Troubleshoot connectors

Connector deployment and connectivity issues may limit or block access to applications, directories, and identity providers (IdPs).

Troubleshoot connector installation

VMware ESXi error: Failed to deploy VM: postNFCData failed

After you install a VMware ESXi hypervisor and try to deploy an EAA connector with the vSphere Web Access, you may get VMware ESXi error message:

Failed to deploy VM: postNFCData failed
  1. Upgrade the VMware ESXi Embedded Host Client to the latest version. In a new browser window open https://labs.vmware.com/flings/esxi-embedded-host-client and follow VMware's instructions.

  2. Instruct the ESXi Embedded Host Client to download and apply the VIB file available from the previous step. To learn more see the VMware product documentation.

  3. In the VMware ESXi Embedded Host Client select Help > Check for updates.

  4. Try to deploy VMware vSphere Client again.

VMware ESXi error: VMware ESXi Embedded Host Client compressed disk image error

After you troubleshoot the VMware ESXi error Failed to deploy VM: postNFCData failed and upgrade the VMware ESXi Embedded Host Client to the most recent version, you may get an additional error message in the VMware Embedded Host Client when you select storage:

The VM you are trying to deploy contains compressed disk images. Host client is currently not able to deploy VMs that contain compressed disk images. Please consider using OVFTool or vCenter Server to deploy this VM.
  1. Use the VMware Open Virtual Machine Format (OVF) tool to import virtual machines (VMs) with compressed disk images.

  2. In the OVF tool enter:

    ovftool.exe --acceptAllEulas -ds="<your-datastore-name>" -dm="<thick|thin>" --net:"VM Network"="<your-portgroup-name>" agent.ovf "vi://<your-esxi-ip>"`. For example, `ovftool.exe --acceptAllEulas -ds="datastore1" -dm="thick" --net:"VM Network"="VM Network" agent.ovf "vi://172.25.228.134"
    
  3. Use the OVF tool to deploy the connector.

  4. Try to deploy VMware vSphere Client again.

Amazon Web Services connector

If you installed a connector in Amazon Web Services but are not able to approve the connector in EAA, the connector did not deploy properly from AWS. Try to make changes to the Amazon Machine Image (AMI) in your AWS account:

  1. Log in to your AWS account.

  2. Locate the connector instance.

  3. Make sure that the AWS network address translation (NAT) instance is correct in AWS.

    1. Verify the Instance type is correct. For the minimum NAT instance type, see Install a connector in Amazon Web Services.

    2. Verify the Public IP is correct. If this is incorrect, it affects whether traffic can flow in and out of the Amazon Virtual Private Cloud (VPC).

    3. Validate permission for AWS CloudFormation. To learn more about the AWS and access see Amazon's Controlling Access with AWS Identity and Access Management.

  4. Make sure that the outbound TCP port 443 is open on both the edge firewall and the VPC NAT gateway.

Connector check-in failure

If connectivity between the connector and the EAA service is impaired, there are few common reasons for this issue to check:

  • The security groups or access lists are preventing the connector from reaching the Internet.

  • The connector IP belongs to a subnet that is not allowed to send traffic out to the Internet. Review the routing policies for the subnet.

  • The DNS server configured for the VPC is incorrect and cannot resolve the EAA service.

  • A forward proxy in the data path that is impacting the connectivity. Contact your networking team to setup an allow rule for the connector source internal IP address.

Connector health monitoring

Load indicator helps to assess the health of connector based on performance metrics like disk, CPU, memory, traffic and active dialouts.

The EAA connector card helps you troubleshoot the connector issues, and directly access applications, directories associated with the connector. If your connector has high load, you can improve its health by reducing the load. A connector card in the Enterprise Center, under Connectors gathers the basic information:

connector_health_monitoringconnector_health_monitoring

  • Version. The EAA connector's version.

  • OS version. The OS version of the server it is installed on.

  • Geo IP. EAA infers the geographical location of the connector from the IP address and displays it in the connector card. Choose the connector closest to the application's EAA Cloud zone location. This improves the performance of your apps as it reduces the latency.

  • Apps (Up/Down). Apps Up are the applications that are deployed and running. Apps Down are the applications in ready to deploy or deployment failed state. Click on applications up down link to filter only applications associated with this connector. You can make any configuration changes like adding another connector, change the connector and redeploy the application.

  • Directories (Up/Down). Directories Up are the directories that are reachable and have network connectivity. Directories Down are the directories that are unreachable and have no network connectivity. Click on the directories up down link to filter only directories associated with this connector. You can make any configuration changes to the directory like adding another connector, change the connector.

  • Load. The load on the connector is indicated by a thermometer. It is based on performance metrics like System - CPU, memory, disk utilization, traffic and the number of active dialouts. The active dialouts are the total number of outbound connections from all applications and directories associated with the connector.

The below table interprets the load based on performance metrics like System resources (CPU, memory, disk, traffic) and active dialouts.

LoadPerformance metrics interpretationPerformance metrics base
Red thermometer> 70%Any of the System resources or active dialouts > 70%
Orange thermometer50% to 70%Any of the System resources or active dialouts 50% - 70%
Green thermometer< 50%All of the System resources and active dialouts < 50%

Click on the Connector Performance to see the different performance metrics for a selected time frame (from one hour to seven days). For longer period you choose it takes longer to load data.

  • System. The chart shows the values for CPU, memory, disk and traffic in the time frame. Click on the legend for any of the System resources to deselect it and remove it from the graph.

  • Resource. Shows the total number of dialouts of all access applications (web, SSH, RDP), and directories. The total dialout is a sum of active dailout and idle dialout. Active dailout is when there is active traffic between the connector and the Enterprise Application Access Cloud when the application is in use. Idle dialout is the dialout when the application is idle and is not in use.

  • Applications. Shows the average active concurrent connections per application for the top five apps or all the applications associated with the connector, that are used by the users of the organization. Deselect any of the applications to remove it from the graph. The concurrent active connections are recorded at regular intervals, which changes based on the performance metrics duration that you select (Last 1 hour, 4 hour, 1 day, or 7 days), and its average value is the Average Active Concurrent Connections.

Save any of these graphs as a gif image, share them with ‚ÄčAkamai‚Äč support when you see any unusual behavior.

Troubleshoot high load issues

When the connector load is high (>70 %), for optimal performance for users, it is best to reduce the load on your connector.

  1. Click the performance icon on the connector card where the red thermometer indicates high load to see the system, resource, and applications graphs.

  2. Check which performance metric is above 70%.

    1. If it is caused by CPU, Memory, or Disk values, check connector requirements and add additional hardware if required. If it does not fix the problem, contact support.

    2. If it is caused by too much traffic in the System graph or too many total active dialouts of all applications and directories in the resource graph, check the applications graph. Disable each application at a time and find the application causing the highest dialout.

    3. Add another connector for the application and see if the traffic reduces, dialouts reduce, and the load changes to medium. If it does not fix the problem, contact support.

ūüďė

RDP applications, TCP-type client-access applications, and tunnel-type client-access applications may show higher dialouts than other apps like web, SSH, or VNC apps.

Troubleshoot connectivity issues

The connection issues between your ‚ÄčAkamai‚Äč connector and application may limit or block access to an application.

Enable or disable remote debugging

In order to test connector connectivity to applications with troubleshooting tools enable remote debugging for a connector.
This is different function from the service and debug mode.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.

  3. To configure your connector click Edit Connector.

  4. Enable Remote debugging is enabled in the Debugging column. To disable it, move it to Remote debugging is disabled.

    ūüďė

    After you resolve the issue, deselect the option to disable it again, which is the default value. This option must be unchecked unless you are working with support to solve connector issues.

  5. Click Save connector.

Troubleshoot an unreachable connector

Connectors are reachable, or connected, when a Connector is running message displays next to it. If a Connector is unreachable error message displays, the connector is unreachable or down.

The Connector is unreachable error message means that there are network problems that do not let the connector establish a connection to the EAA Cloud. To troubleshoot:

  1. Verify that the connector is on and that it has Internet access.

  2. Make sure the virtual machine (VM) is up and running.

  3. Make sure the VM instance has network connectivity on port 443 to the Internet.

  4. Check to see if the VM is reporting the correct IP address associated with the connector.

Test connector connectivity to apps with troubleshooting tools

Prerequisite:

ūüďė

If a connector is unreachable or remote debugging is not enabled, the troubleshooting tools are not visible for a connector.

The EAA connectors have common networking tools that allow to troubleshoot connectivity issues between a connector and its associated applications. Each tool includes a field where you enter information. A terminal window is embedded in the EAA to show query results.
Troubleshooting tools are gathered in the table below.

Troubleshooting tool utilityDescription
digQueries the DNS server and retrieves information about a hostname such as its resolvable IP address.
PingDetermines if the application host or IP address is reachable from the connector and available to accept requests.
TraceRouteTracks the route that IP packets take from the connector to the application host or IP address.
LFTTraces the route from the connector to the application host or IP address and retrieves additional routing and network information such as the autonomous system (AS) number and detected firewalls.
cURLChecks if the application URL is reachable from the connector. To troubleshoot application reachability issues, you can use cURL to execute GET and POST requests and inject or add headers to the request.
FiddlerA third-party tool that is useful for capturing HTTP/HTTPS traffic and saving as a log file to trace traffic issues.

Next, run a connector troubleshooting utility.

Run a connector troubleshooting utility

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.

  3. Click the Open Diagnostic Options next to your connector.

  4. Select the tool: Dig, Ping, TraceRoute, LFT, or cURL.

  5. Enter your application hostname or IP address.

  6. Click Run.
    Pending status appears until the query or test is complete.
    When the query is complete, success message and information on the hostname appears.

Self-upgrade of connectors

Enterprise Application Access (EAA) connectors are automatically upgraded to pick up the latest version available in the EAA repository.

Your deployed EAA connectors check the connector repository. When a new version is available, it is automatically uploaded and the new version of a connector has the Last updated time stamp. The download and upgrade process takes about 15 minutes.

If your connector inside the data center is shut down or is unable to reach the EAA service, the upgrade fails after three attempts. Also, there's no automatic upgrade if the connector has custom configuration. To update connector manually contact support.

Gather a Fiddler trace

Download and use Fiddler to capture HTTP/HTTPS traffic. Save the data as a log file. This data is useful for troubleshooting traffic issues.

  1. Download and install Fiddler.

  2. Run Fiddler and go to Tools > Fiddler Options.

  3. On the HTTPS page, verify that Capture HTTPS Connects is enabled.

  4. Verify that Decrypt HTTPS traffic is enabled with the ...from all processes option.

  5. Minimize Fiddler to your tray.

  6. Replicate the reported issue.

  7. In Fiddler, go to File > Save > All Sessions and save the archive.
    Archive the file and share it with support.