SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 1
03/26/2020 
8 
12707
DESCRIPTION:
SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 1
This provides general troubleshooting instructions and discusses the troubleshooting tools available in the Appliance Management Console (AMC). Failure in core networking services (such as DHCP, DNS, or WINS) will cause unpredictable failures.
The User Sessions page in AMC can be used to monitor, troubleshoot or terminate sessions on your appliance or HA pair of appliances. You can sort through the summary of session details and, if needed, display details on how a device was classified, and why. About 24 hours worth of data is kept; even items that have been deleted or modified are displayed. See Viewing User Access and Policy Details in the SMA 11.3 Administration Guide.
SMA (Secure Mobile Access) Appliance Management Console Troubleshooting: Part 1
Topics in Part 1 will cover:
- General Networking Issues
- Verify a Downloaded Upgrade File
- Troubleshooting Agent Provisioning (Windows)
RESOLUTION:
General Networking Issues
These troubleshooting tips for networking issues are grouped by type of solution. Before using the ping utility, make sure that Enable ICMP pings is enabled on the Configure Basic Network Settings page.
Troubleshooting tips for networking issues
| Utility | Troubleshooting Tip |
| Ping the external interface | Ping the external interface to verify the network connection. If you can ping a host's IPv4 or IPv6 address but not its fully qualified domain name, there is a problem with name resolution. You can issue the ping command from the
command line or from within AMC, see the Ping Command in AMC Administration Guide |
Capture network traffic on the
external interface | To verify that traffic is reaching the appliance and being returned, use the network traffic utility in AMC, which is based on tcpdump. You can send this network traffic data to Technical Support, or review it using a network protocol analyser like Wireshark. See Capturing Network Traffic in AMC Administration Guide for more information. |
| Ping the network gateway(s) | Ping the external gateway and/or internal gateway. You can issue the ping command from the command line or from within AMC. For more information, see Ping Command in AMC Administration Guide |
| Use ping to test DNS | If you experience DNS problems, first determine whether client DNS resolution is working: - Make sure that the client machine has Internet access.
- At a DOS command prompt, type ping google.com. You should see
a response like this:
Pinging google.com [nnn.nnn.nnn.nnn] If basic DNS functionality is available, the IP address in square brackets is resolved by DNS lookup, demonstrating that basic DNS is functioning at the client. If DNS is not available, the ping program will pause for a few seconds and then indicate that it could not find the host google.com. |
Try to use DNS to resolve the
appliance host name | If you continue to experience DNS problems, determine whether DNS can resolve the appliance host name. Repeat the ping procedure described above but replace google.com with the host name of your appliance. If ping finds no address for your host name, troubleshoot the DNS server that should be serving that host name. Try working around client connection issues by replacing the host name with the IP address of the appliance's external interface. If ping finds an address for your host name, but no replies appear ("Request timed out "), ICMP echoes may be blocked at any hop between the client and the appliance. |
Clear the ARP | If you've recently assigned a new IP address to the appliance, be sure to clear the local Address Resolution Protocol (ARP) cache from network devices such as firewalls or routers. This ensures that these network devices are not using an old IP-to-MAC address mapping. |
Troubleshooting tips for networking issues: hardware
| Hardware | Troubleshooting Tip |
| Cables | Check all network cables to be sure you don't have a bad cable. |
| Bypass the firewall | If you're using network address translation (NAT), you might be blocked by a firewall. Temporarily bypass the firewall by connecting a laptop to the appliance on the physical interface using a cable, and then verify network connectivity. If this type of connection is impractical, try placing your laptop on the same network segment as the external interface of the appliance (to get as close to the appliance as possible). |
| Configure the switch port | If you experience network latency, such as slow SCP file copying or slow performance by the Web proxy or network tunnel service, the problem may be due to configuration differences between the appliance interface settings
and the switch ports to which the appliance is connected. It's possible for a switch to improperly detect duplex-mode settings (for example, the appliance is configured at full duplex but the switch detects half duplex). has documented such problems with its switches. To resolve this problem, disable auto negotiation. Instead, configure the switch port to statically assign settings that match the appliance. You must check both switch ports and both appliance interface settings (internal and external, if applicable). If even one interface/switch port is mismatched, performance suffers. If you are experiencing network latency but your appliance/switch ports are configured correctly, the problem lies somewhere else in the network. It could also be an application-level issue (such as slow name resolution on the DNS server being accessed by the Web proxy or network tunnel service). |
Troubleshooting tips for networking issues: Third-party solutions
| Third-party solutions | Troubleshooting Tip |
Verify that traffic is not being
filtered out | Review the contents of the log file /var/log/kern.iptables while a connection attempt is failing. If packets are reaching the appliance but are being dropped or denied by iptables (a firewall running on the appliance), review the iptables ruleset by running the following command: iptables -L -n -v Traffic that is filtered by iptables is logged but not forwarded to an external syslog server. |
Verify a Downloaded Upgrade File
You can use AMC to install version upgrades, as described in Upgrading, Rolling Back, or Resetting the System. To make sure that the update was successfully transferred to your local computer, compare its checksum against the one in the .md5 file you extracted from the .zip file.
To verify the MD5 checksum on your PC, use a Windows- or Java-based utility. Microsoft, for example, offers an unsupported command line utility on their site named File Checksum Integrity Verifier (FCIV):
To verify the downloaded file on a PC
- At the DOS command prompt, type the following, which returns a checksum for the downloaded file:
fciv .bin
- Open the associated .md5 file (which you downloaded from the MySonicWall Web site) using Notepad or another text editor:
notepad .bin.md5
- Compare the two check sums. If they match, you can safely continue with your update. If they differ, try the download again and compare the resulting check sums. If they still don't match, contact Technical Support.
To verify the downloaded file on the appliance
- Type the following command, which returns a checksum for the downloaded file:
md5sum .bin
- Open the associated .md5 file:
cat .md5
- Compare the two checksums.
Troubleshooting Agent Provisioning
(Windows)
Secure Endpoint Manager (SEM) is a component that provisions Windows users with EPC and access agents when they log in to WorkPlace. If something goes wrong during provisioning, the error is recorded in a client installation log (identified by username) that you can view in AMC.
To get to the App data folder, click Start -> Run, type in %appdata% and press Enter.
Here's a broad overview of the provisioning process. At steps (2) through (6), information is appended to a file named epiBoostrapper.log (stored in Documents and SettingsApplication DataSecure Mobile AccessLogFiles)
Provisioning process
- Micro-interrogation (JavaScript is used to get basic platform and browser information): Is this a Microsoft OS? Is ActiveX enabled? If not, is Java enabled? If neither is available, the user sees an error message.
- Fetch epiBootstrapper.exe, a self-extracting executable in MSI (Microsoft Windows Installer) format; the executable also includes the macro-interrogator used in step (5).
- Fetch the list of Advanced EPC agents and install it. At a minimum, OPSWAT.msi is installed.
- Fetch additional Advanced EPC agents as required by the community.
- Macro-interrogation: Search for both Advanced EPC and other device profile attributes, such as a particular file name, or a Windows registry key.
- Provision agents (for example, data protection, or OnDemand Tunnel).
See also:
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
