Lookout Product Documentation


Checkpoints before starting the connector and accessing ZTNA Applications

If network segment access is enabled, verify the following before starting the connector:

  1. Check if IP forwarding is enabled:
    sysctl net.ipv4.ip_forward

    Output:

    net.ipv4.ip_forward = 1

    If the value is not 1, use the below command to set the value:

    sysctl -w net.ipv4.ip_forward=1
  2. Check that iptables is set up correctly:
    sudo iptables -t nat -L

    Output: the MASQUERADE rule must be present in the POSTROUTING chain:

    ubuntu@ip-10-153-2-154:~$ sudo iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere             mark match 0x5065
  3. If the MASQUERADE rule is missing, add it with the following command (it masquerades only packets carrying firewall mark 0x5065):
    iptables -t nat -A POSTROUTING -m mark --mark 0x5065 -j MASQUERADE
  4. Run the following commands to start the Node Server:
    sudo service node-server start
    sudo service strongswan start
  5. Check that the connector processes are running.
    Three Java processes must be present (agent, sdpc, upgrade). Verify with:
    ps -ef | grep java
  6. Check that the IPsec tunnel configurations are loaded:
    sudo swanctl -L

    Sample output:

    ubuntu@ip-10-XXX-2-XXX:/opt/ciphercloud/node-server/logs$ sudo swanctl -L
    ztna-http-pri-3@q1stage1: IKEv2, no reauthentication, rekeying every 14400s
      local:  10.XXX.X.XXX
      remote: 204.77.168.149
      local pre-shared key authentication:
        id: ztnahttp-q1stage1-3.ciphercloud.io
      remote pre-shared key authentication:
        id: %any
      ztna-http-pri-3@q1stage1: TUNNEL, rekeying every 3600s
        local:  10.XXX.X.XXX/32
        remote: 0.0.0.0/0
      ztna-nonhttp-pri-3@q1stage1: TUNNEL, rekeying every 3600s
        local:  10.XXX.7.0/24 10.XXX.2.0/24 10.XXX.3.0/24
        remote: 0.0.0.0/0
  7. Verify that the IPsec tunnel is established:
    sudo swanctl -l

    Sample output: you should see the status ESTABLISHED.

    ubuntu@ip-10-XXX-2-XXX:/opt/ciphercloud/node-server/logs$ sudo swanctl -l
    ztna-http-pri-3@q1stage1: #1, ESTABLISHED, IKEv2, 4bd289d26e28c0bb_i* f34ccd2cffb58417_r
      local  'ztnahttp-q1stage1-3.ciphercloud.io' @ 10.153.2.153[4500]
      remote 'bgw001-us-west-2.sasestage.flexilis.com' @ 204.77.168.149[4500]
      AES_GCM_16-256/PRF_HMAC_SHA2_256/MODP_2048
      established 146s ago, rekeying in 13600s
      ztna-http-pri-3@q1stage1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/ESN
        installed 146s ago, rekeying in 3247s, expires in 3814s
        in  c32337e6,    0 bytes,  0 packets
        out cdab18bb,    0 bytes,  0 packets, 45s ago
        local  10.153.2.153/32
        remote 172.16.1.5/32
      ztna-nonhttp-pri-3@q1stage1: #2, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048/ESN
        installed 146s ago, rekeying in 3378s, expires in 3814s
        in  ce86f3ee,    0 bytes,  0 packets
        out c95df3bd,    0 bytes,  0 packets
        local  10.153.2.0/24 10.153.3.0/24 10.153.7.0/24
        remote 10.1.0.0/16
      ztna-http-pri-3@q1stage1: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/MODP_2048/ESN
        installed 146s ago, rekeying in 3182s, expires in 3814s
        in  c6df8366, 5141 bytes, 15 packets, 45s ago
        out cf29f58f, 8547 bytes, 15 packets, 45s ago
        local  10.153.2.153/32
        remote 172.16.1.5/32

    If AppArmor restricts the swanctl commands and they produce no output, switch the swanctl profile to complain mode as shown below, then re-run sudo swanctl -L and sudo swanctl -l; their output should match the samples in steps 6 and 7:

    sudo aa-complain /usr/sbin/swanctl