Troubleshooting the DSG
TAC issues
Issue: Deleting a registered DSG node from the ESA cluster screen (TAC) causes:
- The ESA to point to the alternate DSG node.
- The secondary ESA to still reference the deleted DSG node, so the node details are not visible.
Resolution: Run the ESA-ESA TAC replication job to restore cluster visibility.
For more information about the TAC replication job, refer to the section TAC Replication Job.
Issue: If two different cluster operations are performed without any wait time between them, the changes may not be properly reflected in the ESAs and DSGs.
Resolution:
- Leave a short interval between two distinct cluster operations so that the changes synchronize properly.
- If the changes are still not synchronized after a short wait, install the Consul service to resolve the issue. For more information about installing the Consul service, refer to the section Add/Remove Services.
DSG UI issues
DSG UI is not loading with an Internal Server Error.
Issue: An Internal Server Error is displayed while accessing the DSG UI from the ESA.
This issue occurs due to one of the following reasons:
- All the DSGs in the TAC are deleted.
- The DSG node that is used to communicate with the ESA is unhealthy. The ESA then attempts to connect to another healthy node in the cluster. After multiple retries, if no healthy node is found with which the ESA can communicate, this error is displayed.
Resolution:
- Run the ESA communication process on one DSG node. For more information, refer to Setting up ESA communication.
- Register the DSG node. For more information, refer to Registering the DSG.
- Add the DSG nodes to the cluster. For more information, refer to Adding a DSG node.
DSG UI is not loading with a certificate error.
Issue: The DSG UI does not load and a [SSL: TLSV1_ALERT_UNKNOWN_CA] entry is displayed in the logs.
This occurs when the certificates between the ESA and the DSG are not synchronized, for one of the following reasons:
- The set ESA communication process was never run.
  Resolution: Run the set ESA communication process between the DSGs and the ESA.
- The TAC was deleted and recreated.
  Resolution: Run the set ESA communication process between the DSGs and the ESA again.
- The set ESA communication process was run more than once, so the ESA CA certificate was synchronized multiple times and the DSG now holds several copies of it.
  Resolution: Keep only the latest ESA CA certificate:
  - On the DSG UI, navigate to Cloud Gateway > {DSG Version} > Transport > Manage Certificates.
  - Click Change Certificates. A screen with the list of certificates is displayed.
  - Based on the timestamp, select only the latest CA certificate from the ESA.
  - Unselect the other CA certificates from the ESA. Ensure that you do not unselect other certificates in the list.
  - Select Next. Click Apply.
DSG UI is not loading with a NameResolutionError.
Issue: The DSG UI does not load and a NameResolutionError entry is displayed in the logs.
This occurs when the DSG or the ESA cannot be reached through its host name.
Resolution:
If no DNS name server is configured, ensure that the FQDN of the DSG is present in the /etc/hosts file of the ESA, and that the FQDN of the ESA is present in the /etc/hosts file of the DSG.
For more information, refer to Update Host Details.
DSG UI is not loading as the DNS is not configured correctly.
Issue: The DSG UI does not load and a Failed to resolve 'protegrity-cg***.ec2.internal' ([Errno -2] Name or service not known) entry is displayed in the logs.
This occurs when the DSG or the ESA cannot be reached through its host name.
Resolution:
- Ensure that the DNS name server is configured correctly.
DSG UI is not loading with a CERTIFICATE_VERIFY_FAILED error.
Issue: A CERTIFICATE_VERIFY_FAILED error appears in the DSG logs.
This can occur when the DSG or the ESA is not reachable through its host name, or when the name used to connect does not match a name in the peer's certificate. The issue can be mitigated as follows:
- Ensure that the DNS name server is configured correctly.
- If no DNS name server is configured, ensure that the FQDN of the DSG is present in the /etc/hosts file of the ESA, and that the FQDN of the ESA is present in the /etc/hosts file of the DSG.
- Connect using the FQDN that the certificate was issued for, not a short host name or bare IP address that the certificate does not contain.
For more information, refer to Update Host Details.
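The three resolution problems above (NameResolutionError, Failed to resolve, and a CERTIFICATE_VERIFY_FAILED caused by connecting under a name the peer does not resolve) all come down to one question: does each side resolve the other's FQDN, either from DNS or from /etc/hosts? The following script is an added example, not Protegrity code, for checking that before raising a support case. It parses an /etc/hosts file the way the resolver does (comments ignored, first entry for a name wins) and, on a live node, asks the local resolver the same way the ESA and DSG do when they connect by FQDN. The host names and addresses in the sample are made up.

```python
"""Name-resolution pre-flight for the ESA <-> DSG link.

Added example; it is not Protegrity code.  parse_hosts() and hosts_resolves()
work on the text of an /etc/hosts file and run offline; resolve_live() asks the
node's own resolver (DNS and /etc/hosts, in nsswitch order), which is what the
ESA and DSG do when they connect by FQDN.  Host names and addresses in the
sample are made up.
"""
import ipaddress
import socket


def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its address.

    Comments and blank lines are ignored; the first entry for a name wins,
    which is how the resolver treats duplicates."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first column is not an IP address: skip the malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), address)
    return table


def hosts_resolves(text, fqdn, expected_address=None):
    """True if fqdn has an entry (and, if given, maps to expected_address)."""
    address = parse_hosts(text).get(fqdn.lower())
    if address is None:
        return False
    if expected_address is None:
        return True
    return address == str(ipaddress.ip_address(expected_address))


def resolve_live(fqdn):
    """Resolve fqdn with the local resolver; an empty list is what shows up
    in the ESA logs as NameResolutionError / 'Name or service not known'."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


# Constructed sample of an ESA's /etc/hosts when no DNS server is configured.
SAMPLE_ESA_HOSTS = """\
127.0.0.1   localhost
# DSG nodes, added by hand because there is no DNS server
10.0.1.21   protegrity-dsg01.example.internal protegrity-dsg01
10.0.1.22   protegrity-dsg02.example.internal   # second node
"""

if __name__ == "__main__":
    table = parse_hosts(SAMPLE_ESA_HOSTS)
    for name in ("protegrity-dsg01.example.internal", "protegrity-dsg03.example.internal"):
        print(name, "->", table.get(name, "MISSING from /etc/hosts"))
    print("live resolution of this host's own FQDN:", resolve_live(socket.getfqdn()))
```

Run it on both the ESA and the DSG, once with the peer's FQDN: an empty result from resolve_live() on either side reproduces the log entries above, and hosts_resolves() with the expected address catches the stale-entry case where the name resolves but to the wrong node.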
DSG UI is not loading with a KSA host error.
Issue: The error Failed to find new KSA host from the TAC is displayed in the logs.
The ESA reaches out to the DSG that is registered in the ksa.json file. If this DSG is not reachable, the ESA attempts to connect to another healthy DSG in the cluster. If every attempt to connect to a healthy DSG node in the cluster fails, this error occurs.
Resolution: Run the following steps:
- Check the health of all the nodes in the cluster.
- Check that the DSGs in the TAC are accessible.
- Check that the set ESA communication process between the DSG nodes and the ESA was completed.
DSG UI is not loading with an HTTPS connection error
Issue: The error Request to X.X.X.X failed with error HTTPSConnectionPool(host='X.X.X.X', port=443): Max retries exceeded with url: /cpg/v1/ksa is displayed in the logs.
The ESA is not able to reach the DSG on port 443 within the configured number of retries.
Resolution: Run one of the following steps:
- Re-register the ESA with an appropriate online DSG node.
- Increase the maximum retry count in the ksa.json file.
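The two previous issues describe the same selection loop from different ends: the ESA tries the DSG recorded in ksa.json, falls back to the other cluster nodes, and reports either "Max retries exceeded" for one node or "Failed to find new KSA host" when none answers. The model below is an added example, not Protegrity code, that reproduces that behaviour so the attempt sequence can be reasoned about offline. The ksa.json field names ("host", "max_retries") and the use of /cpg/v1/ksa as the probe URL are assumptions taken from the log line above; the real file layout is not documented on this page.

```python
"""How the ESA finds a reachable DSG (KSA host) in the TAC.

Added example, not Protegrity code.  It models the behaviour this page
describes: try the DSG recorded in ksa.json first, then the other nodes of
the cluster, each a bounded number of times, and give up with the
"Failed to find new KSA host" condition when none answers.  The ksa.json
key names ("host", "max_retries") and the /cpg/v1/ksa probe are assumptions;
select_ksa_host() takes the probe as a parameter so it can run offline.
"""
import json
import ssl
import urllib.error
import urllib.request


class KsaHostError(RuntimeError):
    """No DSG in the TAC answered."""


def load_ksa_config(text):
    """Parse ksa.json text (assumed field names, see module docstring)."""
    return json.loads(text)


def probe_ksa(host, port=443, timeout=5, cafile=None):
    """Live probe: HTTPS GET of /cpg/v1/ksa.  True if the DSG answered at all.

    Certificate verification stays on; a TLS failure counts as unreachable,
    which is also how a CERTIFICATE_VERIFY_FAILED ends up as max retries."""
    ctx = ssl.create_default_context(cafile=cafile)
    url = "https://%s:%d/cpg/v1/ksa" % (host, port)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx):
            return True
    except urllib.error.HTTPError:
        return True  # an HTTP error still proves the node is up and serving TLS
    except (urllib.error.URLError, OSError):
        return False  # DNS, TCP, TLS or timeout failure


def select_ksa_host(config, cluster_nodes, probe, max_retries=None):
    """Return (host, attempts) for the first DSG that answers.

    attempts is the ordered list of (host, try_number) pairs, which is what
    to compare against a log that ends in "Max retries exceeded"."""
    preferred = config["host"]
    if max_retries is None:
        max_retries = int(config.get("max_retries", 3))
    candidates = [preferred] + [n for n in cluster_nodes if n != preferred]
    attempts = []
    for host in candidates:
        for attempt in range(1, max_retries + 1):
            attempts.append((host, attempt))
            if probe(host):
                return host, attempts
    raise KsaHostError(
        "Failed to find new KSA host from the TAC: %d attempts across %d nodes"
        % (len(attempts), len(candidates)))


# Constructed sample data; addresses are made up.
SAMPLE_KSA_JSON = '{"host": "10.0.1.21", "max_retries": 2}'
SAMPLE_CLUSTER = ["10.0.1.21", "10.0.1.22", "10.0.1.23"]


def make_probe(healthy):
    """Offline stand-in for probe_ksa(): a node answers iff it is in `healthy`."""
    return lambda host: host in healthy


if __name__ == "__main__":
    cfg = load_ksa_config(SAMPLE_KSA_JSON)
    host, tried = select_ksa_host(cfg, SAMPLE_CLUSTER, make_probe({"10.0.1.22"}))
    print("selected", host, "after", tried)
    try:
        select_ksa_host(cfg, SAMPLE_CLUSTER, make_probe(set()))
    except KsaHostError as err:
        print(err)
```

To use it against a real cluster, pass probe_ksa (with cafile pointing at the ESA CA certificate) instead of make_probe(). Raising max_retries only helps when the node is slow or flapping; if every node is down or the certificate is wrong, more retries just delay the same KSA host error.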
Unable to register the DSG on the ESA
Issue: The error Unable to add ptycluster user's SSH public key, Request failed due to 'Internal Server Error'. Please make sure host(protegrity-esa***.protegrity.com) have TAC enabled. is displayed in the logs.
Resolution: Ensure that the TAC is created on the DSG or the ESA. Then run the set ESA communication process for the DSG in the cluster.
Ruleset deployment
Rulesets are not deployed from the ESA
Issue: When a ruleset is deployed from an ESA to a DSG, the operation fails and a failure message is displayed in the logs.
This issue might occur due to one of the following reasons:
- One node in the TAC is deleted or unhealthy.
- The TAC is deleted and recreated.
Resolution: If the TAC is deleted and recreated, run the set ESA communication process again and ensure that the certificates between the ESA and the DSG are synchronized.
Miscellaneous
Support logs are empty
Issue: When the support logs are downloaded from the DSG Web UI, the downloaded .tgz file is empty.
Resolution:
- On the ESA Web UI, ensure that the DSG Container UI service is up and running. If the service is stopped, restart it, then download the support logs again and check the entries.
- While installing a DSG patch on the ESA, the details of a DSG node must be provided. Ensure that this DSG node is healthy and is accessible through its host name.
Other issues
Issue: The error [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:2546) is displayed in the logs.
- Reason: Different CA certificates are present on the ESA nodes.
- Recovery Action: Ensure that all ESA nodes have the same CA certificates.
Issue: The following screen appears while installing the DSG.
Couldn't retrieve any matching DSG Host Address from xx.xx.xx.xx's server certificate
- ip-xx-xx-xx-xx.ec2.internal [absent from server certificate]
- protegrity-esaxxx.ec2.internal [absent from server certificate]
- protegrity-esaxxx [absent from server certificate]
- xx.xx.xx.xx [absent from server certificate]
Reason: None of the IP address, host name, or FQDN that the installer tried is present in the CN or SAN field of the server certificate.
Recovery Action: Generate new certificates that list the IP address, host name, and FQDN in the SAN field, and check the field contents before retrying. Current TLS clients match only against the SAN entries, so a name that appears only in the CN is not sufficient.
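The installer screen above is a list of names that were tried against the server certificate and not found. The script below is an added example, not Protegrity's installer code, that reproduces that check so a replacement certificate can be verified before the install is retried. It works on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, matches DNS names the way TLS clients do (case-insensitive, one wildcard allowed as the whole leftmost label) and compares IP entries as addresses rather than strings. The sample certificate dictionary is constructed; no real certificate is embedded.

```python
"""Check whether a server certificate covers the names a peer will use.

Added example, not Protegrity's installer code.  check_cert_names() takes the
dict shape returned by ssl.SSLSocket.getpeercert() and reports the candidate
names or addresses that are absent from the subjectAltName, mirroring the
'[absent from server certificate]' list on this page.  fetch_peer_cert()
obtains that dict from a live node.  SAMPLE_CERT is constructed.
"""
import ipaddress
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or one wildcard as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        # *.dsg.example matches node1.dsg.example but not a.b.dsg.example
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return False


def check_cert_names(cert, candidates):
    """Return the candidates (host names or IP addresses) absent from the SAN.

    Only subjectAltName is consulted: current TLS stacks ignore the CN, so a
    name that appears only in the subject does not help."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = {ipaddress.ip_address(value) for kind, value in san if kind == "IP Address"}
    absent = []
    for cand in candidates:
        try:
            present = ipaddress.ip_address(cand) in ip_names
        except ValueError:  # not an IP address, so treat it as a DNS name
            present = any(_dns_name_matches(p, cand) for p in dns_names)
        if not present:
            absent.append(cand)
    return absent


def fetch_peer_cert(host, cafile, port=443, timeout=5):
    """Fetch the decoded peer certificate from a live node.

    Chain verification against cafile stays on, because getpeercert() returns
    an empty dict for an unverified peer; only host-name checking is turned
    off, since a missing name is what we want to report rather than fail on."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape of getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "protegrity-esa01"),),),
    "subjectAltName": (
        ("DNS", "protegrity-esa01.example.internal"),
        ("DNS", "*.dsg.example.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    wanted = ["ip-10-0-0-5.ec2.internal", "protegrity-esa01.example.internal",
              "protegrity-esa01", "10.0.0.5", "node1.dsg.example.internal"]
    for name in check_cert_names(SAMPLE_CERT, wanted):
        print("- %s [absent from server certificate]" % name)
```

In the sample, "protegrity-esa01" is reported absent even though it is the CN, which is the point of the recovery action above: every name and address the installer or the peer might use has to be in the SAN.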
Issue: The error HTTP Error 596: source is not whitelisted is displayed in the ESA container logs.
- Reason: The Update Host Settings for DSG step was not completed while performing ESA communication.
- Recovery Action: Ensure that the Update Host Settings for DSG step is selected when performing ESA communication. For more information about ESA communication, refer to Setting up ESA communication.
Issue: The usage metrics are not forwarded to Insight.
- Reason: The /var/log partition is full.
- Recovery Action: Perform the following steps.
  - Back up the gateway.log files.
  - Free up space on the partition, for example by removing the rotated gateway log files.
  - Delete or purge the usagemetrics.pos file from the /opt/protegrity/usagemetrics/bin directory.
  - On the Web UI, navigate to System > Services and restart the Usage Metrics Parser Service.
Issue: When SaaS is accessed through the gateway, the error HTTP Response Code 599: Unknown is displayed.
- Reason 1: The SaaS server certificate is invalid.
  Recovery Action: Perform one of the following steps.
  - Ensure that the forwarding address is correct.
  - Add the SaaS server certificate to the gateway's trusted store.
- Reason 2: The system time on the DSG nodes is not in sync with the ESA. Certificate validity periods are checked against the local clock, so a skewed clock makes an otherwise valid certificate appear expired or not yet valid.
  Recovery Action: Synchronize the system time on all the DSG nodes by performing the following steps.
  - From the CLI Manager, navigate to Tools > ESA communication.
  - Select Use ESA's NTP to synchronize the system time of the node with the ESA.
  - Consider using an NTP server for the system time across all DSG nodes and the ESA.
- Reason 3: The DNS configuration might be incorrect.
  Recovery Action: Perform one of the following steps.
  - Verify that the DNS configuration for the DSG node is set as required.
  - Verify that the host name addresses mentioned in the service configuration are reachable from the DSG node.
Issue: The SaaS web interface is not accessible through the browser, and the error HTTP Response Code 500: Internal Server Error is displayed.
- Reason: The DSG node is not configured to serve the requested host name.
- Recovery Action: Verify that the Cloud Gateway profiles and services are configured to accept and serve the requested host name.
Issue: The error 404: Not Found appears on the client application while accessing the DSG.
- Reason: The HTTP Extract Message rule configured on the DSG node cannot be invoked.
- Recovery Action: Perform one of the following steps.
  - Ensure that the request is sent to the URI configured on the DSG. A request sent to an incorrect URI is not processed.
  - Verify the HTTP method in the HTTP request.
Issue: The following error message appears in the gateway logs:
Error;MountCIFSTunnel;check_for_new_files;error checking for new files, Connection timed out. Server did not respond within timeout.
- Reason: The connection between the DSG and the CIFS server is interrupted.
- Recovery Action: Restart the CIFS server and process the data again.
Issue: Learn mode is not working.
- Reason: Learn mode is not enabled.
- Recovery Action: Perform one of the following steps.
  - Enable learn mode for the required service.
  - Configure the following learn mode settings while creating the service.
    - Specify the contents to be included in the includeResource and includeContentType parameters. For example, you can include the following resources and content types:
      "includeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
      "includeContentType": "\\bcss|image|video|svg\\b",
    - Specify the contents to be excluded in the excludeResource and excludeContentType parameters. For example, you can exclude the following resources and content types:
      "excludeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
      "excludeContentType": "\\bcss|image|video|svg\\b",
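The include/exclude values above are regular expressions stored as JSON strings, which is why every backslash is doubled. The script below is an added example, not DSG code, that loads such a fragment the way a JSON parser would and applies the resulting patterns to sample request paths and content types, so the effect of a setting can be checked before it is saved to a service. How the DSG combines the four parameters is not documented on this page; the precedence used here (an exclude match wins, otherwise an include match is required when any include rule exists) is an assumption.

```python
"""Learn-mode include/exclude matching.

Added example, not DSG code.  The includeResource/excludeResource and
includeContentType/excludeContentType values are JSON strings holding regular
expressions; json.loads() turns the doubled backslashes into the real pattern.
The precedence in should_learn() is an assumption (see the lead-in).
"""
import json
import re

_LEARN_KEYS = ("includeResource", "excludeResource",
               "includeContentType", "excludeContentType")


def compile_learn_mode(json_fragment):
    """Parse a service-config fragment and compile the learn-mode regexes in it."""
    cfg = json.loads(json_fragment)
    return {key: re.compile(value) for key, value in cfg.items() if key in _LEARN_KEYS}


def should_learn(rules, path, content_type):
    """Decide whether a request/response pair would be recorded in learn mode.

    Assumed precedence: any exclude match suppresses learning; if include rules
    exist, one of them must match; with no include rules everything else is learned."""
    def hit(key, value):
        rx = rules.get(key)
        return bool(rx and rx.search(value))

    if hit("excludeResource", path) or hit("excludeContentType", content_type):
        return False
    if "includeResource" in rules or "includeContentType" in rules:
        return hit("includeResource", path) or hit("includeContentType", content_type)
    return True


# Constructed fragment using the page's exclude example (static assets and
# media are skipped so that only application traffic is learned).
SAMPLE_EXCLUDE_FRAGMENT = r'''{
  "excludeResource": "\\.(css|png|gif|jpg|ico|woff|ttf|svg|eot)(\\?|\\b)",
  "excludeContentType": "\\bcss|image|video|svg\\b"
}'''

# Constructed sample traffic: (path, response content type).
SAMPLE_TRAFFIC = [
    ("/static/app.css", "text/css"),
    ("/static/logo.png?v=3", "image/png"),
    ("/api/v1/customers", "application/json"),
    ("/api/v1/customers", "image/png"),
]

if __name__ == "__main__":
    rules = compile_learn_mode(SAMPLE_EXCLUDE_FRAGMENT)
    print("decoded excludeResource pattern:", rules["excludeResource"].pattern)
    for path, ctype in SAMPLE_TRAFFIC:
        print("%-26s %-18s learn=%s" % (path, ctype, should_learn(rules, path, ctype)))
```

One detail of the page's content-type pattern is worth knowing: in \bcss|image|video|svg\b the alternation binds looser than the anchors, so \b applies only to css and svg, and any content type containing "image" or "video" anywhere matches. Wrap the alternatives in a group, \b(css|image|video|svg)\b, if whole-word matching is intended for all four.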
Issue: The following message is displayed in the log:
WarningPolicy;missing_host_key;Unknown ssh-rsa host key for: f1b2e0bde5d34244ba104bab1ce66f96
- Reason: The gateway issued an outbound request to an SFTP server whose host key was not already in its known hosts, logged the key, and continued.
- Recovery Action: The functionality of the DSG node is not affected. No action is required. Note that because the connection proceeds, this check does not confirm the SFTP server's identity on that first connection.
Set ESA communication is failing
Issue: While running the set ESA communication tool, the process fails. The following are possible reasons for the failure:
- PIM initialization is not done on the ESA. Workaround: Initialize the PIM on the ESA.
- A TAC is not created on the DSG. Workaround: Create a cluster on a DSG and add the required nodes to the cluster.