16.4 Troubleshooting Different States

CloudAccess displays indicators for the current state of the different appliance components. The display refreshes every five minutes. CloudAccess might not immediately display the change.

The following sections list the different components, the possible states, and troubleshooting steps you can take when the state changes.

16.4.1 Master Node Health

The master node is responsible for all administration functions in CloudAccess. If the master node is not running, the following functions do not work: provisioning or deleting user accounts, mapping authorizations, system roles, approving requests, and reporting. Other nodes in the cluster continue to capture and cache events, but they do not send those events to the master node until it is running again. Similarly, event forwarding to Sentinel does not work as long as the master node is down.

16.4.2 Front Panel of the Node

The indicator on the front panel of the node displays the health state of the node.

Figure 16-1 Front Panel

The states are:

Green: The node is healthy.

Yellow: The node cannot communicate with the other nodes within the five minute refresh.

Red: The node cannot communicate with the other nodes within two of the five minute refresh cycles.

Clear: The node is initializing or the state of the node is unknown.

Perform the following troubleshooting steps in the order listed if the state is anything but green:

  1. Wait at least five minutes for the display to refresh and display the current state.

  2. Click the node, then select Show health.

    Show Health displays which part of the appliance is having issues.

  3. If Show Health displays a problem, use the troubleshooting tools to gather logs.

    For more information, see Using Troubleshooting Tools.

  4. Restart the appliance, then wait at least another five minute cycle for all nodes to display the current state.

16.4.3 Top of the Node

The indicator on the top of the node shows whether the Apply commands completed successfully.

Figure 16-2 Top of the Node

The states are:

Green: All Apply commands completed successfully.

Red: The Apply commands did not complete successfully.

Perform the following troubleshooting steps in the order listed if the state is red:

  1. Mouse over the top of the node to see the status of the last Apply command made on the node.

  2. If there is not enough information in the summary, click Enter troubleshooting mode on the node, then mouse over the node again.

    The troubleshooting mode displays a detailed summary of the last Apply command made on the node.

  3. Restart the appliance, then wait at least another five minute cycle for all nodes to display the current state.

16.4.4 Identity Source

The health indicator for the identity source is the small icon in the lower left corner.

Figure 16-3 Identity Source Indicator

The states are:

Green: The connector to the identity source is healthy.

Yellow: The connector has communication problems with the identity source.

Red: The connector to the identity source is unhealthy or contains errors.

Question mark: The state of the connector to the identity source is unknown.

Perform the following troubleshooting steps in the order listed:

  1. If the connector is green, but the CloudAccess interface is not displaying users, verify that the identity source servers are running and communicating properly.

  2. Use the troubleshooting tools to gather logs, then look at the identity source provisioning logs listed in Table 16-1 for errors. The ConnectorLogs.txt file maps the display name of the connector with the log name of the connector, if there is more than one identity source connector.

  3. Click Show health on the master node, then expand Operational.

    If these items are yellow or red, the interface displays helpful information to help troubleshoot the issue.

  4. If you are using LDAPS to communicate with the identity source, verify that the LDAP certificates are not expired. You refresh the certificates as follows:

    1. Log in to the CloudAccess administration console, then click Configure on the identity source.

    2. Click the Refresh icon next to the identity source server.

16.4.5 Applications

The health indicator for an application connector is the small icon in the lower left corner.

Figure 16-4 Application Indicator

The states are as follows:

Green: The connector to the application is healthy.

Yellow: The connector to the application contains warnings.

Red: The connector to the application contains errors or cannot communicate with the application.

Question mark: The connector to the application is in an unknown state.

Perform the following troubleshooting steps in the order listed:

  1. Click Show health on the master node, then expand Operational, and check the status of Provisioning.

    If Provisioning is yellow or red, CloudAccess displays helpful information to help troubleshoot the issue.

  2. Use the troubleshooting tools to gather logs, then look at the provisioning logs listed in Table 16-1 for errors.

  3. Make a cosmetic change to the application connector configuration, then click Apply.

    By forcing an Apply, the appliance refreshes the application connector state and this can resolve the issue.

16.4.6 Tools

The health indicator for a tool is the small icon in the lower left corner. Only tools that report health have an indicator. The following tools do not have a health indicator: Google Analytics, Mobile, and Time-Based One-Time Password (TOTP).

Figure 16-5 Tool Indicator

For all tools, the Question Mark icon indicates that the tool is in an unconfigured state.

Advanced Authentication: The states for the Advanced Authentication tool are as follows:

  • Green circle: The connection to the Advanced Authentication appliance is healthy, and only Active Directory identity sources exist in the configuration.

  • Yellow triangle: The connection to the Advanced Authentication appliance is healthy. The triangle indicator serves as a warning that identity source types other than Active Directory exist in the configuration and are not supported with the Advanced Authentication authentication providers.

  • Red circle: The connection to the Advanced Authentication appliance is not working. The Advanced Authentication server is unreachable.

Forward Proxy: The states for the Forward Proxy tool are as follows:

  • Yellow triangle: The connection to or through the proxy is healthy. The triangle indicator serves as a warning that use of Forward Proxy is intended for test environments only.

  • Red circle: The connection to or through the proxy is not working. The proxy device is unreachable.

Google reCAPTCHA: The states for the Google reCAPTCHA tool are as follows:

  • Green circle: All of the configured identity sources are valid for use with reCAPTCHA.

  • Yellow triangle: One or more of the configured identity sources are not valid for use with reCAPTCHA. For more information, see Requirements for reCAPTCHA.

  • Red circle: None of the configured identity sources are valid for use with reCAPTCHA.

Sentinel and Syslog: The states for the Sentinel and Syslog tools are as follows:

  • Green circle: The connection to the specified address:port is healthy.

  • Red circle: The connection to the specified address:port is not working.