In this article, we have tried to capture the common problems encountered by customers while operating the CloudZiti network. The troubleshooting steps, and support guides. The article also covers installation steps for NetFoundry edge such as endpoints, edge routers, etc.
Installation:
Ziti Desktop Edge
This section includes support guides for the installation of ZDE for Windows and MAC and a troubleshooting guide to be followed for successful installation
Installing Ziti Desktop Edge on Windows
Ziti Edge Tunnel -
Edge Routers
Register the Edge Router VM (Ubuntu)
Troubleshooting guides / collecting logs:
Troubleshooting Windows Desktop Edge
Troubleshooting Ziti Desktop Edge for MAC
Edge Routers - Creating a Virtual Machine Support Bundle for Technical Support
Collecting logs from ziti-edge-tunnel
Known Problems & their resolution:
PROBLEM STATEMENT |
ERROR MESSAGE / ISSUE ISOLATION |
TROUBLESHOOTING STEPS |
Zscaler app throws "Endpoint FW/AV Error" under the Service Status section when ZDE is turned on. | ▪ Open Ziti Desktop Edge > Main Menu > Advanced Settings > Tunnel Configuration > Edit Values > Change IPv4 Address from 100.64.0.1 / 10 to 100.100.0.1 / 16 ▪ Restart the services afterward. | |
ZDE - Unable to add identity token |
ZDE uses the PowerShell in Windows, it has to be installed in the system and the path has to be set correctly Troubleshooting Windows Desktop Edge
|
|
Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers, Controller IPs/ Ports. Refer to firewall requirements. | ||
Identity is missing from the endpoint UI |
There is no identity in the WDE UI In the logs - Service - ziti-tunneler.log file a similar log message as the below sample is observed Request received to remove an identity |
This means that the user clicked on forget identity which removed the identity from the endpoint. |
There is no identity in the WDE UI |
The identity will be lost, if the antivirus installed in the user's laptop deletes the json file in path C:\Windows\System32\config\ Disable Laptop anti-virus and check if the restart still removes the identity. |
|
Windows ZDE did not update to the latest version. |
Make sure access to the NetFoundry GitHub URL is not blocked |
|
ZDE - Unable to access services |
Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers IPs/ Ports. Refer to firewall requirements. |
|
For server/service which is not accessible, check for the telnet access to the application server IP/port from the respective edge router hosting the service |
||
The DNS resolution should happen with the ZITI connection-specific DNS Suffix [100.64.0.0].
|
||
APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified. Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of. |
||
Check if the ZDE is on the latest version. |
||
|
C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry Open the file - >config.json in notepad++ Search for "AddDns" Edit the value of "AddDns" to true Save the config.json file Restart the Ziti Service again Check for Service accessibility |
|
|
It is possible that the LAN IP addresses of the ISP used on the device running NetFoundry endpoint is overlapping with that of the service. The solution is to use different IPs for the service or change the ISP. |
|
Services are not being listed on the Ziti Desktop Edge (older version). |
Check the version of the endpoint in the NF console |
Please update to the latest version for the issue to resolve. |
Unable to access the services via name resolution. |
Check if PowerShell is able to add a DNS entry using the below command on cmd prompt as administrator. powershell -Command "Add-DnsClientNrptRule -Namespace '.ziti.test' -NameServers '100.64.0.2' If you see the below error
|
Update the windows version to latest and contact your IT support to fix the issue with PowerShell. |
Posture Checks
This section includes support guides to enable and set up a Posture check for endpoints.
Create and Manage Posture Checks
Multi-Factor Authentication Posture Check - MFA has to be enabled in the endpoint only if the MFA posture check is applied on the AppWANs which the endpoint is a part of.
Problem troubleshooting
PROBLEM STATEMENT |
ERROR MESSAGE |
TROUBLESHOOTING STEPS |
Posture Check Failure | Persistent warning sign on the Ziti Desktop Edge. |
APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified. Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of. |
Ziti Linux Tunneler - Unable to access the services |
Check if the endpoint is failing the posture check using the logs. Logs can be collected using the below article APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified. Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.
|
|
Ziti-Edge-Tunneller in docker-compose is unable to resolve to the DNS 100.64.0.x |
|
Moving the 127.0.0.53 to the first position in /etc/resolve.conf should force the system to use the ziti resolver first. |
Multi-Factor Authentication [MFA] - Unable to get past MFA authentication after the MFA code is keyed in. |
Check if your PC firewall/ Security apps block access to the controller. Get the controller URL under Network, by clicking the ZDE identity.
To check the reachability of the controller please use the below command from Bash. Replace with actual URL $ time curl -sk https://5a2c8944-f309-4e98-967f-3e039a0270d5.production.netfoundry.io:443 |
|
Below is the guide for troubleshooting google authenticator-related issues.
|
||
Resync your Windows machine to the time server by following the steps laid out here
|
||
Org/ Network Admin users can reset MFA for endpoints in the endpoints section of the console. This will bring up a new MFA setup for the endpoint in the ZDE identity. |
||
Authenticating MFA returns an error: "Provided code could not be verified." |
The time isn't correctly synced on your Google Authenticator app. Please sync by following the steps here: https://support.google.com/accounts/answer/185834?hl=en |
|
The time on the mobile device that use to authenticate the MFA should be in sync with the time on the controller. The time sync can be checked using the URL https://time.is/ |