Troubleshooting App Connectors Zscaler

 

When troubleshooting App Connectors, consider the following:

--->>> App Connector Not Connected to the Cloud <<----

If the App Connector was previously working and now shows an error about not being connected to the cloud

you will get error like below screen shot 

Resolve this issue to  use below step:

1- Log in to the App Connector console using your admin credentials.

2-Enter the below command to stop the zpa-connector service :-

3 - Enter the following command to delete the App Connector :

4 - Restart the service -

5 - Now re-configure App connector again 

-->> DNS Failure, But App Connector Successful <<--

If you have a DNS failure and the ZPA App Connector “root” process is successful

This issue only happen due to some permission issue of zscaler account.

his means the “root” process is able to read /etc/resolve.conf, but the “zscaler” user account can not.

Resolution of this issue - correct the file permission on /etc/resolve.conf for the “zscaler” user account

-->> App Connector ID is zero, --<<

If the Central Authority can not determine an application or resolve the connection to the App Connector for the user, it will display the App Connector ID as zero.

This error come because of following issue -

• APP_NOT_REACHABLE.
• INVALID_DOMAIN
• NO_CONNECTOR_AVAILABLE

-->> Frequent Disconnections to the ZPA Cloud --<<

If you see frequent disconnections between an App Connector to the ZPA Cloud, the problem may come due to following reason-

There are some question to understand the issue exactly.

• Is there an App Connector restart involved?
• Is the disconnect only on the control or data connection?
• Is there a pattern emerging out of the disconnection in data and control connection?
• Could there be a routing issue? Is only a specific set of ZPA Public Service Edge IPs having the problem?
• Could the firewall have an out of memory state? If so, could the firewall do a TCP RST of the existing connection to claim more memory?

use below point to solve this issue  -

1. Go to Administration > Diagnostics
2. Choose Connector Status under Log Type.
3. Apply the Disconnected status filter:Click Add Filters and select the Connection: Status Code filter from the drop-down menu.
   1. 3.1Select the Equals Boolean operator from the drop-down menu.
   2. Select the Disconnected status.
   3. Click Apply.
4. Check the times in the Disconnect Time column to identify the correct App Connector.
5. Find the name in the Service Edge column to identify the Public Service Edge name or Private Service Edge.

-->> App Connector Upgrade Fail<<--

There are different possible reasons for App Connector upgrade failures:

• 1- Upgrade is in a failed state for more than 24 hours.
• 2- Image can not download since there is no disk space left.
• 3- Image can not download due to inconsistent connection between the App 
• 4 -Connector and co2br (App Connector to Public Service Edge endpoint).
• 5- The Provisioning Key was deleted in the ZPA Admin Portal.

if none of the above reasons are causing the upgrade failures, use below step to fix this issue -

1- Restart the App Connector --

     Stop the App Connector.

     Verify no processes are running 

Start the App Connector 

Return to the App Connectors page to see if the Update Status changes from Failure to Success

2- Check the logs and network connectivity by addressing any issues if identified

   Test connectivity to the upstream ZPA Public Service Edge by querying the DNS address co2br.prod.zpath.net from the server that is running the App Connector software

3- Wipe and rebuild the App Connector configuration -

   

• Identify the App Connector group for the App Connector
• Identify the Provisioning Key of the App Connector group
• On the Connector Provisioning Key page, verify the number of provisioning keys in the # of Enrolled Connectors column is less than the number in the Maximum # of Connectors column for the provisioning key.