config token ion-token="<key>" secret-token="<secret>"
    ion toolkit#
  6. Validate the ZTNA Connector certificate. To establish secure communication, the controller issues a certificate when a valid token, created within the last 72 hours, is used along with an HTTPS connection to the cloud controller. When a MIC and CIC are issued, Strata Cloud Manager shows the ConfigStatus as in-progress. ZTNA Connector reboots and the default credentials are removed.
    You can further troubleshoot ZTNA Connector:
    • Go to Workflows > ZTNA Connector > Connectors and select Actions > Diagnostics.
    • Run the nslookup diagnostic tools and generate a dump overview.
      ion toolkit# dump overview
      Software              : 6.2.5-ztna-connector-b1
      Hardware Model        : ion 200v
      Time Now              : 2025-02-13 21:34:43
      Uptime                : 58m1.75s
      Last Reboot Reason    : manufacture
      Device ID             : 420b2b24-9246-70b6-e83c-c4879b356723
      Registration State    : UnClaimed
      HA State              : active
      Element State         : active
      Simple State          : disabled
      Controller Connection : controller.hood.cgnx.net [52.32.167.5]
      Stats Connection      : Down
      Flows Connection      : Down
      MIC Certificate       : valid until 2035-02-11 21:34:01 +0000 UTC
      Claim Certificate     : not present
      operational interfaces
        1 : addr 10.16.121.167/24 gw 10.16.121.1
      ion toolkit#
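As an added example (not Palo Alto Networks code), the following Python script parses the multi-line dump interface status output shown in step 2 and reports which onboarding prerequisites are still missing, and it repeats the step 3 and step 4 DNS and TCP/443 reachability checks from any host on the connector's subnet. The CONTROLLER_FQDNS list reuses the page's regional example names; the parse_dump, missing_prerequisites and check_tcp443 function names are this example's own.

```python
import re
import socket

# Outbound TCP/443 destinations the page lists; the "hood" regional names are
# the page's examples and may differ for your region.
CONTROLLER_FQDNS = ("locator.cgnx.net", "vmfg.hood.cgnx.net",
                    "controller.hood.cgnx.net", "sdwan-stats-hood-us.cgnx.net")

# One "Key : value" field per console line; keys hold no colon, so the first
# colon splits correctly even when the value is a timestamp or MAC address.
_FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_dump(text):
    """Turn multi-line ion toolkit 'dump ...' output into a dict of fields."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def missing_prerequisites(fields):
    """List what port 1 still lacks: up, IP address, default route, DNS."""
    missing = []
    if fields.get("State", "").lower() != "up":
        missing.append("interface not up")
    if not fields.get("Address"):
        missing.append("no IP address")
    if not fields.get("Route", "").startswith("0.0.0.0/0 via "):
        missing.append("no default route")
    if not fields.get("DNS Server"):
        missing.append("no DNS server")
    return missing


def check_tcp443(fqdn, timeout=5.0):
    """Resolve fqdn and open TCP/443, like the page's tcpping/telnet checks.
    Returns (resolved_ip or None, connected)."""
    try:
        ip = socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None, False  # DNS failure: fix resolution before the firewall
    try:
        with socket.create_connection((ip, 443), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False  # resolved, but TCP/443 is blocked or unreachable
```

Run check_tcp443 for each name in CONTROLLER_FQDNS from a host on the same subnet: a None IP points at the DNS server or default route, while a resolved IP with connected False points at the internet firewall's outbound TCP/443 rules.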