This guide helps you quickly identify and fix common Skyhigh Private Access issues across connectors, clients, policies, and SAML authentication, so you can restore secure access to private applications with minimal disruption.
Connector Issues
| Challenge |
Workaround |
|
Secure App Connector Page – Status: Unreachable
|
Cause: TCP and UDP connectors’ tunnels are down.
Workaround:
- Log in to Connector CLI.
- Check Tunnel status using option #2.
- Run Diagnostics using option #5 and verify that all checks pass.
|
| Secure App Connector Page – Status: Critical |
Cause: TCP or UDP connection among PA connectors is down.
Workaround.
- Log in to Connector CLI.
- Check Tunnel status using option #2.
- Run Diagnostics using option #5 and verify that all checks pass.
|
|
CLI Tunnel Status
Symptom:
- Not connected to Gateway (TCP)
- Wiredguard Tunnel not connected (UDP)
|
Cause. The connection between the Connector and the PA-Gateway (PoP) is broken.
Workaround.
- Confirm that the Prerequisites are followed and the On-prem firewall allows traffic to the PA-Gateway.
- TCP port 443
- UDP port 443
- Log in to the respective pods using option #4 > e- > t/u, then type Bash and press Enter.
- For TCP Connector:
- Run the command
curl -v -k https://pa-wgcs.skyhigh.cloud:443
- Verify output: 200 Connection Established.
- Check Logs:
- tail -f /skyhigh/mount/logs/openvpn_client-1.log
- tail -f /skyhigh/mount/logs/postRegistration.log
- Look for errors.
- For UDP Connector:
- Run the command and verify if the connection is established (200 Connection Established.)
curl -v -k https://conect.pa-wgcs.skyhigh.cloud:443
- Run the command and verify if the status is open:
nmap -Pn -sU -p 443 traffic.pa-gateway.skyhigh.cloud
- Execute restart-scs.
- Check logs:
- tail -f /skyhigh/mount/logs/debug.log
- tail -f /skyhigh/mount/logs/postRegistration.log
|
Pods in InvalidImageName status
 |
Cause: Intermittent network connectivity prevents pod initialization.
Workaround:
- Log in to Connector CLI, choose option #4.
- Wait ~30 seconds for pods to initialize.
|
Pods in Unknown status
Description: MountVolume.Setup fails for volume or secret cache timeout.
 |
Cause: VM host is down for >24 hours, causing ECR token expiry.
Workaround: Deploy the connector on a fresh VM host. |
| Installation Failures (IAM not reachable, wrong DNS, invalid proxy, duplicate configs) |
Cause: Connector deployment script received invalid data or failed to reach required endpoints.
Workaround:
- For ESX: Redeploy connector on the same host after resolving issues.
- For others: Redeploy the connector on a fresh host.
|
Client Issues
| Challenge |
Workaround |
SCP Window Shows PA Status: Not Connected
|
Cause: The client cannot establish outbound connectivity on port 8080 or 443.
Workaround:
- Open a command prompt on the client.
- Test connectivity to the proxy:
telnet cxxxxxx.wgcs.skyhigh.cloud 8080telnet cxxxxxx.wgcs.skyhigh.cloud 443
- Use the configured secure channel port.
- Verify that the firewall allows outbound traffic on the required ports.
|
This Site Can’t Be Reached When Accessing a Private Application
 |
Cause: The application is not configured as a Private Application in the SSE UI.
Workaround:
- Add the application under SSE UI > Private Access > Private Applications.
- Confirm that the SCP policy revision on the client matches the SSE UI revision.
- Open About Skyhigh Client Proxy and verify that PA status shows Connected.
- Access the PA dashboard and confirm that the application appears:
https://api.wgcs.skyhigh.cloud/ztna/dashboard
- For on-prem applications, verify that the PA host resolves to a
100.64.x.x IP address.
- If the PA uses an IP address, ensure SCP bypass rules are not applied.
|
Host Not Resolvable
 |
Cause: The Private Application is not configured or DNS resolution fails.
Workaround:
- Verify that the connector can resolve the Private Application hostname.
- Run DNS checks from the connector using CLI options.
- If the application uses HTTP, try accessing it as HTTPS from the browser.
|
No Route Found to This Private Application
 |
Cause:
- The connector associated with the application host is down, or
- The connector cannot update routes to the PoP, or
- The PA Gateway cannot update routes to the Global PoP.
Workaround:
- Verify connector health on the Secure App Connector page.
- Log in to the TCP connector pod using CLI option #4, type Bash, and press Enter, and ensure the health update reaches the UP state.
- Log in to the SSE UI and check the Analytics > Private Access > Private Applications page.
- Log in to the gateway and review:
- /var/log/debug.log
- /var/log/error.log
- Confirm that the Global Gateway PoP is reachable.
|
Cannot Access Private Application – Not Resolvable
 |
Cause: The connector cannot resolve the Private Application.
Workaround:
- Verify DNS resolution from the connector.
- Test access from the connector: curl --noproxy "*" -vk https://<appname>.com
- For SSH-based applications: curl --noproxy "*" -vk https://appname.com:22 or attempt SSH access from the connector.
|
|
Cannot Access Private Application – Not Reachable
Failure Description: The connector resolves the host to an IP address, but the IP or port is unreachable.
|
Cause: The connector cannot reach the Private Application endpoint.
Workaround:
- Verify DNS resolution from the connector.
- Test application access from the connector:: curl --noproxy "*" -vk https://<appname>.com
- For SSH-based applications: curl --noproxy "*" -vk https://appname.com:22 or attempt SSH access from the connector or "nc -vz paapp.com 22" for non web apps.
|
Bad Gateway – Proxy Did Not Receive a Valid Response in Time
 |
Cause:
- The connector cannot reach the Private Application, or
- The PA uses SmartMatch or multiport configuration and not all connectors can reach the application.
Workaround:
- Test application reachability from the connector:
curl --noproxy "*" -vk https://<appname>.com
- If SmartMatch or multiport is configured, ensure all connectors can access the application.
- Check OpenVPN tunnel stability on the connector.
- Review Grafana logs or /skyhigh/mount/logs/openvpn_client-1.log for frequent tunnel resets.
- Verify whether the PA Gateway PoP is under maintenance or down.
- If traffic fails between the client-facing PoP and the PA Gateway PoP, check PoP health with Ops.
|
|
SSL Handshake Error – Handshake with Remote Server Failed
Failure Description: Connection refused from the ZTNA gateway or backend service.
|
Cause: The Cloud PoP may be down or unstable.
Workaround:
- Check PoP status with the Operations team.
- On the Connector CLI, run option #5 and collect diagnostic output.
- On the Connector CLI, run option #6 and collect logs.
|
|
Cannot Connect – Proxy Could Not Connect to Destination in Time
Failure Description: Connection reset or cannot connect to the destination server.
|
Cause:
- Connector tunnel resets or is down, or
- SWG is down, or
- The Private Application is not reachable.
Workaround:
- Check whether a corporate firewall drops TCP sessions or tunnels.
- Verify that the connector can resolve and reach the Private Application host.
|
SCP Client Tunnel Status: Failed to Connect (Phase 1 / Phase 2)
|
Cause: The client cannot reach the tunnel endpoint to establish a connection.
Workaround:
- Verify connectivity to:
- connect.gateway.skyhigh.cloud
- traffic.gateway.skyhigh.cloud
- Allow outbound traffic on:
- Confirm that the corporate firewall does not block tunnel traffic.
|
Policy Issues
| Challenge |
Workaround |
Private Applications Not Shown on PA Dashboard (Web Policy Tree Empty)
The PA dashboard (https://api.wgcs.skyhigh.cloud/ztna/dashboard) is empty and does not list any Private Applications. |
Cause: The Private Access section under Policy > Web Policy tree is empty.
Workaround:
- Contact the Policy team.
- Verify that Private Access policies exist and are correctly configured in the Web Policy Tree.
|
Private Applications Not Shown on PA Dashboard (SCP Proxy Bypass)
The PA dashboard (https://api.wgcs.skyhigh.cloud/ztna/dashboard) is empty and does not list any Private Applications. |
Cause:
The following domains or IP ranges are bypassed in the SCP Proxy Bypass policy:
api.wgcs.skyhigh.cloud100.64.0.0*.skyhigh.cloud
Workaround:
- Log in to the SSE UI.
- Open the SCP Proxy Bypass configuration.
- Remove the listed domains and IP ranges from the bypass list.
- Save the policy and apply changes.
|
|
Redirection to SAML Authentication Not Working
Accessing https://api.wgcs.skyhigh.cloud/ztna/dashboard does not redirect to the SAML IdP login page. Instead, it redirects to the clientless access page requesting an email address.
|
Cause:
One or more of the following conditions exist:
- SCP is not running or is unresponsive.
- The client machine time is out of sync.
api.wgcs.skyhigh.cloud or 100.64.x.x is configured in the SCP bypass list.- SCP cannot connect to SWG on port 8080.
- DNS resolution on the SCP client fails and does not resolve to the nearest SWG (
161.69.x.x).
- A proxy or firewall removes SCP headers.
Workaround:
- Log in to the SSE tenant.
- Verify that the SCP policy does not include
api.wgcs.skyhigh.cloud in the bypass list.
- Check whether the proxy or firewall blocks port 8080.
- Ping
c1234.wgcs.skyhigh.cloud and confirm it resolves to a 161.69.x.x IP address.
- Review proxy and firewall configurations for header stripping.
- Restart the SCP client.
- Open About Skyhigh Client Proxy and confirm the SCP policy name and revision are correct.
|
TLS Handshake Error 500 for RDP or SSH-Based Private Applications
The Analytics PA Usage page shows a TLS handshake error 500 for RDP or SSH-based Private Applications. |
Cause: The connector cannot reach the Private Application.
Workaround:
- From a Windows machine, run a telnet test to the RDP application port and verify connectivity.
- From the SCP machine, run
curl -vk rdpapp:<port> and check the response from SWG.
- Review
healthupdate.log for RDP or SSH-related errors.
- Verify that valid routes exist for the RDP/SSH application in the ZTNA Gateway.
- Check for error codes associated with missing or incorrect routes.
|
SAML Login Issues
| Challenge |
Workaround |
| SAML Login Failure |
Cause: SSE UI has misconfigured SAML attributes.
Workaround:
- Open the SSE UI.
- Review all configured SAML attributes.
- Correct any mismatched or missing attributes.
|
| Clientless Access Loops on Email Domain Page After SAML Authentication |
Cause: The SAML User ID attribute does not match the email entered on the email domain page.
Workaround:
- Open the browser Developer Tools.
- Capture the SAML response.
- Decode the response using a hex decoder.
- Identify the attribute used as the User ID.
- Ensure the User ID attribute matches the email value entered on the email domain page.
|
| Clientless Access Loops on Email Domain Page and Does Not Redirect to IdP Login |
Cause: The domain configured in Web Gateway SAML settings does not match the entered email domain.
Workaround:
- Verify the domain configured in Web Gateway SAML settings.
- Use the same domain when configuring SAML in the tenant UI.
- Enter an email address that matches the configured domain.
- Example: If the domain is
sky.com, use abcd@sky.com.
|
PA Dashboard Shows No Private Applications
The PA dashboard (https://api.wgcs.skyhigh.cloud/ztna/dashboard) does not list any Private Applications. |
Cause:
- No clientless applications are configured, or
- The User ID attribute in the SAML response does not match the configured value.
Workaround:
- Open the browser Developer Tools.
- Capture and decode the SAML response.
- Identify the User ID attribute in the SAML response.
- Ensure the same attribute is configured in the tenant UI SAML settings.
|
