App Connector upgrade failures
App Connector upgrade failures
if App connector upgrade fail, may be below reason
- 1-Upgrade is in a failed state for more than 24 hours.
- 2- The image can not download since there is no disk space left.
- 3- Image can not download due to inconsistent connection between the App
- Connector and co2br (App Connector to Public Service Edge endpoint).
- 4- The Provisioning Key was deleted in the ZPA Admin Portal.
1- Upgrade is in a failed state for more than 24 hrs - we can collect below logs and check
Collect the outputs for the following:
- sudo cat /opt/zscaler/var/version
- sudo ls -lrta /opt/zscaler/var/version
- sudo cat /opt/zscaler/var/updater.version
- sudo /opt/zscaler/var/image.bin -version
- sudo ls -lrta /opt/zscaler/var/image
2- The image can not download since there is no disk space left -
Check the disk space for the following directories:
- sudo df -h /
- sudo du -h /
- sudo du -a/| -n -r | head -n
- Delete any extra directories, except
/opt/zscaler
, to free up space. Once disk space is available, the image will download toopt/zscaler/var/image.bin
3- Image can not download due to inconsistent connection between the App
- Connector and co2br
Verify the App Connector has a stable connection to ZPA Public Service Edge
journalctl -n1000 | grep zscaler-update
4- The Provisioning Key was deleted in the ZPA Admin Portal.
- Go to the App Connector page and identify the App Connector’s group.
- Go to the Provisioning key page and find the App Connector group. If the group is not listed in the App Connector group column, the key is no longer in the ZPA Admin Portal.
- Delete the App Connector and re-enroll it, which will allow you to create a new provisioning key for the App Connector
if none of above reasons are causing the upgrade failures
use below steps -
-->>Restart the App Connector (stop and start)
-->> we can check zscaler public service edge dns
[admin@localhost ~]$ dig +short co2br.prod.zpath.net
13.60.119.37
42.68.244.163
[admin@localhost ~]$
-->> Check if the App Connector can start a TLS connection using the openss1 command. You should receive a certificate subject string returned from the Public Service Edges
If you receive a certificate subject, proceed to the next step.
If you do not receive a subject string, there is likely an error with TLS communication
[admin@localhost ~]$ openssl s_client -servername mockcompany.com.server1.net -connect 13.60.119.37:443 2>&1 | grep subject
subject=/C=US/ST=California/L=San Jose/O=Zscaler/OU=Emerging Technologies/CN=broker1a.sjc8.prod.zpath.net
Note- all screenshot of this blog taken by Zscaler Inc
No comments