Troubleshooting in DSG
DSG UI issues
DSG UI is not loading with an Internal Server error.
Issue: An Internal Server Error is displayed while accessing the DSG UI from ESA.
This issue occurs due to one of the following reasons:
- All the DSGs in the TAC are deleted.
- The DSG node that is used to communicate with ESA is unhealthy. ESA then attempts to connect with another healthy node in the cluster. After multiple retries, if no healthy node with which ESA can communicate is found, this error is displayed on the screen.
Resolution:
- Recreate the TAC by adding all the required DSGs to the cluster.
- Run the set ESA communication process from all the DSG nodes in the cluster.
- Run the following script on ESA.
/opt/protegrity/alliance/3.3.0.0.{build number}-1/bin/scripts/register_dsg_tac.sh
DSG UI is not loading with a certificate error.
Issue: The DSG UI does not load and a [SSL: TLSV1_ALERT_UNKNOWN_CA] entry is displayed in the logs.
This might occur because the certificates are not synchronized. The following are a few reasons for the issue.
- ESA communication is not run.
- The TAC is deleted and recreated.
  - Resolution: If the TAC is deleted and recreated, run the set ESA communication process between the DSGs and ESA.
- If the set ESA communication is run, the certificates are synchronized multiple times.
  - Resolution: Run the following steps:
    - On the DSG UI, navigate to Cloud Gateway > 3.3.0.0 {build number} > Transport > Manage Certificates.
    - Click Change Certificates. A screen with the list of certificates is displayed.
    - Based on the timestamp, select only the latest CA certificate from ESA.
    - Unselect the other CA certificates from ESA. Ensure that you do not unselect other certificates in the list.
    - Select Next. Click Apply.
DSG UI not loading with a NameResolutionError.
Issue: The DSG UI does not load and a NameResolutionError entry is displayed in the logs.
This might occur if the DSG or ESA are not accessible through their host names.
Resolution: If the DNS name server is not configured, ensure that the FQDN of DSG is present in the /etc/hosts file of ESA. Also, ensure that the FQDN of ESA is present in the /etc/hosts file of DSG.
DSG UI not loading as the DNS is not configured correctly.
Issue: The DSG UI does not load and a Failed to resolve 'protegrity-cg***.ec2.internal' ([Errno -2] Name or service not known)")) entry is displayed in the logs.
This might occur if the DSG or ESA are not accessible through their host names.
Resolution:
- Ensure that the DNS Name server is configured correctly.
DSG UI not loading with a certificate error.
Issue: A CERTIFICATE_VERIFY_FAILED error appears in the logs.
This might occur if the DSG or ESA are not accessible through their host names. The issue can be mitigated as follows:
- Ensure that the DNS Name server is configured correctly.
- If the DNS name server is not configured, ensure that the FQDN of DSG is present in the /etc/hosts file of ESA. Also, ensure that the FQDN of ESA is present in the /etc/hosts file of DSG.
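The /etc/hosts check named in this resolution and in the NameResolutionError one above, as an added example (not Protegrity code). Host names and addresses are constructed, and the `loopback` and `commented` statuses are an extension beyond what the page states.

```python
import ipaddress

# Constructed sample: /etc/hosts content as it might look on an ESA (made-up names and addresses).
ESA_HOSTS = """\
127.0.0.1    localhost
10.20.0.11   DSG1.example.internal dsg1
# 10.20.0.12 dsg2.example.internal dsg2
"""
# Constructed sample for a DSG where the ESA FQDN was placed on a loopback line.
DSG_HOSTS = """\
127.0.0.1    localhost
127.0.1.1    esa1.example.internal esa1
"""

def hosts_entry_status(hosts_text, fqdn):
    """Return 'ok', 'loopback', 'commented' or 'missing' for fqdn in hosts_text."""
    want = fqdn.rstrip(".").lower()           # host names compare case-insensitively
    seen_in_comment = False
    for line in hosts_text.splitlines():
        active, _, comment = line.partition("#")
        fields = active.split()
        names = [n.rstrip(".").lower() for n in fields[1:]]
        if want in names:
            try:
                addr = ipaddress.ip_address(fields[0])
            except ValueError:
                continue                       # malformed address: entry is unusable
            # The first usable entry for a name is the one that gets used.
            return "loopback" if addr.is_loopback else "ok"
        if want in comment.lower().split():
            seen_in_comment = True             # entry exists but is commented out
    return "commented" if seen_in_comment else "missing"

if __name__ == "__main__":
    for fqdn in ("dsg1.example.internal", "dsg2.example.internal", "dsg3.example.internal"):
        print("ESA /etc/hosts:", fqdn, "->", hosts_entry_status(ESA_HOSTS, fqdn))
    print("DSG /etc/hosts: esa1.example.internal ->",
          hosts_entry_status(DSG_HOSTS, "esa1.example.internal"))
```

Run it against the real file contents on each side: the DSG FQDN against the ESA's file, and the ESA FQDN against each DSG's file.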
DSG UI not loading with a KSA host error.
Issue: An error Failed to find new KSA host from the TAC is displayed in the logs.
The ESA reaches out to the DSG that is registered in the ksa.json file. If this DSG is not reachable, it attempts to connect with another healthy DSG in the cluster. If the attempt to connect with any healthy DSG node in the cluster fails, the issue occurs.
Resolution: Run the following steps:
- Check the health of all the nodes in the cluster.
- Check if the DSGs in the TAC are accessible.
- Check whether the set ESA communication between the DSG nodes and ESA was completed.
DSG UI not loading with a HTTP connection error
Issue: An error Request to X.X.X.X failed with error HTTPSConnectionPool(host='X.X.X.X', port=443): Max retries exceeded with url: /cpg/v1/ksa is displayed in the logs.
The ESA is not able to reach the DSG.
Resolution: Run one of the following steps:
- Re-register the ESA with an appropriate online DSG node.
- Increase the max retry count in the ksa.json file.
Unable to register DSG on ESA
Issue: An error Unable to add ptycluster user's SSH public key, Request failed due to 'Internal Server Error'. Please make sure host(protegrity-esa***.protegrity.com) have TAC enabled. is displayed in the logs.
Resolution: Ensure that the TAC is created on the DSG or ESA. Run the set ESA communication process for the DSG in the cluster.
Ruleset deployment
Rulesets are not deployed from ESA
Issue: When a ruleset is deployed from an ESA to DSG, the operation fails. A failure message is displayed in the logs.
This issue might occur due to one of the following reasons:
- One node in the TAC is deleted or unhealthy.
- TAC is deleted and recreated. Resolution: If the TAC is deleted and recreated, run the set ESA communication process again. Ensure that the certificates between ESA and DSG are synchronized.
Miscellaneous
Support logs are empty
Issue: When the support logs from a DSG Web UI are downloaded, the downloaded .tgz file is empty.
Resolution:
- On the ESA Web UI, ensure that the DSG Container UI service is up and running. If the service is stopped, restart the service. Download the support logs and check the entries.
- While installing a DSG patch on ESA, the details of a DSG node must be provided. Ensure that this DSG node is healthy. This DSG node must be accessible through its host name.
Common issues
Issue: The usage metrics are not forwarded to Insight.
- Reason: The /var/log partition is full.
- Recovery Action: Perform the following steps.
  - Back up the gateway.log files.
  - Ensure that the partition space is cleared. To free up the space, you can remove the rotated gateway log files.
  - Delete or purge the *usagemetrics.pos* file from the */opt/protegrity/usagemetrics/bin* directory.
  - On the Web UI, navigate to System > Services. Restart the **Usage Metrics Parser Service**.
Issue: When SaaS is accessed through the gateway, the following error is displayed.
HTTP Response Code 599: Unknown.
- Reason 1: The SaaS server certificate is invalid.
- Recovery Action: Perform one of the following steps.
  - Ensure that the forwarding address is correct.
  - Add the SaaS server certificate to the gateway’s trusted store.
- Reason 2: The system time on the DSG nodes is not in sync with the ESA.
  - Synchronize the system time for all the DSG nodes by performing the following steps.
    - From the CLI Manager, navigate to Tools > ESA communication.
    - Select **Use ESA’s NTP** to synchronize the system time of the node with ESA.
    - Consider using an NTP server for system time across all DSG nodes and the ESA.
- Reason 3: The DNS configuration might be incorrect.
- Recovery Action: Perform one of the following steps.
  - Verify that the DNS configuration for the DSG node is set as required.
  - Verify that the hostname addresses mentioned in the service configuration are accessible by the DSG node.
Issue: The SaaS web interface is not accessible through the browser. The following error is displayed.
HTTP Response Code 500: Internal Server Error.
- Reason: The DSG node is not configured to service the requested host name.
- Recovery Action: Verify if the Cloud Gateway profiles and services are configured to accept and serve the requested hostname.
Issue: The following error message appears on the client application while accessing DSG.
404 : Not Found
- Reason: The HTTP Extract Message rule configured on the DSG node cannot be invoked.
- Recovery Action: Perform one of the following steps.
  - Ensure that you have sent the request to the URI configured on the DSG. If the request is sent to the incorrect URI, then the request will not be processed.
  - Verify the HTTP Method in the HTTP request.
Issue: The following error message appears in the gateway logs.
Error;MountCIFSTunnel;check_for_new_files;error checking for new files, Connection timed out. Server did not respond within timeout.
- Reason: The connection between the DSG and CIFS server is interrupted.
- Recovery Action: Restart the CIFS server and process the data.
Issue: Learn mode is not working.
- Reason: Learn mode is not enabled.
- Recovery action: Perform one of the following steps.
  - Enable learn mode for the required service.
  - Configure the following learn mode settings while creating the service.
    - Mention the contents to be included in the *includeResource* and the *includeContentType* parameters.
      For example, you can include the following resources and content types:
      "includeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
      "includeContentType": "\\bcss|image|video|svg\\b",
    - Mention the contents to be excluded in the *excludeResource* and the *excludeContentType* parameters.
      For example, you can exclude the following resources and content types:
      "excludeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
      "excludeContentType": "\\bcss|image|video|svg\\b",
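How the include patterns above behave on sample requests, as an added example (not Protegrity code). The URIs and content types are constructed, unanchored case-sensitive search is an assumption about how the gateway applies the patterns, and `GROUPED_CONTENT_TYPE` is a hypothetical variant shown only to expose how `\b` binds in the page's pattern.

```python
import json
import re

# The include settings exactly as shown above, wrapped in braces so they parse as JSON.
SETTINGS = json.loads(r'''{
  "includeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
  "includeContentType": "\\bcss|image|video|svg\\b"
}''')

# Added variant, not from the page: the group makes both \b anchors apply to every alternative.
# In the page's pattern the leading \b belongs only to "css" and the trailing \b only to "svg".
GROUPED_CONTENT_TYPE = r"\b(css|image|video|svg)\b"

def hits(pattern, value):
    # Assumption: each pattern is applied as an unanchored, case-sensitive search.
    return re.search(pattern, value) is not None

def resource_hit(uri):
    return hits(SETTINGS["includeResource"], uri)

def content_type_hit(content_type, pattern=None):
    return hits(pattern or SETTINGS["includeContentType"], content_type)

# Constructed request URIs and Content-Type values.
URIS = ["/static/site.css?v=3", "/img/logo.png", "/api/orders.json",
        "/fonts/body.woff2", "/dl/logo.png.exe"]
TYPES = ["text/css; charset=utf-8", "image/svg+xml", "application/json",
         "application/x-videostream"]

if __name__ == "__main__":
    # JSON decoding turns "\\." into the regex "\." and "\\b" into the word boundary "\b".
    print("decoded includeResource:", SETTINGS["includeResource"])
    for uri in URIS:
        print(f"{uri:28} resource={resource_hit(uri)}")
    for ct in TYPES:
        print(f"{ct:28} page={content_type_hit(ct)} "
              f"grouped={content_type_hit(ct, GROUPED_CONTENT_TYPE)}")
```

Two results are worth noting before reusing these patterns: `.woff2` is not matched because `2` is a word character, and `.png.exe` is matched because the pattern is not anchored to the end of the path.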
Issue: The following message is displayed in the log.
WarningPolicy;missing_host_key;Unknown ssh-rsa host key for :f1b2e0bde5d34244ba104bab1ce66f96
- Reason: The gateway issues an outbound request to an SFTP server.
- Recovery action: The functionality of the DSG node is not affected. No action is required.
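To confirm that the fingerprint in this warning belongs to the expected SFTP server, compute the key's fingerprint from a known_hosts or .pub line and compare it with the logged value. This is an added example, not Protegrity code; it assumes the 32-hex-digit value in the log is the MD5 digest of the server's public key blob, and the sample key and host name are constructed.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data

# Constructed sample: a well-formed ssh-rsa blob with a made-up modulus, not a real server key.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + bytes(range(128, 256))))
SAMPLE_LINE = "sftp.example.internal ssh-rsa " + base64.b64encode(_BLOB).decode()

def md5_fingerprint(key_line):
    """Return the MD5 fingerprint (32 hex digits) of a known_hosts or .pub line."""
    fields = key_line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:                 # exact match, so "ssh-gw.example" is not a key type
            key_type = field
            blob = base64.b64decode(fields[i + 1], validate=True)
            break
    else:
        raise ValueError("no supported key type found")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own copy of the key type; reject a mismatched line.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    return hashlib.md5(blob).hexdigest()

def matches_logged(key_line, logged):
    """Compare a key line with a fingerprint copied from the log (colons optional)."""
    return md5_fingerprint(key_line) == logged.replace(":", "").strip().lower()

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE))
    print(matches_logged(SAMPLE_LINE, "f1b2e0bde5d34244ba104bab1ce66f96"))
```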
Set ESA communication is failing
Issue: While running the set ESA communication tool, the process fails. The following can be one of the reasons for the failure:
- PIM initialization is not done on ESA. Workaround: Initialize the PIM on the ESA.
- A TAC is not created on DSG. Workaround: Create a cluster on a DSG and add the required nodes to the cluster.