Skip to main content
Skip table of contents

Troubleshooting the gateway

When troubleshooting issues on the Blue Cedar gateway, there is an overall approach for determining the cause of the issue and how to resolve it. The following list summarizes the general flow for troubleshooting the gateway. The remaining topics in this section describe what paths to pursue if the initial debugging does not resolve the issue:

  1. Check the gateway logs (such as how to save logs, rotate them). (See Checking the gateway logs.)

    Note: If the logs do not contain any data about an issue, then move onto step 2.

  2. Check for connectivity issues. 

    1. Check the network connections during the initial setup of the gateway. (See Checking the initial setup of the gateway for connectivity issues.)

    2. Check the firewall ports that are open for the gateway and any backend resource that the gateway needs.

    3. Check the connectivity of the gateway's ports. (See Checking the connectivity of the gateway's interfaces.)

      • Public port

      • Private port

  3. Check the error code for specific troubleshooting information. (See Checking error codes.)

  4. Check for a specific condition.

    1. Check the operational state of IKE—if down, change it to up. (See Checking the operational state of IKE.)

    2. Check the identity certificate (if using certificates for authentication).

    3. Check the configuration of the root certificate (if using certificates for authentication).

  5. Check the FAQs. (See FAQs.)

Checking the gateway logs

The logs provide information that is useful for diagnosing issues with the gateway. Use these CLI commands to enable the saving, viewing, and rotation of the logs.

  • To display the logs on the gateway console:

    BASH 
    > log show

  • To save logs to a file:

    BASH 
    > log dump filename_assigned_by_CLI_User

  • To view the saved logs:

    BASH 
    > file show filename_assigned_by_CLI_User

  • To show logs generated by syslog:

    BASH 
    > file show syslog-generated-filename


    This an example of a log entry that alerts the administrator to configure the gateway to join a new Active Directory domain:

    TEXT 
    Slot:    CB1, SubCls: 999, EID:       0, Type:Genera, Sev:  Info
 [AAA]: New Active Directory provider "region" for domain "region.win.company.com". Use 'request join-active-directory-domain' 
 join domain if not already joined.

  • To rotate logs:

    CODE 
    % set system logging services-logs target console, log, syslog


    Once this command is executed and committed, the gateway automatically rotates the logs.

Checking the initial setup of the gateway for connectivity issues

To ensure that the basic network connections have been configured and the gateway is receiving data traffic, check these components:

  • Ping a server on your local area network 

    BASH 
    > network ping IP_address_of_server


    Note: While the CLI's network ping command works similarly to its Unix or Linux counterparts, it does not have all the options that the standard ping has. To get help, enter network ping -h.

  • Check that the proper firewall ports are open so traffic can pass to and from the gateway.

    If the gateway sits behind a public-facing firewall or in front of a private firewall (which protects an enterprise's backend resources), the appropriate ports in your firewall configuration must be open so that the required data traffic can freely travel between the gateway and the enterprise infrastructure. If a necessary port for the gateway is not opened in the firewall, this can block data traffic.

    For details about the firewall settings, see Configure the firewall ports for the Gateway and Active Directory.

  • Take a packet capture. To capture traffic and write it to a file, use this template. This command captures all traffic that is coming from the gateway (such as Active Directory, LDAP, Certificate Revocation List, or management interface traffic) or from an IPSec tunnel (traffic from mobile clients that hits the public interface and traverses to the private interface of the gateway).

    BASH 
    > network capture start -i interface -w filename


    OptionDescription
    startReserved word that indicates which interface to begin the packet capture.
    -i interfaceMandatory argument that specifies the name of the interface to capture on (such as ethernet0).
    -w filenameName of the file that captured packets are written to.

    Note: There are additional options for this template (such as "print available network interfaces" or "don't verify checksums"). To view the entire list, enter network capture start -help .

    Example

    BASH 
    > network capture start –i ethernet0 –w cap.pcap

  • Check the routers along the path to the domain you're trying to reach:

    BASH 
    > network traceroute host

  • If you are joining a domain, run dns-lookup on the hostname and the IP address of that domain to make sure they can be resolved.

    BASH 
    > network dns-lookup hostname
> network dns-lookup IP-address

For more options for ping, traceroute, and dns-lookup, see Network testing and diagnostic procedures.

If you can connect and pass traffic to and from the gateway, then you have confirmed that the gateway does not have any connectivity issues. However, if the gateway cannot make any connections, then follow the next steps for troubleshooting the connections.

Checking the connectivity of the gateway's interfaces

If troubleshooting the initial setup of the gateway does not debug the connectivity issues, the next area to examine is the connectivity of the gateway's interface ports. As mentioned in Quick start configuration steps, one of the first setup tasks for the gateway was configuring the ports that handle the data traffic between the gateway and its clients. Use the following "show" commands to display operational information for each port that can help you debug the connectivity issues: 

  • To debug the Public Interface port (handles the traffic for creating an IPSec tunnel, which allows a Blue Cedar-secured app to connect to the gateway)

    BASH 
    > show status operational context default ports-operational ethernet1

  • To debug the Private Interface port (handles the forwarding of mobile app data to the appropriate network port)

    BASH 
    > show status operational context default ports-operational ethernet0


    Example

    BASH 
    > show status operational context default ports-operational
Possible completions:
 ethernet0
 ethernet1

Checking the operational state of IKE

If the connections between Blue Cedar-secured apps and the gateway are failing, it could be that the gateway's Internet Key Exchange (IKE) is not working. This would prevent the creation of the IPSec tunnels for establishing a Security Association and exchanging keys to secure the connection between the gateway and its secured clients.

There are several useful CLI commands for troubleshooting the operational state of IKE:

  • To turn on IKE debugging, use these commands:

    BASH 
    % set system logging ike severity debug 
% commit

  • To check the IKE operational state, use this CLI command:

    BASH 
    > show status operational context default servers ike-state 1 oper-state

  • If IKE operational state is down, switch to configure mode and reset the admin-state element by toggling it to restart IKE:

    BASH 
    % set security ike ike-name admin-state down 
% commit  
% set security ike ike-name admin-state up  
% commit 
Commit succeeded.

  • If the IKE operational state is down and certificates are used for authentication (auth-type=certs or auth-type=hybrid_or_certs), use this command to check the identity-certificate for the gateway:

    BASH 
    > show config configuration context default aaa pki identity-certificate


    Note: Check that the value for the identity certificate is named "ike". This is the only valid value for setting the IKE identity certificate on the gateway. Also, makes sure that the data for the p12-pem-data element and the contents of the passphrase are also displayed. The content of the identity-certificate is unreadable because it is encrypted.

  • If IKE Certificate authentication is failing, enter this command to check the configuration of the Root Certificate Authority:

    BASH 
    > show status operational context default aaa-operational trusted-certificate


    This command shows how the gateway has parsed all the encrypted information for a trusted-certificate-authority parameter into actual data. It is useful for checking that the data for your trusted certificate is the correct data. You match up the Common Name and expiration dates with what is on your certificate.

  • To determine if the Blue Cedar-secured app connection attempts with the gateway are succeeding or failing, use this command:

    BASH 
    > show status operational context default servers ike-state 1 ike-counters-table


    Scroll down the data until you find the tables named "Conn Attempted", "Conn Active", "Conn Success", and "Conn Deleted". These tables display the counters that indicate the successful or failed connection attempts.

    BASH 
    ike-counters-table 7 {
 ctr-name "Conn Success";
 ctr-action "Count and Trigger";
 ctr-level Info;
 ctr-count 0;
 ctr-trigger-count 0;
 ctr-help Help...;
}
 
ike-counters-table 8 {
 ctr-name "Conn Deleted";
 ctr-action "Count and Trigger";
 ctr-level Info;
 ctr-count 0;
 ctr-trigger-count 0;
 ctr-help Help...;
}
 
ike-counters-table 9 {
 ctr-name "Conn Active";
 ctr-action Count;
 ctr-level Debug;
 ctr-count 0;
 ctr-trigger-count 0;
 ctr-help Help...;
}
 
ike-counters-table 10 {
 ctr-name "Conn Attempted";
 ctr-action Count;
 ctr-level Debug;
 ctr-count 0;
 ctr-trigger-count 0;
 ctr-help Help...;
}

On this page

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close