NetFoundry - Support Playbook

In this article, we have tried to capture the common problems encountered by customers while operating the CloudZiti network. The troubleshooting steps, and support guides. The article also covers installation steps for NetFoundry edge such as endpoints, edge routers, etc. 

Installation:

Ziti Desktop Edge

This section includes support guides for the installation of ZDE for Windows and MAC and a troubleshooting guide to be followed for successful installation

Installing Ziti Desktop Edge on Windows

MAC Desktop Edge Installation

Ziti Edge Tunnel - 

https://support.netfoundry.io/hc/en-us/articles/20674069349773-How-to-Install-run-ziti-edge-tunneller-as-a-Service-on-Linux 

Edge Routers

Ubuntu Edge Router

Edge Router VM Sizing Guide

Register the Edge Router VM (Ubuntu) 

Troubleshooting guides / collecting logs: 

Troubleshooting Windows Desktop Edge

Troubleshooting Ziti Desktop Edge for MAC

Edge Routers - Creating a Virtual Machine Support Bundle for Technical Support

Collecting logs from ziti-edge-tunnel 

Known Problems & their resolution:

PROBLEM STATEMENT

ERROR MESSAGE / ISSUE ISOLATION

TROUBLESHOOTING STEPS

Zscaler app throws "Endpoint FW/AV Error" under the Service Status section when ZDE is turned on.   ▪ Open Ziti Desktop Edge > Main Menu > Advanced Settings > Tunnel Configuration > Edit Values > Change IPv4 Address from 100.64.0.1 / 10 to 100.100.0.1 / 16 ▪ Restart the services afterward.
ZDE - Unable to add identity token

mceclip0.png

ZDE uses the PowerShell in Windows, it has to be installed in the system and the path has to be set correctly

Troubleshooting Windows Desktop Edge

 

  Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers, Controller IPs/ Ports. Refer to firewall requirements.
Identity is missing from the endpoint UI

There is no identity in the WDE UI

In the logs - Service - ziti-tunneler.log file a similar log message as the below sample is observed

Request received to remove an identity
request to remove identity by fingerprint: f0a0ebe328ce9f931563698e21256bda48430356
disconnecting identity: NF_Suren_Test

This means that the user clicked on forget identity which removed the identity from the endpoint.

There is no identity in the WDE UI

The identity will be lost, if the antivirus installed in the user's laptop deletes the json file in path C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry

Disable Laptop anti-virus and check if the restart still removes the identity.

Windows ZDE did not update to the latest version.
 

Make sure access to the NetFoundry GitHub URL is not blocked

ZDE - Unable to access services






 

Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers IPs/ Ports. Refer to firewall requirements.

 

For server/service which is not accessible, check for the telnet access to the application server IP/port from the respective edge router hosting the service

 

The DNS resolution should happen with the ZITI connection-specific DNS Suffix [100.64.0.0].

  • In cmd prompt, #ipconfig /all check for ZitiTUN adapter and Ziti suffix, 100.64.0.0/10 is being assigned.
  • Check DNS resolution of a Ziti service hostname with DNS 100.64.0.1
 

APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified.

Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.

 

Check if the ZDE is on the latest version.

https://github.com/openziti/desktop-edge-win/releases/

 

 

C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry Open the file - >config.json in notepad++

Search for "AddDns"

Edit the value of "AddDns" to true

Save the config.json file

Restart the Ziti Service again

Check for Service accessibility

 

It is possible that the LAN IP addresses of the ISP used on the device running NetFoundry endpoint is overlapping with that of the service. The solution is to use different IPs for the service or change the ISP.

Services are not being listed on the Ziti Desktop Edge (older version).

 Check the version of the endpoint in the NF console

Please update to the latest version for the issue to resolve. 

Unable to access the services via name resolution.

Check if PowerShell is able to add a DNS entry using the below command on cmd prompt as administrator.

powershell -Command "Add-DnsClientNrptRule -Namespace '.ziti.test' -NameServers '100.64.0.2'

If you see the below error

chrome_ix0SrVKvV2.png

 

Update the windows version to latest and contact your IT support to fix the issue with PowerShell.

Posture Checks

This section includes support guides to enable and set up a Posture check for endpoints.

Create and Manage Posture Checks

Multi-Factor Authentication Posture Check - MFA has to be enabled in the endpoint only if the MFA posture check is applied on the AppWANs which the endpoint is a part of.

Problem troubleshooting

PROBLEM STATEMENT

ERROR MESSAGE 

TROUBLESHOOTING STEPS

Posture Check Failure Persistent warning sign on the Ziti Desktop Edge.

APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified.

Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.

Ziti Linux Tunneler - Unable to access the services

JWPoXkySky.pngchrome_j6y1urCDlw.png

Check if the endpoint is failing the posture check using the logs. Logs can be collected using the below article

https://support.netfoundry.io/hc/en-us/articles/6433745330957-Collecting-Logs-ziti-edge-tunnel-Linux-Tunneler-

APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified.

Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.

 

Ziti-Edge-Tunneller in docker-compose is unable to resolve to the DNS 100.64.0.x

 

Moving the 127.0.0.53 to the first position in /etc/resolve.conf should force the system to use the ziti resolver first.

Multi-Factor Authentication [MFA] - Unable to get past MFA authentication after the MFA code is keyed in.





 
Check if your PC firewall/ Security apps block access to the controller. Get the controller URL under Network, by clicking the ZDE identity.
To check the reachability of the controller please use the below command from Bash. Replace with actual URL
$ time curl -sk https://5a2c8944-f309-4e98-967f-3e039a0270d5.production.netfoundry.io:443
 
Below is the guide for troubleshooting google authenticator-related issues.
 
Resync your Windows machine to the time server by following the steps laid out here
 

Org/ Network Admin users can reset MFA for endpoints in the endpoints section of the console. This will bring up a new MFA setup for the endpoint in the ZDE identity.

Authenticating MFA returns an error: "Provided code could not be verified."

The time isn't correctly synced on your Google Authenticator app. Please sync by following the steps here: https://support.google.com/accounts/answer/185834?hl=en 

The time on the mobile device that use to authenticate the MFA should be in sync with the time on the controller. The time sync can be checked using the URL https://time.is/ 

 

 

 

 

 

Was this article helpful?
1 out of 1 found this helpful