03/26/2020
SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 1
This article provides general troubleshooting instructions and discusses the troubleshooting tools available in the Appliance Management Console (AMC). A failure in core networking services (such as DHCP, DNS, or WINS) will cause unpredictable failures.
The User Sessions page in AMC can be used to monitor, troubleshoot, or terminate sessions on your appliance or HA pair of appliances. You can sort through the summary of session details and, if needed, display details on how a device was classified, and why. About 24 hours' worth of data is kept; even items that have been deleted or modified are displayed. See Viewing User Access and Policy Details in the SMA 11.3 Administration Guide.
Topics in Part 1 will cover:
General Networking Issues
These troubleshooting tips for networking issues are grouped by type of solution. Before using the ping utility, make sure that Enable ICMP pings is enabled on the Configure Basic Network Settings page.
Troubleshooting tips for networking issues
Utility | Troubleshooting Tip |
Ping the external interface | Ping the external interface to verify the network connection. If you can ping a host's IPv4 or IPv6 address but not its fully qualified domain name, there is a problem with name resolution. You can issue the ping command from the command line or from within AMC; see Ping Command in AMC Administration Guide. |
Capture network traffic on the external interface | To verify that traffic is reaching the appliance and being returned, use the network traffic utility in AMC, which is based on tcpdump. You can send this network traffic data to Technical Support, or review it using a network protocol analyser like Wireshark. See Capturing Network Traffic in AMC Administration Guide for more information. |
Ping the network gateway(s) | Ping the external gateway and/or internal gateway. You can issue the ping command from the command line or from within AMC. For more information, see Ping Command in AMC Administration Guide. |
Use ping to test DNS | If you experience DNS problems, first determine whether client DNS resolution is working:
Pinging google.com [nnn.nnn.nnn.nnn]
If basic DNS functionality is available, the IP address in square brackets is resolved by DNS lookup, demonstrating that basic DNS is functioning at the client. If DNS is not available, the ping program will pause for a few seconds and then indicate that it could not find the host google.com. |
Try to use DNS to resolve the appliance host name | If you continue to experience DNS problems, determine whether DNS can resolve the appliance host name. Repeat the ping procedure described above but replace google.com with the host name of your appliance. If ping finds no address for your host name, troubleshoot the DNS server that should be serving that host name. Try working around client connection issues by replacing the host name with the IP address of the appliance's external interface. If ping finds an address for your host name, but no replies appear ("Request timed out"), ICMP echoes may be blocked at any hop between the client and the appliance. |
Clear the ARP | If you've recently assigned a new IP address to the appliance, be sure to clear the local Address Resolution Protocol (ARP) cache from network devices such as firewalls or routers. This ensures that these network devices are not using an old IP-to-MAC address mapping. |
Troubleshooting tips for networking issues: hardware
Hardware | Troubleshooting Tip |
Cables | Check all network cables to be sure you don't have a bad cable. |
Bypass the firewall | If you're using network address translation (NAT), you might be blocked by a firewall. Temporarily bypass the firewall by connecting a laptop to the appliance on the physical interface using a cable, and then verify network connectivity. If this type of connection is impractical, try placing your laptop on the same network segment as the external interface of the appliance (to get as close to the appliance as possible). |
Configure the switch port | If you experience network latency, such as slow SCP file copying or slow performance by the Web proxy or network tunnel service, the problem may be due to configuration differences between the appliance interface settings and the switch port settings. To resolve this problem, disable auto negotiation. Instead, configure the switch port to statically assign settings that match the appliance. You must check both switch ports and both appliance interface settings (internal and external, if applicable). If even one interface/switch port is mismatched, performance suffers. If you are experiencing network latency but your appliance/switch ports are configured correctly, the problem lies somewhere else in the network. It could also be an application-level issue (such as slow name resolution on the DNS server being accessed by the Web proxy or network tunnel service). |
Troubleshooting tips for networking issues: Third-party solutions
Third-party solutions | Troubleshooting Tip |
Verify that traffic is not being filtered out | Review the contents of the log file /var/log/kern.iptables while a connection attempt is failing. If packets are reaching the appliance but are being dropped or denied by iptables (a firewall running on the appliance), review the iptables ruleset by running the following command: iptables -L -n -v
Traffic that is filtered by iptables is logged but not forwarded to an external syslog server. |
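When reviewing /var/log/kern.iptables during a failing connection attempt, it helps to reduce the log to counts per source address, protocol and destination port. The script below is an added example, not part of the original article or the appliance software; it assumes the standard netfilter LOG layout (SRC=, PROTO=, DPT= tokens), and the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise netfilter LOG entries by source address, protocol and destination port.
# Assumption: entries use the standard kernel LOG layout (KEY=value tokens);
# the log prefix used on a given appliance may differ.

write_sample_log() {   # constructed sample lines, not real appliance output
    cat <<'EOF'
Mar 26 10:15:01 sma kernel: DROP IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=192.0.2.5 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=8443 SYN
Mar 26 10:15:02 sma kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=60 PROTO=TCP SPT=51515 DPT=8443 SYN
Mar 26 10:15:04 sma kernel: DROP IN=eth1 OUT= SRC=203.0.113.10 DST=192.0.2.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Mar 26 10:15:05 sma kernel: DROP IN=eth1 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 PROTO=UDP SPT=5353 DPT=53
Mar 26 10:15:06 sma kernel: eth1: link up
EOF
}

summarize_iptables_log() {
    # $1 = log file, $2 = optional client IP to restrict the summary to
    awk -v client="$2" '
    {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "") next                      # not a netfilter LOG line
        if (client != "" && src != client) next  # other clients filtered out
        if (dpt == "") dpt = "-"                 # ICMP carries no port
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# Demo on the constructed sample: what was logged for one failing client?
tmp=$(mktemp)
write_sample_log > "$tmp"
summarize_iptables_log "$tmp" 203.0.113.10
rm -f "$tmp"
```

On the appliance, pass /var/log/kern.iptables as the first argument and the failing client's address as the second, then compare the ports listed with the ruleset shown by iptables -L -n -v.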
Verify a Downloaded Upgrade File
You can use AMC to install version upgrades, as described in Upgrading, Rolling Back, or Resetting the System. To make sure that the update was successfully transferred to your local computer, compare its checksum against the one in the .md5 file you extracted from the .zip file.
To verify the MD5 checksum on your PC, use a Windows- or Java-based utility. Microsoft, for example, offers an unsupported command line utility on their site named File Checksum Integrity Verifier (FCIV):
To verify the downloaded file on a PC
fciv <upgrade_file>.bin
To verify the downloaded file on the appliance
md5sum <upgrade_file>.bin
cat <upgrade_file>.md5
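The md5sum and cat steps above leave the comparison to the eye. The function below, an added example that is not part of the original article, performs the comparison and tolerates a .md5 file saved with Windows line endings or an upper-case digest; the function name and the demo files are constructed, and it assumes the digest is the first token in the .md5 file.

```shell
#!/bin/sh
# Compare a downloaded file's MD5 digest with the value stored in its .md5 file.
# Assumption: the .md5 file holds the 32-hex-digit digest as its first token,
# either alone or in md5sum's "digest  filename" layout.

verify_md5() {
    # $1 = downloaded file, $2 = .md5 file
    # returns 0 on match, 1 on mismatch, 2 when the inputs cannot be used
    [ -r "$1" ] && [ -r "$2" ] || { echo "unreadable input" >&2; return 2; }
    expected=$(tr -d '\r' < "$2" | awk 'NF { print tolower($1); exit }')
    case "$expected" in
        *[!0-9a-f]*|"") echo "no MD5 digest found in $2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "digest in $2 is not 32 hex digits" >&2; return 2; }
    actual=$(md5sum "$1" | awk '{ print tolower($1) }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches $expected"
        return 0
    fi
    echo "MISMATCH: $1 is $actual, expected $expected" >&2
    return 1
}

# Constructed demo: a stand-in upgrade file and a Windows-style .md5 file.
d=$(mktemp -d)
printf 'constructed upgrade image\n' > "$d/upgrade.bin"
md5sum "$d/upgrade.bin" | awk '{ printf "%s\r\n", toupper($1) }' > "$d/upgrade.md5"
verify_md5 "$d/upgrade.bin" "$d/upgrade.md5"
printf 'x' >> "$d/upgrade.bin"    # simulate a corrupted transfer
verify_md5 "$d/upgrade.bin" "$d/upgrade.md5" || echo "transfer is corrupt, download again"
rm -rf "$d"
```

A match shows that the file was transferred intact; an MD5 comparison does not establish who produced the file.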
Troubleshooting Agent Provisioning (Windows)
Secure Endpoint Manager (SEM) is a component that provisions Windows users with EPC and access agents when they log in to WorkPlace. If something goes wrong during provisioning, the error is recorded in a client installation log (identified by username) that you can view in AMC.
To get to the App data folder, click Start -> Run, type in %appdata% and press Enter.
Here's a broad overview of the provisioning process. At steps (2) through (6), information is appended to a file named epiBoostrapper.log (stored in Documents and Settings\<username>\Application Data\Secure Mobile Access\LogFiles).
Provisioning process