App Connector upgrade failures


If an App Connector upgrade fails, the cause is usually one of the following:


  • 1- The upgrade has been in a failed state for more than 24 hours.
  • 2- The image cannot be downloaded because there is no disk space left.
  • 3- The image cannot be downloaded due to an inconsistent connection between the App Connector and co2br (App Connector to Public Service Edge endpoint).
  • 4- The Provisioning Key was deleted in the ZPA Admin Portal.


1- Upgrade is in a failed state for more than 24 hours: collect the logs below and check them.

Collect the outputs for the following:

  • sudo cat /opt/zscaler/var/version
  • sudo ls -lrta /opt/zscaler/var/version
  • sudo cat /opt/zscaler/var/updater.version
  • sudo /opt/zscaler/var/image.bin -version
  • sudo ls -lrta /opt/zscaler/var/image


2- The image cannot be downloaded because there is no disk space left

Check the disk space with the following commands:

  • sudo df -h /
  • sudo du -h /
  • sudo du -a / | sort -n -r | head -n 20

Delete any extra directories, except /opt/zscaler, to free up space. Once disk space is available, the image will download to /opt/zscaler/var/image.bin.

3- The image cannot be downloaded due to an inconsistent connection between the App Connector and co2br

Verify that the App Connector has a stable connection to the ZPA Public Service Edge:

  • journalctl -n1000 | grep zscaler-update


 4- The Provisioning Key was deleted in the ZPA Admin Portal. 

  1. Go to the App Connector page and identify the App Connector’s group.
  2. Go to the Provisioning key page and find the App Connector group. If the group is not listed in the App Connector group column, the key is no longer in the ZPA Admin Portal.
  3. Delete the App Connector and re-enroll it, which will allow you to create a new provisioning key for the App Connector.

If none of the above reasons is causing the upgrade failures, use the steps below:

-->> Restart the App Connector (stop and start).
-->> Check DNS resolution of the Zscaler Public Service Edge:
[admin@localhost ~]$ dig +short co2br.prod.zpath.net
13.60.119.37
42.68.244.163
[admin@localhost ~]$


-->> Check whether the App Connector can start a TLS connection using the openssl command. You should receive a certificate subject string returned from the Public Service Edges.

If you receive a certificate subject, proceed to the next step.

If you do not receive a subject string, there is likely an error with TLS communication.


[admin@localhost ~]$ openssl s_client -servername mockcompany.com.server1.net -connect 13.60.119.37:443 2>&1 | grep subject
subject=/C=US/ST=California/L=San Jose/O=Zscaler/OU=Emerging Technologies/CN=broker1a.sjc8.prod.zpath.net
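
The DNS and TLS checks above, scripted so every resolved address is probed and the result is classified. This is an added example, not Zscaler tooling and not part of the original post. Assumptions: the SNI value, the expected CN suffix (taken from the sample subject above), the 10 second timeout, and the function names.

```shell
#!/bin/sh
# Added example: scripted version of the dig + openssl checks on this page.
# Assumptions (not from Zscaler): SNI value, CN suffix, 10 s timeout.
EDGE_HOST="co2br.prod.zpath.net"     # endpoint name used in the dig step
SNI_NAME="${SNI_NAME:-$EDGE_HOST}"   # assumption: override with your own value
CN_SUFFIX=".prod.zpath.net"          # from the sample subject on this page

# Print the CN from `openssl s_client` output on stdin. Handles both the old
# "subject=/C=US/.../CN=x" layout and the newer "subject=C = US, ..., CN = x".
subject_cn() {
    sed -n 's|^ *subject=.*CN *= *\([^,/]*\).*$|\1|p' | head -n 1
}

# Classify s_client output on stdin.
#   "ok <cn>"            rc 0  subject returned and CN is under CN_SUFFIX
#   "no-subject"         rc 1  no subject string (the page's TLS failure case)
#   "unexpected-cn <cn>" rc 2  something other than a Public Service Edge answered
classify_tls() {
    cn=$(subject_cn)
    [ -n "$cn" ] || { echo "no-subject"; return 1; }
    case "$cn" in
        *"$CN_SUFFIX") echo "ok $cn" ;;
        *) echo "unexpected-cn $cn"; return 2 ;;
    esac
}

# Resolve the edge name and probe every address it returns. </dev/null stops
# s_client waiting on stdin; timeout bounds a connection that is silently dropped.
probe_edges() {
    ips=$(dig +short "$EDGE_HOST" | grep -E '^[0-9]+(\.[0-9]+){3}$')
    [ -n "$ips" ] || { echo "dns: no A records for $EDGE_HOST"; return 1; }
    rc=0
    for ip in $ips; do
        result=$(timeout 10 openssl s_client -servername "$SNI_NAME" \
                 -connect "$ip:443" </dev/null 2>&1 | classify_tls) || rc=1
        echo "$ip $result"
    done
    return $rc
}

# Run the live checks only when asked, so the functions can be sourced and tested.
if [ "${1:-}" = "--run" ]; then probe_edges; fi
```

Run it with `--run` on the App Connector host; a non-zero exit means at least one resolved address returned no subject or an unexpected CN.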

Note: all screenshots in this blog were taken by Zscaler Inc.
