Introduction

This guide provides instructions and guidance for troubleshooting issues with a CoIP Access Platform deployment.

Endpoint Status and the Control Channel

Once CoIP Access Platform components (zLink agents and Gateway Proxies) come online, they maintain a control channel to the zCenter orchestrator in order to provide status indication (heartbeat), receive policy updates, send logs and telemetry to zCenter, and to set up CoIP data connectoins. This control connection is made outbound from the agent or Gateway Proxy to zCenter, through an encrypted TLS 1.3 tunnel using TCP port 443.

A properly functioning and onboarded endpoint will be displayed in the zCenter administration portal under Onboarding and Management > Applications.  When an Application object is selected, click on the endpoint hostname in the list of endpoints to display information about that endpoint and its status.

If the endpoint is online and connected correctly to the zCenter, you will see a green status indicator that shows the endpoint is online.

Green status indicator suggests there are no detected issues with CoIP running on this endpoint.

If the endpoint is offline, the indicator will be gray.  Endpoints can be in an offline status for various reasons; confirm that the endpoint is running properly and verify connectivity from the endpoint to the zCenter over 443/tcp.

 A red status indicator indicates more complex error conditions – for example, a failure in deploying security policies.  Contact Zentera support for assistance in debugging a red status indicator.

Testing Connectivity

As Access Policies specify end-to-end connectivity between endpoints based on their assigned Application role, debugging connectivity issues over complex network infrastructure is significantly simpler than with traditional infrastructure tools.  However, many of the same network debugging tools and approaches are effective in testing CoIP Access Platform.  Tools such as ping, iperf, tcpdump, and netstat can be used directly with CoIP by usng the CoIP address of the remote endpoint. Note that because CoIP Access Platform creates end-to-end connections between pairs of endpoints, other tools such as traceroute may not be informative, as all remote endpoints appear to be one hop away.

Note: debugging tools such as ping and iperf are no different from any other applications, from the CoIP perspective. If your Access Policy between two Applications is not configured to allow ICMP traffic, you will not be able to ping between two servers. For bidirectional ping, ICMP traffic must also be enabled in both directions.

In addition to standard diagnostic tools, CoIP Access Platform supports built-in ping and iperf tests accessible from API or from the zCenter Admin Portal. The API tests can be used to support automated testing, while the Admin Portal enables remote testing with a web interface; both versions set up, run, and report diagnostic results through the endpoint control channel, so administrators do not need to log into the endpoint to run a test.

Built-in ping/iperf are available in Monitoring and Reporting > Diagnostics.

The built-in tests also allow split-connection testing of a CoIP connection. To perform a split-connection test, choose a ZNS node or the zCenter as a target for the ping, this split-connection test can be useful to identify problems caused by ZNS reachability issues, or to help isolate a performance issue to a specific underlay link.

Split-connection testing can help localize connectivity or performance problems to one side of the CoIP link.

Debugging Logs

The following logs may be useful in identifying issues with a CoIP Access Platform deployment.

Client-side logs

The primary zLink and Gateway Proxy log, zasa.log, can be found at /usr/local/zasa/zasa.log on Linux machines, or at C:\Program Files\Zentera\zasa\zasa.log  on Windows machines. If an endpoint is unable to connect to zCenter, or to create/establish connections with other machines.

API support exists for retrieving zasa.log from an endpoint remotely.

Server-side logs

zCenter maintains comprehensive logs about the status of endpoints and connections that it manages. This information is stored in the file zentera.log, which can be downloaded from the zCenter Advanced Mode view, under Service Management > Appliance Logs.