[ZTA] Standard Checking for Troubleshooting

Items to Check (Depending on the possible cause of the issue): 

  1. App Gateway logs
  2. Docker-related logs
  3. OS-related logs
  4. SAN certificate
  5. Connectivity
  6. Browser trace (for issues related to the portal, either user portal or admin portal)
  7. Agent-related logs (for issues related to the Safous agent and network applications)

App Gateway Logs

There are two ways to retrieve App Gateway logs:
  1. Console output
    1. Log in to App Gateway server via SSH.
    2. Run the following command: docker logs -f config-idac-1 (or config_idac_1).

Note: These logs are not persistent and are only available since the last container reboot.

  2. File output
    1. Log in to App Gateway server via SSH
    2. Identify the container ID of config-idac-1 (or config_idac_1): docker inspect config-idac-1
    3. Retrieve logs from /var/lib/docker/containers/<container_id>/<container_id>-json.log

Note: This file contains logs from the container's entire lifecycle. If it's too large, use grep to filter relevant logs:

grep "keyword" /var/lib/docker/containers/<container_id>/<container_id>-json.log


Docker-Related Logs and Settings

  1. Check running containers:
    • docker ps
  2. Check container images:
    • docker images
  3. Check Docker Compose file:
    • cat /etc/cyolo/config/docker-compose.yml
  4. Check Docker logs:
    • journalctl -xu docker.service

OS-related Logs

  1. Check OS version:
    • cat /etc/*release*
  2. Check OS firewall status:
    • ufw status
  3. Check machine resources:
    • df -h
    • lsblk
    • free -m
    • cat /proc/cpuinfo
  4. Check system time:
    • date
    • timedatectl
    • ntpq -pn
  5. Check scheduled tasks (Crontab):
    1. sudo crontab -l
    2. cat /var/log/cron.log

Known Issue: MFA to user portal will not function properly if the App Gateway server is not synchronized with the NTP server.


SAN Certificate

  1. Check certificate content:
    • openssl x509 -in /etc/cyolo/certs/cert.pem -text -noout
    • openssl x509 -in /etc/safous/certs/cert.pem -text -noout
  2. Check certificate file information:
    • ls -lha /etc/cyolo/certs
    • ls -lha /etc/safous/certs
  3. Check script to renew certificate:
    • cat /etc/safous/tools/certbot-renew.sh
    • (optional) try to renew the certificate by running the script: sudo bash /etc/safous/tools/certbot-renew.sh

Note: Verify that the certificate's DNS value is *.<tenant name>.ztna.safous.com (or .cn for China tenant) and that the certificate is not expired.
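
The SAN and expiry verification described in the note above can be scripted as follows. This is an added example, not Safous tooling; the function names, the tenant name "acme", the 14-day warning window and the sample certificate text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Safous tooling. Function names, tenant "acme", the 14-day
# default window and SAMPLE_TEXT are assumptions constructed for illustration.

# Print each SAN entry on its own line; stdin is `openssl x509 -text -noout` output.
san_entries() {
    awk '/X509v3 Subject Alternative Name/ {
             getline                          # entries are on the next line
             gsub(/^[ \t]+|[ \t]+$/, "")
             n = split($0, e, /,[ \t]*/)
             for (i = 1; i <= n; i++) print e[i]
         }'
}

# Succeed only if one entry is exactly *.<tenant>.ztna.safous.<tld>. The match is
# a whole-line fixed string, so a longer name containing that text does not pass.
san_has_wildcard() {    # usage: san_has_wildcard TENANT [com|cn] < cert-text
    san_entries | grep -Fxq "DNS:*.$1.ztna.safous.${2:-com}"
}

# Check a PEM file. Returns 0 ok, 1 SAN mismatch, 2 unreadable, 3 expiring.
check_cert() {          # usage: check_cert FILE TENANT [TLD] [DAYS]
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    openssl x509 -in "$1" -text -noout | san_has_wildcard "$2" "${3:-com}" \
        || { echo "no SAN entry *.$2.ztna.safous.${3:-com}" >&2; return 1; }
    # -checkend N exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$1" -noout -checkend "$(( ${4:-14} * 86400 ))" >/dev/null \
        || { echo "expired or expiring within ${4:-14} days" >&2; return 3; }
    echo "OK: $1"
}

# Constructed excerpt of certificate text for a tenant named "acme".
SAMPLE_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.acme.ztna.safous.com, DNS:acme.ztna.safous.com'

# With arguments, check a real file, e.g.
#   sh check_cert.sh /etc/safous/certs/cert.pem <tenant name>
# Without arguments, list the SAN entries of the constructed sample.
if [ "$#" -ge 2 ]; then
    check_cert "$@"
else
    printf '%s\n' "$SAMPLE_TEXT" | san_entries
fi
```

For a China tenant, pass cn as the third argument so the .cn name is checked instead of .com.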


Connectivity

  • Check the connectivity from App Gateway server to Safous' cloud components (repository, POP, certificate generator)
    • ping -c 10 repo.safous.com
    • telnet repo.safous.com 443
    • dig tcp.ztna.safous.com
    • openssl s_client -connect <dig result of tcp.ztna.safous.com>:443 -servername tcp.ztna.safous.com 
    • telnet cert-gen.ztna.safous.com 443


Browser Trace (HAR file)

  1. Open Browser Developer Tools (DevTools).
  2. Perform the browser operation that reproduces the issue.
  3. Save the HAR file.

For a detailed guide on capturing and saving a browser trace, refer to:

https://support.safous.com/kb/zta-capture-a-browser-trace-for-troubleshooting

Agent-related Logs

  1. For Agent Version 1.6.x and later:
    1. Click the Safous Agent icon.
    2. Export logs by clicking Export System Logs.
    3. Compress the saved logs into a .zip file.
    4. Send the compressed file to Safous support.
  2. For earlier versions:
    1. Open Windows Event Viewer
      • Select Start, type Event Viewer, and press Enter.
    2. Navigate to Windows Logs > Application.
    3. Filter the logs to show only Safous-related entries.
    4. Compress the saved logs into a .zip file.
    5. Send the compressed file to Safous support.