Troubleshoot Common Issues

Connector Issues

Challenge	Workaround
Secure App Connector Page – Status: Unreachable	Cause: TCP and UDP connectors’ tunnels are down. Workaround: Log in to Connector CLI. Check Tunnel status using option #2. Run Diagnostics using option #5 and verify that all checks pass.
Secure App Connector Page – Status: Critical	Cause: TCP or UDP connection among PA connectors is down. Workaround. Log in to Connector CLI. Check Tunnel status using option #2. Run Diagnostics using option #5 and verify that all checks pass.
CLI Tunnel Status Symptom: Not connected to Gateway (TCP) Wiredguard Tunnel not connected (UDP)	Cause. The connection between the Connector and the PA-Gateway (PoP) is broken. Workaround. Confirm that the Prerequisites are followed and the On-prem firewall allows traffic to the PA-Gateway. TCP port 443 UDP port 443 Log in to the respective pods using option #4 > e- > t/u, then type Bash and press Enter. For TCP Connector: Run the command`curl` `-v -k https://pa-wgcs.skyhigh.cloud:443` Verify output: 200 Connection Established. Check Logs: tail -f /skyhigh/mount/logs/openvpn_client-1.log tail -f /skyhigh/mount/logs/postRegistration.log Look for errors. For UDP Connector: Run the command and verify if the connection is established (200 Connection Established.) `curl -v -k https://conect.pa-wgcs.skyhigh.cloud:443` Run the command and verify if the status is open: `nmap -Pn -sU -p 443 traffic.pa-gateway.skyhigh.cloud` Execute restart-scs. Check logs: tail -f /skyhigh/mount/logs/debug.log tail -f /skyhigh/mount/logs/postRegistration.log
Pods in InvalidImageName status	Cause: Intermittent network connectivity prevents pod initialization. Workaround: Log in to Connector CLI, choose option #4. Wait ~30 seconds for pods to initialize.
Pods in Unknown status Description: MountVolume.Setup fails for volume or secret cache timeout.	Cause: VM host is down for >24 hours, causing ECR token expiry. Workaround: Deploy the connector on a fresh VM host.
Installation Failures (IAM not reachable, wrong DNS, invalid proxy, duplicate configs)	Cause: Connector deployment script received invalid data or failed to reach required endpoints. Workaround: For ESX: Redeploy connector on the same host after resolving issues. For others: Redeploy the connector on a fresh host.

Client Issues

Challenge Workaround

SCP Window Shows PA Status: Not Connected

Cause: The client cannot establish outbound connectivity to the Skyhigh proxy service on the required ports (typically 8080 or 443).

Workaround:

Verify that outbound traffic to the proxy FQDN is allowed on ports 8080 and/or 443.
Open a command prompt on the client.
Test connectivity to the proxy:
- telnet cxxxxxx.wgcs.skyhigh.cloud 8080
- telnet cxxxxxx.wgcs.skyhigh.cloud 443

NOTE: In SCP 5.x, the client intercepts traffic locally, so telnet and packet capture tools may not show any results.

Ensure the client is configured to use the correct secure channel port.
If connectivity still fails, validate firewall, proxy chaining, or ISP restrictions on outbound HTTPS traffic.

This Site Can’t Be Reached When Accessing a Private Application

Cause: The application is not configured as a Private Application in the SSE UI.

Workaround:

Add the application under SSE UI > Private Access > Private Applications.
Confirm that the SCP policy revision on the client matches the SSE UI revision.
Open About Skyhigh Client Proxy and verify that PA status shows Connected.
Access the PA dashboard and confirm that the application appears:
- https://api.wgcs.skyhigh.cloud/ztna/dashboard
For on-prem applications, verify that the PA host resolves to a 100.64.x.x IP address.
If the PA uses an IP address, ensure SCP bypass rules are not applied.

Host Not Resolvable

Cause: The Private Application is not configured or DNS resolution fails.

Workaround:

Verify that the connector can resolve the Private Application hostname.
Run DNS checks from the connector using CLI options.
If the application uses HTTP, try accessing it as HTTPS from the browser.

No Route Found to This Private Application

Cause:

The connector associated with the application host is down, or
The connector cannot update routes to the PoP, or
The PA Gateway cannot update routes to the Global PoP.

Workaround:

Verify connector health on the Secure App Connector page.
Log in to the TCP connector pod using CLI option #4, type Bash, and press Enter, and ensure the health update reaches the UP state.
Log in to the SSE UI and check the Analytics > Private Access > Private Applications page.
Log in to the gateway and review:
- /var/log/debug.log
- /var/log/error.log
Confirm that the Global Gateway PoP is reachable.

Cannot Access Private Application – Not Resolvable

Cause: The connector cannot resolve the Private Application.

Workaround:

Verify DNS resolution from the connector.
Test access from the connector: curl --noproxy "*" -vk https://<appname>.com
For SSH-based applications: curl --noproxy "*" -vk https://appname.com:22 or attempt SSH access from the connector.

Cannot Access Private Application – Not Reachable

Failure Description: The connector resolves the host to an IP address, but the IP or port is unreachable.

Cause: The connector cannot reach the Private Application endpoint.

Workaround:

Verify DNS resolution from the connector.
Test application access from the connector:: curl --noproxy "*" -vk https://<appname>.com
For SSH-based applications: curl --noproxy "*" -vk https://appname.com:22 or attempt SSH access from the connector or "nc -vz paapp.com 22" for non web apps.

Bad Gateway – Proxy Did Not Receive a Valid Response in Time

Cause:

The connector cannot reach the Private Application, or
The PA uses SmartMatch or multiport configuration and not all connectors can reach the application.

Workaround:

Test application reachability from the connector: curl --noproxy "*" -vk https://<appname>.com
If SmartMatch or multiport is configured, ensure all connectors can access the application.
Check OpenVPN tunnel stability on the connector.
Review Grafana logs or /skyhigh/mount/logs/openvpn_client-1.log for frequent tunnel resets.
Verify whether the PA Gateway PoP is under maintenance or down.
If traffic fails between the client-facing PoP and the PA Gateway PoP, check PoP health with Ops.

SSL Handshake Error – Handshake with Remote Server Failed

Failure Description: Connection refused from the ZTNA gateway or backend service.

Cause: The Cloud PoP may be down or unstable.

Workaround:

Check PoP status with the Operations team.
On the Connector CLI, run option #5 and collect diagnostic output.
On the Connector CLI, run option #6 and collect logs.

Cannot Connect – Proxy Could Not Connect to Destination in Time

Failure Description: Connection reset or cannot connect to the destination server.

Cause:

Connector tunnel resets or is down, or
SWG is down, or
The Private Application is not reachable.

Workaround:

Check whether a corporate firewall drops TCP sessions or tunnels.
Verify that the connector can resolve and reach the Private Application host.

SCP Client Tunnel Status: Failed to Connect (Phase 1 / Phase 2)

Cause: The client cannot reach the tunnel endpoint to establish a connection.

Workaround:

Verify connectivity to:
- connect.gateway.skyhigh.cloud
- traffic.gateway.skyhigh.cloud
Allow outbound traffic on:
- TCP 443
- UDP 443
Confirm that the corporate firewall does not block tunnel traffic.

Policy Issues

Challenge	Workaround
Private Applications Not Shown on PA Dashboard (Web Policy Tree Empty) The PA dashboard (`https://api.wgcs.skyhigh.cloud/ztna/dashboard`) is empty and does not list any Private Applications.	Cause: The Private Access section under Policy > Web Policy tree is empty. Workaround: Contact the Policy team. Verify that Private Access policies exist and are correctly configured in the Web Policy Tree.
Private Applications Not Shown on PA Dashboard (SCP Proxy Bypass) The PA dashboard (`https://api.wgcs.skyhigh.cloud/ztna/dashboard`) is empty and does not list any Private Applications.	Cause: The following domains or IP ranges are bypassed in the SCP Proxy Bypass policy: `api.wgcs.skyhigh.cloud` `100.64.0.0` `*.skyhigh.cloud` Workaround: Log in to the SSE UI. Open the SCP Proxy Bypass configuration. Remove the listed domains and IP ranges from the bypass list. Save the policy and apply changes.
Redirection to SAML Authentication Not Working Accessing `https://api.wgcs.skyhigh.cloud/ztna/dashboard` does not redirect to the SAML IdP login page. Instead, it redirects to the clientless access page requesting an email address.	Cause: One or more of the following conditions exist: SCP is not running or is unresponsive. The client machine time is out of sync. `api.wgcs.skyhigh.cloud` or `100.64.x.x` is configured in the SCP bypass list. SCP cannot connect to SWG on port 8080. DNS resolution on the SCP client fails and does not resolve to the nearest SWG (`161.69.x.x`). A proxy or firewall removes SCP headers. Workaround: Log in to the SSE tenant. Verify that the SCP policy does not include `api.wgcs.skyhigh.cloud` in the bypass list. Check whether the proxy or firewall blocks port 8080. Ping `c1234.wgcs.skyhigh.cloud` and confirm it resolves to a `161.69.x.x` IP address. Review proxy and firewall configurations for header stripping. Restart the SCP client. Open About Skyhigh Client Proxy and confirm the SCP policy name and revision are correct.
TLS Handshake Error 500 for RDP or SSH-Based Private Applications The Analytics PA Usage page shows a TLS handshake error 500 for RDP or SSH-based Private Applications.	Cause: The connector cannot reach the Private Application. Workaround: From a Windows machine, run a telnet test to the RDP application port and verify connectivity. From the SCP machine, run`curl` `-vk rdpapp:<port>` and check the response from SWG. Review `healthupdate.log` for RDP or SSH-related errors. Verify that valid routes exist for the RDP/SSH application in the ZTNA Gateway. Check for error codes associated with missing or incorrect routes.

SAML Login Issues

Challenge	Workaround
SAML Login Failure	Cause: SSE UI has misconfigured SAML attributes. Workaround: Open the SSE UI. Review all configured SAML attributes. Correct any mismatched or missing attributes.
Clientless Access Loops on Email Domain Page After SAML Authentication	Cause: The SAML User ID attribute does not match the email entered on the email domain page. Workaround: Open the browser Developer Tools. Capture the SAML response. Decode the response using a hex decoder. Identify the attribute used as the User ID. Ensure the User ID attribute matches the email value entered on the email domain page.
Clientless Access Loops on Email Domain Page and Does Not Redirect to IdP Login	Cause: The domain configured in Web Gateway SAML settings does not match the entered email domain. Workaround: Verify the domain configured in Web Gateway SAML settings. Use the same domain when configuring SAML in the tenant UI. Enter an email address that matches the configured domain. Example: If the domain is `sky.com`, use `abcd@sky.com`.
PA Dashboard Shows No Private Applications The PA dashboard (https://api.wgcs.skyhigh.cloud/ztna/dashboard) does not list any Private Applications.	Cause: No clientless applications are configured, or The User ID attribute in the SAML response does not match the configured value. Workaround: Open the browser Developer Tools. Capture and decode the SAML response. Identify the User ID attribute in the SAML response. Ensure the same attribute is configured in the tenant UI SAML settings.