Skip to main content

Standard Checking for Troubleshooting

Items to Check (Depending on the possible cause of the issue): ​

  1. App Gateway logs
  2. Docker-related logs
  3. OS-related logs
  4. SAN certificate
  5. Connectivity
  6. Browser trace (for issue related with portal, either user portal or admin portal)
  7. Agent-related logs (for issue related with Safous agent and network application)

App Gateway Logs​

There are two ways to retrieve App Gateway logs:

  1. Console output

    1. Log in to App Gateway server via SSH.
    2. Run the following command: docker logs -f config-idac-1 (or config_idac_1).
    note

    Logs are not persistent and only available since the last container reboot.

  2. File output

    1. Log in to App Gateway server via SSH
    2. Identify the container ID of config-idac-1 (or config_idac_1): docker inspect config-idac-1
    3. Retrieve logs from /var/lib/docker/containers/<container_id>/<container_id>-json.log. 
    note

    This file contains logs from the container's entire lifecycle. If it's too large, use grep to filter relevant logs:

    grep "keyword" /var/lib/docker/containers/<container_id>/<container_id>-json.log

  1. Check running containers:
    • docker ps
  2. Check container images:
    • docker images
  3. Check Docker Compose file:
    • cat /etc/cyolo/config/docker-compose.yml
  4. Check Docker logs:
    • journalctl -xu docker.service

  1. Check OS version:

    • cat /etc/*release*

  2. Check OS firewall status:

    • ufw status

  3. Check machine resources:

    • df -h

    • lsblk

    • free -m

    • cat /proc/cpuinfo

  4. Check system time:

    • date
    • timedatectl
    • ntpq -pn

  5. Check scheduled tasks (Crontab):

    1. sudo crontab -l
    2. cat /var/log/cron.log
Known Issue

MFA to user portal will not function properly if the App Gateway server is not synchronized with the NTP server.

SAN Certificate​

  1. Check certificate content:

    • openssl x509 -in /etc/cyolo/certs/cert.pem -text -noout
    • openssl x509 -in /etc/safous/certs/cert.pem -text -noout

  2. Check certificate file information:

    • ls -lha /etc/cyolo/certs
    • ls -lha /etc/safous/certs

  3. Check script to renew certificate:

    • cat /etc/safous/tools/certbot-renew.sh
    • (optional) try to renew the certicate by running the script: sudo bash /etc/safous/tools/certbot-renew.sh
note

Verify that certificate DNS value is *.(tenant name).ztna.safous.com (or .cn for China tenant) and is not expired. 

Connectivity​

  • Check the connectivity from App Gateway server to Safous' cloud components (repository, POP, certificate generator)
    • ping -c 10 repo.safous.com
    • telnet repo.safous.com 443
    • dig tcp.ztna.safous.com
    • openssl s_client -connect <dig result of tcp.ztna.safous.com>:443 -servername tcp.ztna.safous.com 
    • telnet cert-gen.ztna.safous.com 443

Browser Trace (HAR file)​

  1. Open Browser Developer Tools (DevTools).
  2. Perform the browser operation that reproduces the issue.
  3. Save the HAR file.

For a detailed guide on capturing and saving a browser trace, refer to:

Capture a Browser Trace for Troubleshooting

  1. For Agent Version 1.6.x and later:

    1. Click the Safous Agent icon.
    2. Export logs by clicking Export System Logs.
      image (3)
    3. Compress the saved logs into a .zip file.
    4. Send the compressed file to Safous support.

  2. For earlier versions:

    1. Open Windows Event Viewer
      • Select Start, type Event Viewer, and press Enter.
    2. Navigate to Windows Logs > Application.
    3. Filter the logs to show only Safous-related entries.
    4. Compress the saved logs into a .zip file.
    5. Send the compressed file to Safous support.

Last updated on