The dashboard includes a message feed. These messages are likely to relate to the settings/configuration of the wider system. They might indicate a configuration issue within the AppGate ZTNA Collective, with a related system, or the network environment.
Source | Error Level | Message | Action to be taken |
|---|---|---|---|
ZTP | Error | Failed to communicate with Risk Engine. | One of the Controllers was not able to talk to the ZTP service. Make sure the Controllers can reach the ZTP service. |
ZTP | Error | ZTP registration has been revoked. Contact your ZTP administrator for more details. | The ZTP account is no longer valid. Check with your ZTP administrator to get valid credentials that allow you to connect to ZTP. |
Controller | Warning | Trusted Network Detection settings are defined in more than one active policy for a user. The setting from policy <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting setting for Trusted Network Detection in the policies (most likely on a device policy or the device section in mixed policies). Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | Identity provider <Identity Provider> does not have IP pool assigned. | The identity provider mentioned in the admin message has no IP pool assigned. This means a user can authenticate against the IdP, but will get an error because the Controller is not able to assign a tunnel IP from the pool. |
Controller | Warning | Failed to allocate IP from pool <IP Pool name> : <message> | The Controller was unable to assign an IP from the pool to this user, due to the <message>. In most cases this means the IP pool is full on this Controller. If only one Controller is giving this error and the IP pool list still shows available IPs for the pool, make sure that the users can reach all Controllers, because each Controller is responsible for allocating its percentage of the IP pool. |
Controller | Warning | Failed to map to IP pool <IP Pool name> because it doesn't exist. Mapping is defined on Site <Site name> | The Controller was unable to map the tunnel IP of the IP pool to a mapped IP pool for Site <Site Name>. Please make sure the mapping is configured correctly on Site settings, and that the mapped IP pool still has available IPs in the pool. |
Controller | Warning | Failed to retrieve details from the identity provider <Identity Provider Name>. Please check the configuration and connectivity. | The Controller is not able to communicate with the identity provider. Please verify the identity provider settings for the mentioned identity provider, verify the configuration, the certificates, and the connectivity between the mentioned Controller and the identity provider. |
Controller | Error | Controller has failed to verify metered EC2 instance state. Failures lasting longer than one hour prevent users signing in on this Controller. Details: <AWS message> | This error only occurs when you are using a metered subscription instance from AWS. The Controller is not able to talk to the metered subscription API from AWS and therefore cannot use the metered license model. This error will impact users signing in after one hour; it will not impact connected users. |
Controller | Warning | One or more of your licenses has an error. Please check your licenses and remove the ones with errors. | One of the uploaded licenses is incorrect or expired. Sign in to the admin UI, go to Settings > Licenses and verify that the licenses there are correct. If not, please contact support. |
Controller | Error | Identity Provider <Identity Provider Name> has failed to authenticate a user. Details: <Messages> | The identity provider mentioned in the admin message failed to authenticate a user. The message gives more detail on why the user failed to sign in. Check your identity provider to investigate why this user failed to authenticate. |
Controller | Warning | Criteria script <Criteria Script Name> for Client Auto-Update is not available. Reassign it to an existing criteria script in order to fix this issue. | The criteria script used to select users for the client auto-update service is no longer available. Please go to System > Client Auto-Update and select an existing criteria script. |
Controller | Warning | Device Proxy Auto Config URL matches are defined in more than one active policy for a user. The setting from the policy <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting setting for Device Proxy Auto Config URL in the policies (most likely on a device policy or the device section in mixed policies). Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | Client settings are defined in more than one active policy for a user. The setting from policy <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting setting for client settings in the policies (most likely on a device policy or the device section in mixed policies). Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | Multiple active policies for a user have defined DNS settings for the same domain name <domain>. The setting from policy <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting DNS domain setting in the DNS policies. Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | Multiple custom help URLs are defined in more than one active policy for a user. The setting from policy <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting custom help URL setting in the device policies. Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | Client profile settings are defined in more than one active policy for a user. The setting from <Policy name> is being used because it comes first alphabetically. | This means that one or more users have a conflicting client profile setting in the device policies. Check which user has the <Policy name> assigned, go to session details and run analyze policies. This shows which items are conflicting; then adapt the access criteria so that there are no more conflicts in the policy setting. |
Controller | Warning | A user did not get the entitlement <Entitlement Name> because it doesn't have a Site assigned. | Go to Access > Entitlements and select the named entitlement. Make sure it has a valid Site assigned. |
Controller | Warning | A user did not get the entitlement, because its Site <Site Name> doesn't have any active Gateways assigned. | The Site that is allocated to the entitlement has no active Gateways assigned. Go to System > Appliances and either seed a new Gateway or select an existing one and assign the proper Site to it. |
Controller | Warning | A user on identity provider <Identity Provider Name> received one or more Site routes from <Site Name> that is IPv(4/6) but did not get an IP allocated for it. Consider assigning an IPv(4/6) pool to the identity provider. | If, for example, IPv6 entitlements are used but the identity provider has no IPv6 pool assigned, the users will not be able to reach the entitlement. |
Controller | Warning | One or more policy override Sites could not be found while trying to apply to entitlement <Entitlement Name>. Please review your policies. | Check which policy has an assignment for the named entitlement either directly or via tag, and make sure that the specified override Site still exists. |
Controller | Warning | One or more policy override Sites could not be found while trying to apply to entitlement <Entitlement Name>. Please review your policies. | There is more than one policy match for the named entitlement and they have different override Sites specified. Make sure to update the criteria scripts for all conflicting policies. |
Controller | Warning | At least one of your policies is configured with override Site using the claim <Claim Name>, but that claim could not be found. Please review your policies. | Check the claim name for policies that use 'Override using a claim'. Then either fix the claim in the identity provider mapping, or update the claim name in the policy for the override Site setting. |
Controller | Warning | At least one of your policies is configured with override Site using the claim <Claim Name>, but that claim does not contain a UUID. Please review your policies. | Make sure the mentioned claim name has the correct Site UUID. To find the Site UUID, go to the specific Site settings and copy the UUID part from the admin UI URL. |
Controller | Warning | <Distinguished Name> was unable to sign in as admin because there was no policy match. | Please make sure you have a proper admin policy matched for this user. If there is no admin policy active at all, please see our knowledge base to remediate. |
Gateway | Warning | The client with DN: <Client DN> is showing abnormal high signalling towards the Gateway, and has been loadlimited, until: <time> | The appliance mentioned in the warning message reports a client DN that has retried connecting to the same Gateway many times and has been load limited. Check the client logs for that client DN and search the driver logs to find out why it keeps retrying to connect to this Gateway. |
Gateway | Warning | Failed to evaluate condition <Condition Name>. It timed out after X seconds. | Please review the mentioned condition and check why it fails to evaluate in time. You can go to the specific condition and test it with an active user to see if it executes in time. |
Gateway | Warning | The following hostnames have been unresolved for at least X seconds | This lists any hostnames that can no longer be resolved by the DNS server specified in the DNS name resolver. |