NetFoundry - Support Playbook

In this article, we have tried to capture the common problems encountered by customers, the troubleshooting steps, and support guides. The article also covers installation steps for NetFoundry edge such as endpoints, edge routers, etc. 

Installation:

Ziti Desktop Edge

This section includes support guides for the installation of ZDE for Windows and MAC and a troubleshooting guide to be followed for successful installation

Installing Ziti Desktop Edge on Windows

MAC Desktop Edge Installation

Edge Routers

Ubuntu Edge Router

Edge Router VM Sizing Guide

Register the Edge Router VM (Ubuntu) 

Collecting Logs - Customer Hosted Edge Router

Troubleshooting guides: 

Troubleshooting Windows Desktop Edge

Troubleshooting Ziti Desktop Edge for MAC

Edge Routers - Creating a Virtual Machine Support Bundle for Technical Support

Known Problems & their resolution:

PROBLEM STATEMENT

ERROR MESSAGE / ISSUE ISOLATION

TROUBLESHOOTING STEPS

Zscaler app throws "Endpoint FW/AV Error" under the Service Status section when ZDE is turned on.   ▪ Open Ziti Desktop Edge > Main Menu > Advanced Settings > Tunnel Configuration > Edit Values > Change IPv4 Address from 100.64.0.1 / 10 to 100.100.0.1 / 16 ▪ Restart the services afterward.
ZDE - Unable to add identity token

mceclip0.png

ZDE uses the PowerShell in Windows, it has to be installed in the system and the path has to be set correctly

Troubleshooting Windows Desktop Edge

 

  Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers, Controller IPs/ Ports. Refer to firewall requirements.
Identity is missing from the endpoint UI

There is no identity in the WDE UI

In the logs - Service - ziti-tunneler.log file a similar log message as the below sample is observed

Request received to remove an identity
request to remove identity by fingerprint: f0a0ebe328ce9f931563698e21256bda48430356
disconnecting identity: NF_Suren_Test

This means that the user clicked on forget identity which removed the identity from the endpoint.

There is no identity in the WDE UI

The identity will be lost, if the antivirus installed in the user's laptop deletes the json file in path C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry

Disable Laptop anti-virus and check if the restart still removes the identity.

Windows ZDE did not update to the latest version.
 

Make sure access to the NetFoundry GitHub URL is not blocked

ZDE - Unable to access services





 

Ensure that Co-existing solutions[e.g. Zscaler policies], Windows Firewall does not block NetFoundry Hosted Edge routers IPs/ Ports. Refer to firewall requirements.

 

For server/service which is not accessible, check for the telnet access to the application server IP/port from the respective edge router hosting the service

 

The DNS resolution should happen with the ZITI connection-specific DNS Suffix [100.64.0.0].

  • In cmd prompt, #ipconfig /all check for ZitiTUN adapter and Ziti suffix, 100.64.0.0/10 is being assigned.
  • Check DNS resolution of a Ziti service hostname with DNS 100.64.0.1
 

APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified.

Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.

 

Check if the ZDE is on the latest version.

https://github.com/openziti/desktop-edge-win/releases/

 

 

C:\Windows\System32\config\systemprofile\AppData\Roaming\NetFoundry Open the file - >config.json in notepad++

Search for "AddDns"

Edit the value of "AddDns" to true

Save the config.json file

Restart the Ziti Service again

Check for Service accessibility

Services are not being listed on the Ziti Desktop Edge (older version).

 Check the version of endpoint in the NF console

Please update to the latest version for the issue to resolve.

 

Posture Checks

This section includes support guides to enable and set up a Posture check for endpoints.

Create and Manage Posture Checks

Multi-Factor Authentication Posture Check - MFA has to be enabled in the endpoint only if the MFA posture check is applied on the AppWANs which the endpoint is a part of.

Problem troubleshooting

PROBLEM STATEMENT

ERROR MESSAGE 

TROUBLESHOOTING STEPS

Posture Check Failure Persistent warning sign on the Ziti Desktop Edge.

APPWAN configuration and Posture Check compatibility [Posture Check Failure] has to be verified.

Click on the 'Endpoint' --> Data to view the posture data. The posture data should reflect all the posture checks applied on the AppWANs which the endpoint is a part of.

Multi-Factor Authentication [MFA] - Unable to get past MFA authentication after the MFA code is keyed in.




 
Check if your PC firewall/ Security apps block access to the controller. Get the controller URL under Network, by clicking the ZDE identity.
To check the reachability of the controller please use the below command from Bash. Replace with actual URL
$ time curl -sk https://5a2c8944-f309-4e98-967f-3e039a0270d5.production.netfoundry.io:443
 
Below is the guide for troubleshooting google authenticator-related issues.
 
Resync your Windows machine to the time server by following the steps laid out here
 

Org/ Network Admin users can reset MFA for endpoints in the endpoints section of the console. This will bring up a new MFA setup for the endpoint in the ZDE identity.

Authenticating MFA returns an error: "Provided code could not be verified."

The time isn't correctly synced on your Google Authenticator app. Please sync by following the steps here: https://support.google.com/accounts/answer/185834?hl=en 

 

 

 

 

 

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.