Lab 6: Troubleshooting Unified Access Gateway and Edge Services

Objective and Tasks

Troubleshoot Content Gateway connectivity and export troubleshooting logs:
1. Collect Logs from Unified Access Gateway
2. Troubleshoot Content Gateway Edge Service Connectivity

Task 1: Collect Logs from Unified Access Gateway

Scenario: Recently, users at Techseals have reported intermittent Omnissa Secure Email Gateway connectivity problems and random timeout problems with Omnissa Tunnel. An Omnissa support engineer asked you to send the latest Unified Access Gateway logs to further troubleshoot these issues.
 

You export the Unified Access Gateway log from the Unified Access Gateway administration console.

  1. From the lab environment interface, log in to the uem-01a VM.
    • Username: techseals\administrator
    • Password: Pa$$w0rd
  2. Open the Unified Access Gateway administration console.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon.
    2. On the bookmarks bar, click UAG.
    3. Log in to Unified Access Gateway.
      • User name: admin
      • Password: Pa$$w0rdPa$$w0rd
  3. Under Configure Manually, click Select.
  4. Scroll down to Support Settings.
  5. Next to Log Archive, click the Download icon.  This will start the downloading process.
NOTE
The Log Archive utility might take up to 10 minutes to prepare the log bundle.
  1. On the uem-01a Windows taskbar, click the File Explorer icon.
  2. Navigate to the Downloads folder.
  3. Extract the Unified Access Gateway log bundle.
    1. Right-click the UAG-uag.techseals.co-<date_and_time>.zip file.
    2. Select Extract All...
    3. Accept the default extraction destination and click Extract.
      When the ZIP file extracts, a UAG-uag.techseals.co-<date_and_time> folder is created in the Downloads folder. After file extraction, the UAG-log-archive folder automatically opens.
      You can see the log files collected from the Unified Access Gateway instance.
  4. Close File Explorer.
  5. Return to the Unified Access Gateway administration console.
  6. Next to Log Level Settings, click the settings icon.
    The settings icon resembles a gear.
NOTE
You use the Log Level Settings drop-down menu to modify the logging level for the Unified Access Gateway logs.
  1. Click Cancel

Task 2: Troubleshoot Content Gateway Edge Service Connectivity

Scenario: Omnissa Beans hosts servers at two sites, the primary site and the disaster recovery (DR) site. The two sites have identical setups, and the data is backed up between the sites daily. Whenever the primary site fails, the network team modifies the service IP addresses to use the DR site's fully qualified domain name (FQDN) and IP addresses (172.16.50.0/32). When the services are recovered at the primary site, the network team changes the service IP addresses back to use the primary site's FQDN and IP addresses (172.16.10.0/32).

Recently, Omnissa Teachseals failed over all services to the DR site because the primary site experienced a complete power loss as a result of severe weather conditions. Even after the services were restored to the primary site, the Content Gateway edge service connectivity continues to fail.

Root cause: After examining the network connectivity, you discover that the Content Gateway FQDN was not updated with the primary site's FQDN and IP addresses.

You resolve the Content Gateway connectivity problem by correcting the host name and IP addresses.

  1. Open the Workspace ONE UEM administration console.
    1. On the uem-01a VM Windows taskbar, click the Google Chrome icon.
    2. From the bookmarks bar, select UEM .
      You can also enter https://wsone.techseals.co in the address bar to access the UEM console.
    3. Log into Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  2. On the Workspace ONE UEM console top menu bar, verify Techseals is selected from the Organization Group drop-down menu.
  3. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Content Gateway.
  4. In the Techseals Content row, select the radio button above the edit (pencil) icon.
    A TEST CONNECTION button appears above the Techseals Content row.
  5. Click TEST CONNECTION.
    The test fails.
IMPORTANT
Because the Content Gateway instance is deployed as an edge service on the Unified Access Gateway appliance, you must review the Content Gateway configuration and status in the Unified Access Gateway administration console.
  1. Click x in the upper-right corner to close the Content Gateway test connection dialog box.
  2. Open a new tab in Chrome and click UAG on the bookmarks bar.
  3. Log in to Unified Access Gateway.
    • User name: admin
    • Password: Pa$$w0rd
  4. Under Configure Manually, click Select.
  5. Turn on the Edge Service Settings toggle.
    The list of edge services appears.
  6. Next to the Content Gateway Settings, click the settings icon.
    The Content Gateway Settings dialog box appears.
  7. Review the configuration and verify that the settings have the correct values.
    • API Server URL: https://wsone.techseals.co
    • API Server Username: APIAdmin
    • Content Gateway Hostname: content.techseals.co
    • Content Gateway Configuration GUID: b3c00218-13a2-4ae2-95c6-24a949e490fc
  8. Compare the Content Gateway Configuration GUID value in the Workspace ONE UEM console and the Unified Access Gateway console.
    1. Click the Workspace ONE UEM Console browser tab.
      The Settings dialog box should still be open on the Content Gateway page.
    2. In the Techseals Content row, scroll to the right until the Content Gateway Configuration GUID column is visible.
    3. Verify that the Content Gateway Configuration GUID value is the same as the value configured in the Unified Access Gateway console.
NOTE
Because the Content Gateway Configuration GUID value is the same in both administration consoles, the Content Gateway connectivity problem is most likely related to networking.
  1. Connect to the ControlCenter VM and log into the VM.
  2. On the ControlCenter VM Windows taskbar search box, type cmd.  Then click Command Prompt in the Best match section.
  3. Type ping content.techseals.co then Enter to run the command that pings the Content Gateway URL.
    The ping resolves to 172.16.50.222 and then times out.
NOTE
The 172.16.50.0/32 subnet was designed to be the failover site for DR. The failover site was shut down after failing back to the main site.
  1. On the ControlCenter Windows taskbar, click the DNS Manager icon.
    The DNS Manager icon resembles a pyramid with a globe above it.
  2. In the DNS Manager window, in the navigation pane on the left, navigate to DNS > CONTROLCENTER > Forward Lookup Zones > techseals.co.
  3. In the center pane, right-click the content record and select Properties.
    The FQDN for the target host is set to uagDR.techseals.co.
NOTE
The uagDR.techseals.co domain name is the Unified Access Gateway FQDN in the failover site. The failover site server FQDNs all end with DR (for example, uagDR.techseals.co) which stands for Disaster Recovery.
You must change the target host destination to the Unified Access Gateway FQDN in the primary site, which is uag without DR (for example, uag.techseals.co).
  1. Next to the uagDR.techseals.co., click Browse.
  2. Modify the content record to point to the correct target host.
    1. Under Records, double-click ControlCenter in the Name column.
    2. In the Name column, double-click Forward Lookup Zones.
    3. In the Name column, double-click techseals.co.
    4. In the Name column, select uag.
    5. Click OK.
    6. Click Apply. Then click OK.
NOTE
If you receive a DNS error message 'The record cannot be updated. Refused', click OK. And then select another target host from Forward Lookup Zones > techseals.co > uag, and click Apply.
  1. Close the DNS Manager window.
  2. On the ControlCenter VM Windows taskbar, click the Command Prompt icon.
  3. Run the ipconfig /flushdns command to flush the DNS resolver cache.
  4. Close the Command Prompt window.
  5. Go to the uem-01a VM
  6. On the uem-01a VM Windows taskbar, search box, type cmd.  Then click Command Prompt in the Best match section.
  7. Enter Command Prompt in the search box.
  8. From the search results, select Command Prompt.
  9. Run the ipconfig /flushdns command to flush the DNS resolver cache.
  10. Close the Command Prompt window.
  11. On the uem-01a desktop, open Chrome to return to the Workspace ONE UEM console.
    The Settings dialog box should still be open on the Content Gateway page.
  12. At the top of the Settings dialog box, verify that Techseals is selected from the Organization Group drop-down menu.
  13. On the Content Gateway page, verify that the button for the Techseals Content row is selected.
  14. Click Test Connection.
    The test is successful.
NOTE
Allow up to 30 minutes for the Content Gateway edge service to restore connectivity.
  1. Close the Test Connection Result dialog box.
  2. Close the Settings dialog box.
  3. Click OK to discard the changes.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.