After an Appliance has been configured and seeded, the next step is to register the appliance with the Controller. This should happen automatically, except when there are networking issues that may prevent the new appliance from registering correctly. This section provides guidance on troubleshooting appliances that do not register automatically.
Before you start
You will need SSH access to the Controller and the new appliance.
Troubleshooting registration issues
The Appliances page (System > Appliances) displays the state of all appliances. When a new appliance has been configured, it will appear on the Appliances list as Not Active until it is activated. If the appliance is showing status information, a version number, and statistics, then it is correctly registered. If your new appliance remains Not Active after several minutes, try the following steps to identify where the issue lies.
Why has my appliance not Activated?
The usual causes of registration failure are networking, firewall, and DNS problems. Open the Appliances page and look at the appliance’s status to see if it is active yet.
All new appliances must connect to the Controller to be activated. So if an appliance is Not Active then either the appliance does not know where “home” is (it is not seeded) or the new appliance cannot make an outbound connection on port 443 to the Controller.
Contacting the new appliance
The first thing to do is to SSH to the new appliance using its IP address and DNS name. For example:
$ ssh -i ~/keys/my-key my-controller.uksouth.cloudapp.azure.com
$ ssh -i ~/keys/my-key cz@52.243.40.102
If you cannot connect using the DNS name, then there is a DNS registration problem with the new appliance.
Once logged in you should see the following:
Authorized uses only. All activity may be monitored and reported.
Last login: Wed Jul 22 09:01:11 2020
Welcome to Appgate SDP (GNU/Linux 5.3.0-61-generic x86_64)
appgate 5.2.0-21363-release (image1)
Hint: run 'sudo cz-setup' for appliance management.
Check if the appliance is seeded
To check if the appliance is seeded, enter:
$ cat /mnt/state/last-state
Once the appliance is in a steady state you should get:
waiting_config - this means the seed file has not been found. See manual seeding of an appliance.
appliance_ready - this means the appliance is seeded and ready to talk to the Controller. May show other states if it is a Controller.
Check if the Controller is reachable
To see if you can contact the Controller, use the nc command. For example:
$ nc -z -v my-controller.uksouth.cloudapp.azure.com 443
$ nc -z -v 51.140.54.245 443
If you cannot connect using the DNS name then there is a DNS registration problem with the Controller appliance.
If all is well then you should get:
Connection to my-controller.uksouth.cloudapp.azure.com 443 port [tcp/snpp] succeeded!
If you cannot connect at all, then you need to check the outbound firewall rules at the Gateway and the inbound rules at the Controller.
Once activated, the appliance will show on the dashboard within a short time and indicate its health status. If it is not reporting as Healthy then it is possible that it is only partially connected. This might be the case with Controllers that are required to make connections in both directions.
Why does my appliance status display as Warning?
If the dashboard displays a Warning status, it may not have registered correctly and there are still some networking, firewall, or DNS issues remaining:
An appliance may have registered but can connect to only 1 one of two Controllers
An appliance might be having issues connecting to the LogServer or LogForwarders
NOTE
Unlike Gateways, Portals, and Connectors that only make outbound 443 connections, Controllers, LogForwarders, the LogServer, and the Metrics Aggregator need to be able to receive traffic on 443 from other members of the Collective.
If you do not get a correctly registered appliance within a few minutes of activation, try following the steps below to identify where the issue lies.
Check if the new appliance is reachable
To see if you can contact the appliance, SSH in to the relevant appliances and then use the nc command. For example:
$ nc -z -v myserver.mycompany.com 443
$ nc -z -v 52.243.40.102 443
If you cannot connect using the DNS name then there is a DNS registration problem with the new appliance.
If all is well then you should get:
Connection to myserver.mycompany.com port 443 [tcp/snpp] succeeded!
You should also try this from your own PC. If you cannot connect at all, check the inbound firewall rules at the Gateway. If you can connect from your PC but not the Controller, check the outbound rules at the Controller. If the appliance is showing a Healthy status, then the problem is no longer with port 443 nor with DNS. For more information, see the section about how to fix any issues with both the set-up and maintenance of HA Controllers.