The ZTNA connector appears to install correctly after running the install script on a Linux host.
The ZTNA Portal shows the new connector, but its status is offline.
Restarting the connector and the Linux host does not change the status.
The connector runs in a secure environment where a firewall restricts outbound access to a handful of hosts.
No DNS server is accessible from the ZTNA connector host.
ZTNA.
Connector installed on a Linux host running Docker.
Connector version 2.10.14.
DNS failure.
Make sure that connectivity to all of the hosts below exists; note that the IP addresses may differ depending on the region you are in.
The subnet is part of a restricted, closed network without a DNS server, so manual hosts-file entries for the following hosts were needed for the installation to complete successfully:
# Loopback entries; do not change.
# For historical reasons, localhost precedes localhost.localdomain:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
#.#.#.# luminatesec.io
#.#.#.# docker.io
#.#.#.# luminatesec.com
#.#.#.# registry-1.docker.io
#.#.#.# auth.docker.io
#.#.#.# production.cloudflare.docker.com
#.#.#.# registry.access.redhat.com
#.#.#.# luminate-ws.example.luminatesec.com
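As an added example (not a script from the article or the vendor), the following POSIX sh pre-flight check confirms that every hostname in the list above is mapped to a real address in an /etc/hosts-style file before the installer is run. Lines still carrying the "#.#.#.#" placeholder are treated as unfilled, so they are reported as missing. The HOSTS_FILE and DO_NET variables and the function names are assumptions of this example; the workspace hostname is the article's example value and must be replaced with the one for your tenant.

```shell
#!/bin/sh
# Added example, not the article's or vendor's own script: verify that the
# hosts the connector needs are mapped to real addresses in an /etc/hosts-style
# file before running the installer. HOSTS_FILE, DO_NET and the function
# names are assumptions of this example.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# Hostnames from the article's list. The last one is the article's example
# workspace hostname; replace it with the hostname shown for your tenant.
REQUIRED_HOSTS="luminatesec.io docker.io luminatesec.com registry-1.docker.io
auth.docker.io production.cloudflare.docker.com registry.access.redhat.com
luminate-ws.example.luminatesec.com"

# hosts_lookup FILE NAME: print the address mapped to NAME in FILE, or nothing.
# Comment lines and unfilled "#.#.#.#" placeholder lines are skipped, so a
# placeholder left in the file shows up as a missing host rather than a hit.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # drop comments and placeholders
        NF < 2 { next }                         # need at least "addr name"
        $1 ~ /^[0-9.]+$|^[0-9a-fA-F:]+$/ {      # first field must be an IPv4/IPv6 address
            for (i = 2; i <= NF; i++)
                if ($i == name) { print $1; exit }
        }' "$1"
}

# check_required_hosts FILE: report every required host; return 0 only when
# all of them resolve through FILE.
check_required_hosts() {
    file="$1"; missing=0
    for h in $REQUIRED_HOSTS; do
        ip=$(hosts_lookup "$file" "$h")
        if [ -n "$ip" ]; then
            printf 'ok       %-40s %s\n' "$h" "$ip"
        else
            printf 'MISSING  %-40s no usable entry in %s\n' "$h" "$file"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_tcp FILE PORT: the same reachability test the article ran with nc,
# applied to every required host's address. Only runs when DO_NET=1 because
# it needs network access to the firewalled hosts.
check_tcp() {
    file="$1"; port="$2"
    for h in $REQUIRED_HOSTS; do
        ip=$(hosts_lookup "$file" "$h")
        [ -n "$ip" ] || continue
        if nc -z -w 3 "$ip" "$port" >/dev/null 2>&1; then
            printf 'open     %-40s %s:%s\n' "$h" "$ip" "$port"
        else
            printf 'BLOCKED  %-40s %s:%s\n' "$h" "$ip" "$port"
        fi
    done
}

# Run with: sh preflight.sh check   (add DO_NET=1 to include the TCP test)
if [ "${1-}" = "check" ]; then
    check_required_hosts "$HOSTS_FILE"
    if [ "${DO_NET:-0}" = 1 ]; then
        check_tcp "$HOSTS_FILE" 443
    fi
fi
```

The hosts-file check runs offline, which matters on a host with no DNS; the TCP test is separated behind DO_NET=1 so the two failure modes (no name mapping versus firewall block) are reported distinctly, which is exactly the distinction the article's troubleshooting hinged on.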
Note: Use the docker command "sudo docker ps" to get the container id of the ZTNA connector.
The container logs (sudo docker logs $container_id > ztna_container_logs.txt ) showed over 161k entries with read errors:
time="2024-03-05T15:01:49Z" level=warning msg="Failed to open connection" ApplicationId=control ClientSessionId=dbc6607c-ac62-44d5-867a-adaaf28c7448 Location="wss://luminate-ws.example.luminatesec.com/v1/connector-orchestrator/######-####-####-####-########/control?connector-version=2.10.14%2B5247" connectorVersion=2.10.14+5247 error="read tcp 10.1.1.1:60216->34.117.76.142:443: read: connection reset by peer" PID=13
Here 34.117.76.142 is a ZTNA public IP address published in the ZTNA firewall documentation. However, the TCP connection itself did not appear to be the issue:
root@fedora:/home/bsnsqa# nc -z -v 34.117.76.142 443
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 34.117.76.142:443.
Ncat: 0 bytes sent, 0 bytes received in 0.09 seconds.
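A log of 161k lines is hard to read by eye; as an added example (not tooling from the article or the vendor), the following POSIX sh functions collapse a connector container log into counts per error string and per remote peer, so the dominant failure and the peer it involves stand out. The function names are assumptions of this example, and the sample log is constructed, modelled on the warning line quoted above with the session id and location fields omitted.

```shell
#!/bin/sh
# Added example, not from the article: collapse a large connector container
# log into counts per error string and per remote peer. Function names and
# the sample log are assumptions/constructed for this example.
# Usage on a live host: sudo docker logs "$container_id" 2>&1 | error_histogram

# error_histogram: print "<count> <error string>", most frequent first.
# The ephemeral local port differs on every attempt, so it is normalised
# away before counting; otherwise each retry would be its own bucket.
error_histogram() {
    sed -n 's/.*error="\([^"]*\)".*/\1/p' |
    sed 's/tcp [0-9.]*:[0-9]*->/tcp LOCAL->/' |
    sort | uniq -c | sort -rn
}

# count_error TEXT: number of records whose error string contains TEXT.
count_error() {
    sed -n 's/.*error="\([^"]*\)".*/\1/p' | grep -cF -- "$1" || true
}

# peer_histogram: for "read tcp LOCAL->REMOTE" style errors, count by REMOTE
# so the address to check against the published firewall list is obvious.
peer_histogram() {
    sed -n 's/.*tcp [0-9.]*:[0-9]*->\([0-9.]*:[0-9]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample, modelled on the warning line quoted in the article
# (fields shortened; the session id and location are omitted).
SAMPLE_LOG='time="2024-03-05T15:01:49Z" level=warning msg="Failed to open connection" ApplicationId=control error="read tcp 10.1.1.1:60216->34.117.76.142:443: read: connection reset by peer" PID=13
time="2024-03-05T15:01:50Z" level=warning msg="Failed to open connection" ApplicationId=control error="read tcp 10.1.1.1:60217->34.117.76.142:443: read: connection reset by peer" PID=13
time="2024-03-05T15:01:51Z" level=info msg="Reconnecting" ApplicationId=control PID=13
time="2024-03-05T15:01:52Z" level=warning msg="Failed to open connection" ApplicationId=control error="read tcp 10.1.1.1:60218->34.117.76.142:443: read: connection reset by peer" PID=13
time="2024-03-05T15:01:53Z" level=error msg="Image pull failed" error="dial tcp: lookup docker.io: no such host" PID=13'

# Run with: sh connector_log_triage.sh demo
if [ "${1-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | error_histogram
    printf '%s\n' "$SAMPLE_LOG" | peer_histogram
fi
```

On the constructed sample the histogram shows three resets from 34.117.76.142:443 and one "no such host" for docker.io; on a real host the second kind of entry is the one that points at the missing hosts-file mapping or firewall rule rather than at the ZTNA endpoint itself.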
PCAPs taken on the connector host showed that requests to docker.io were failing. Only after the firewall administrator allowed this host through did the connector go online.