Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Secure App Connector V2 CLI

Connector V2 CLI enables admins to know the status, manage, run diagnostics, and troubleshoot their secure app connectors by connecting to the host using SSH (secure shell)

  • Log on to the connector host using SSH (Secure Shell) and execute the required commands to troubleshoot a connector.
  • If you are a root user or a non-root user, execute pa_connector the script from anywhere on the host. 

About Secure App Connector

Select the About option to know the Secure App Connector version.

about.JPG

Enter 0 to exit from the command console.

MicrosoftTeams-image (11).png

 

Secure App Connector V2 CLI for TCP Applications

Verification of Secure App Connector V2 for TCP Applications 

Provides the list of commands you can execute: 

  1. Run the Status option to verify the status of the connector deployment.

clipboard_e1b0cd0f50d8be97c049b528a55ea8775.png

Check tunnel status

  • The connector shows the status as Normal when the TCP tunnels are up. 
  • The connector shows the status as Critical when TCP tunnels are down. 

image

  1. Run the Diagnostics tests option to verify the connector setup.

clipboard_e740bcb68d6ad89f887904146d0d44dd1.png

Troubleshooting Secure App Connector V2 for TCP Applications 

Provides the list of commands you can execute: 

  1. Run the Troubleshooting option to help you troubleshoot the Secure App Connector-related issues. 

image (21).png

  1. Select Download Logs to download all logs and configuration details to a temp (/tmp/) folder on the host once diagnostics tests are completed.

Option 6.png

Download Logs

You can download all logs and configuration details to /tmp/Connector-logs-2023-07-12_06-32-26.tar.gz

  1. Log on to the connector host using SSH. 
  2. Execute pa_connector > enter 6.
    Downloads /tmp/Connector-logs-2023-07-12_06-32-26.tar.gz file to the temp (/tmp/) folder once the command is executed completely.
  3. You can upload the latest file /tmp/Connector-logs-2023-07-12_06-32-26.tar.gz to the support portal for review.

Resolving Host Names  

For a Connector to function, the system Domain Name Service (DNS) should be able to resolve both Skyhigh Security URLs and Private Application URLs. You can do the following to resolve host names using the system DNS:

Perform the following to check if the system DNS is resolving both Skyhigh Security and Private Application URLs:

  1. Log on to the connector host using SSH (Secure Shell). 

  1. Execute pa_connector >  enter 3 >  enter a > enter the domain name.

Resolving Host Names  .png

Test the system proxy

Perform the following to test if a private application connection is established with the connector via the system proxy:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 3 > enter b > enter the system proxy address.
    Displays if the private application connection is established with the connector via system proxy. 

image (32).png  

Test Ping

Perform the following to test ping:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector> enter 3 > enter c.

Test Ping (2).png

Test Connectivity to Private App and Capture Packets

Perform the following to check the private application connectivity:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 3 > enter d.
    Downloads .pcap file to the temp (/tmp/) folder once the command is executed completely.

  2. You can upload the latest file pa_capture-currentdate.pcap to the support portal for review. 

image (33).png

Enter command on ztna pod 

Perform the following to execute command on ztna pod:

1. Log on to the connector host using SSH. 

2. Execute pa_connector > enter 3 > enter e.

Enter command on ztna pod .png

Manage Secure App Connector V2 for TCP Applications 

Perform the following to manage connectors:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter <g or h or i or j>.

image (23).png

Stop health update 
  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter g.

Note: Stopping health updates will stop any PA app traffic coming to this connector. Effectively, the connector will be offline/standby.

Start health update 

Perform the following to start all connector services:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter h.

Note: This action will bring the connector back online, and traffic will restart being directed to this connector

 

Restart connector services

Perform the following to restart all services that run in a connector:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter i.

Update host DNS 

Perform the following to update host DNS:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter j.

Secure App Connector V2 CLI for UDP Applications 

Verification of Secure App Connector V2 for UDP Application 

Provides the list of commands you can execute: 

Capture1.JPG

  1. Run the Status option to verify the status of the connector deployment.

clipboard_ef3aeaee4216a7e25fed387f6669b1748.png

Check tunnel status

  • The connector shows the status as Normal when the TCP and UDP tunnel is up. 
  • The connector shows the status as Critical when the TCP and UDP tunnel is down. 

image

  1. Run the Diagnostics tests option to verify the connector setup

clipboard_e33198e2a1bd03a1120b9a5185b73a328.png

Troubleshooting Secure App Connector V2 for UDP Applications

Provides the list of commands you can execute: 

  1. Run the Troubleshooting option to help you troubleshoot the Secure App Connector-related issues. 

  clipboard_e1ec14d47708adbe9124ff672dea46b86.png

  1. Select Download Logs to download all logs and configuration details to a temp (/tmp/) folder on the host once diagnostics tests are completed.

  clipboard_e922d4680d064507a3a5d566cf5268cbb.png

Download Logs

You can download all logs and configuration details to/tmp/Connector-logs-2024-01-10_09-51-36.tar.gz

  1. Log on to the connector host using SSH. 
  2. Execute pa_connector > enter 6.
    Downloads /tmp/Connector-logs-2024-01-10_09-51-36.tar.gz file to the temp (/tmp/) folder once the command is executed completely.
  3. You can upload the latest file /tmp/Connector-logs-2024-01-10_09-51-36.tar.gzto the support portal for review.

Resolving Host Names  

For a Connector to function, the system Domain Name Service (DNS) should be able to resolve both Skyhigh Security URLs and Private Application URLs. You can do the following to resolve host names using the system DNS:

Perform the following to check if the system DNS is resolving both Skyhigh Security and Private Application URLs:

  1. Log on to the connector host using SSH (Secure Shell). 

  1. Execute pa_connector >  enter 3 >  enter command a > enter the domain name.

image (41).png

Test the system proxy

Perform the following to test if a private application connection is established with the connector via the system proxy:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 3 > enter b > enter the system proxy address.
    Displays if the private application connection is established with the connector via system proxy.

clipboard_e924dceca8fb869110f530dbea9df10ad.png

Test Ping

Perform the following to test ping:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter  3 >  enter c.

image (42).png

Test Connectivity to Private App and Capture Packets

Perform the following to check the private application connectivity:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 3 > enter d.
    Downloads .pcap file to the temp (/tmp/) folder once the command is executed completely.

  2. You can upload the latest file pa_capture-currentdate.pcap to the support portal for review. 

clipboard_e7cb6e148843fec8d0ec454fb3dd465fb.png

Enter command on ztna pod

Perform the following to execute command on ztna pod:

1. Log on to the connector host using SSH. 

2. Execute pa_connector > enter 3 > enter e.

image (43).png

Manage Secure App Connector V2 for UDP Application

Provides the list of commands you can execute: 

  1. Run the Manage option to manage (start or stop) Secure App Connector.

clipboard_e9d8cc81bd89de19191441ccf1235cab2.png

Stop health update
  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter g.

Note: Stopping health updates will stop any PA app traffic coming to this connector. Effectively, the connector will be offline/standy.

Start health update

Perform the following to start all connector services:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter h.

Note: This action will bring the connector back online, and traffic will restart being directed to this connector

Restart connector services

Perform the following to restart all services that run in a connector:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter i.

Update host DNS

Perform the following to update host DNS:

  1. Log on to the connector host using SSH. 

  1. Execute pa_connector > enter 4 > enter j.

clipboard_ecc598164fafc001c6e6a0c48494f8c4c.png

Tips

Note: For any new /etc/hosts entries, the connector must be restarted.

  • To log into the pod, run sudo kubectl exec -it <ztna_pod_name> -n ztna -- bash
  • Login to ztna pod and monitor health Updates: Check/skyhigh/mount/logs/healthUpdate.log to ensure that the VPN tunnel is up. The health update requires the list of private applications monitored by the connector. So, check if the private application list sync is successful and /skyhigh/private_apps.json is present.

  • Proxy to private applications: Check/skyhigh/mount/logs/debug.log to ensure that an application is reachable and not blocked by the policy. Ensure that the DNS configured on the connector can access private applications and resolve their URLs.

Common Errors and Workaround

Task When  Error Workaround
Private Application list sync   Check the /.../mount/logs/paListsync.logif Skyhigh cloud API is not reachable. If this is not reachable, then ensure it is reachable to synchronize the private application list with the connector. 
Private Application is not reachable    

Run the command on the connector pod:

curl -v -k https://app-server

If curl also fails, then ensure that the IP of the connector pod and host IP are not on the same subnet (10.254.254.x)

Accessing Private Application Able to access Private Application using Firefox browser, but failed to access the same application on the Chrome browser Google Chrome - Taking Too Long to Load

Disable the Use secure DNS option on Google Chrome. 

The Use secure DNS option should be disabled to access private applications. Go to Chrome browser > Settings > Privacy and Security > Disable the Use Secure DNS option.

Dual stack VMs/Hosts Connector installation in a dual stack VM/host Pods don't come to running state If the VM/host is enabled for both IPv4 and IPv6, ensure that it gets proper IP addresses for both the IPv4 and IPv6 interfaces. If IPv6 is disabled in the network, then the IPv6 interface on the host should also be disabled.
Connector Registration

 
Connection to registration endpoint  Connection to registration endpoint - failed 
  • Check whether Skyhigh Cloud API reachable
  • Check the existence of tun0 and tun1 
Bringing up the VPN tunnel  GW or HTTP_PROXY are not reachable
  • Error while resolving hostname
  • Exception while checking Proxy
  • Exception while checking PA Gateway
  • Unable to connect to Proxy
  • Unable to connect to PA Gateway
Connector maintains an outbound VPN tunnel with PA Gateway.
  • Run ifconfig to check tun adapter and the IP address assigned by the Private Access Gateway.
  • Check whether the gateway port 443 provided to infra.sh is reachable from the connector.