How to Troubleshoot ZPE Cloud Environment
- Updated on 06 Nov 2024
Overview
This document provides the essential commands for troubleshooting the environment of ZPE Cloud services on Nodegrid devices. Most troubleshooting involves similar checks, as problems typically relate to disk, network, date or time settings, and other environmental factors. However, each section may have specific checks relevant to that area.
The document includes steps to check the following:
Enrollment status
Device status
Online
Offline
Never connected
Failover (Pending)
Remote access
ZTP (Zero Touch Provisioning)
Profiles
Backup
Basic Environment Checks
These are the essential system checks that must be functioning properly before troubleshooting the applications. The listed commands are run on diagnostic data, allowing you to identify and address minor environmental issues. If these commands fail, it indicates that the environment needs to be fixed before proceeding.
Execute the following with api.zpecloud.com and google.com.
Ensure the service is configured:
sudo su - admin -c cli <<< "show /settings/zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_remote_access"
Ensure date and time are accurate:
chronyc tracking - provides detailed information about the system time synchronization.
chronyc ntpdata - displays information about the network time protocol (NTP).
date - shows the current system date and time.
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
nmcli c
nslookup api.zpecloud.com;
ping api.zpecloud.com;
ping -4 -I wwan0 api.zpecloud.com;
ping -4 -I eth0 api.zpecloud.com;
ping -6 -I wwan0 api.zpecloud.com;
ping -6 -I eth0 api.zpecloud.com;
telnet api.zpecloud.com 443;
traceroute api.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername api.zpecloud.com -connect api.zpecloud.com:443;
ls -lah /etc/ssl/certs | wc -l;
ls -lah /etc/ssl/certs/ca-certificates.crt;
NOTE
The IPv6 connections require a proxy to IPv4.
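The `openssl s_client` checks on this page print a long transcript, and `s_client` completes the handshake even when chain verification fails unless `-verify_return_error` is given. The following added example (not ZPE code) grades a transcript for the two things that matter here, a negotiated protocol above TLS 1.1 and a verify return code of 0; the function name `tls_verdict` and the sample transcripts are constructed for illustration.

```sh
#!/bin/sh
# Added example (not ZPE code): grade `openssl s_client` output instead of
# reading it by eye. On a device, feed it one of the commands from this page:
#   openssl s_client -servername api.zpecloud.com \
#       -connect api.zpecloud.com:443 </dev/null 2>&1 | tls_verdict
tls_verdict() {
    awk '
        # Fallback: "New, TLSv1.3, Cipher is ..." names the cipher suite version
        /^New, / { split($2, a, ","); if (proto == "") proto = a[1] }
        # Negotiated version: "    Protocol  : TLSv1.2" (takes precedence)
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        # "Verify return code: 0 (ok)"; keep the first one reported
        /Verify return code:/ && code == "" {
            sub(/.*Verify return code:[ \t]*/, ""); code = $1; reason = $0
        }
        END {
            if (proto == "" || proto == "(NONE)" || code == "") {
                print "FAIL no-handshake"; exit
            }
            if (proto !~ /^TLSv1\.[2-9]$/) { print "FAIL weak-protocol " proto; exit }
            if (code != "0") { print "FAIL untrusted-chain " reason; exit }
            print "PASS " proto
        }'
}

# Constructed transcripts (trimmed to the lines the parser reads).
sample_ok() { cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
EOF
}
sample_tls11() { cat <<'EOF'
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Verify return code: 0 (ok)
EOF
}
sample_untrusted() { cat <<'EOF'
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

for s in sample_ok sample_tls11 sample_untrusted; do
    printf '%s: %s\n' "$s" "$("$s" | tls_verdict)"
done
```

An `untrusted-chain` result on a device usually points back at the CA bundle or the clock checks in this section rather than at the remote endpoint.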
Operating System and Hardware Checks
Check Disk and File System:
df -h /var - Verify disk usage
cat /var/log/fsck.log - Review file system check log
ls -lah /var/zpe-cloud - List contents and permissions in /var/zpe-cloud
du -h -d 1 /var/ - Check disk usage for directories under /var
Ensure Daemons are running:
Network processes
ps -ef | grep Network;
TPM processes
TPM1: ps -ef | grep tcsd;
TPM2: ps -ef | grep tpm2;
ZPE Cloud
ps -ef | grep zpe_cloud_forwarder;
ps -ef | grep zpe_cloud_connect;
ps -ef | grep zpe_cloud_agent;
Verify service states:
Network access
nmcli c;
TPM
TPM1: tpm_version;
TPM2: tpm2_getcap properties-variable;
Device Enrollment Verification
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
ping api.zpecloud.com;
telnet api.zpecloud.com 443;
traceroute api.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername api.zpecloud.com -connect api.zpecloud.com:443;
Verify service states:
Enrollment is successful:
zpe_cloud_enroll --enroll-status -u https://zpecloud.com; (-u defaults to https://zpecloud.com);
zpe_cloud_enroll --enroll-list (new versions only);
Enroll secret remains valid:
zpe_cloud_enroll --pairing-status -u https://zpecloud.com; (new versions only); (-u defaults to https://zpecloud.com);
Device Status Online/Offline Status Checks
Pair:
Ensure the service is configured:
sudo su - admin -c cli <<< "show /settings/zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_zpe_cloud"
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
ping api.astarte.zpecloud.com;
telnet api.astarte.zpecloud.com 443;
traceroute api.astarte.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername api.astarte.zpecloud.com -connect api.astarte.zpecloud.com:443;
Verify service states:
Enroll secret remains valid and can pair:
zpe_cloud_enroll --pairing-status -u https://zpecloud.com; (new versions only); (-u defaults to https://zpecloud.com);
zpe_cloud_enroll --pairing-request -u https://zpecloud.com; (new versions only); (-u defaults to https://zpecloud.com);
Broker:
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
telnet broker.astarte.zpecloud.com 443;
traceroute broker.astarte.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername broker.astarte.zpecloud.com -connect broker.astarte.zpecloud.com:443;
Ensure service states are functional.
CRT remains valid and was paired:
zpe_cloud_enroll --pairing-status -u https://zpecloud.com; (new versions only); (-u defaults to https://zpecloud.com);
zpe_cloud_enroll --pairing-request -u https://zpecloud.com; (new versions only); (-u defaults to https://zpecloud.com);
Ensure the device can connect to the broker:
TPM 1.2
openssl s_client -showcerts -servername broker.astarte.zpecloud.com -connect broker.astarte.zpecloud.com:443 -engine tpm -keyform engine -key /var/zpe-cloud/astarte/persistency/crypto/astartekey.pem -cert /var/zpe-cloud/astarte/persistency/endpoint/api.astarte.zpecloud.com/mqtt_broker.crt;
TPM2.0
openssl s_client -showcerts -servername broker.astarte.zpecloud.com -connect broker.astarte.zpecloud.com:443 -engine tpm2tss -keyform engine -key /var/zpe-cloud/astarte/persistency/crypto/astartekey.pem -cert /var/zpe-cloud/astarte/persistency/endpoint/api.astarte.zpecloud.com/mqtt_broker.crt;
openssl s_client -showcerts -servername broker.astarte.zpecloud.com -connect broker.astarte.zpecloud.com:443 -engine libtpm2tss -keyform engine -key /var/zpe-cloud/astarte/persistency/crypto/astartekey.pem -cert /var/zpe-cloud/astarte/persistency/endpoint/api.astarte.zpecloud.com/mqtt_broker.crt;
Remote Access Check
This section applies to Nodegrid devices running version 5.10.0 and higher.
Ensure the service is configured:
sudo su - admin -c cli <<< "show /settings/zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_remote_access"
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
ping access.zpecloud.com;
telnet access.zpecloud.com 443;
traceroute access.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername access.zpecloud.com -connect access.zpecloud.com:443;
Verify service states:
Device is Connected:
sudo su - admin -c cli <<< "show /system/zpe_cloud";
sudo su - admin -c cli <<< "show /system/zpe_cloud status";
sudo su - admin -c cli <<< "show /system/zpe_cloud url";
Has certificates signed:
ls -lah /var/zpe-cloud/.crypto/zpecloud.com/;
ls -lah /var/zpe-cloud/.crypto/zpecloud.com/access.crt;
Certificate is valid
openssl x509 -noout -in /var/zpe-cloud/.crypto/zpecloud.com/access.crt -text -dates -issuer;
Ensure the device can connect to access
openssl s_client -showcerts -servername access.zpecloud.com -connect access.zpecloud.com:443 -key /var/zpe-cloud/.crypto/zpecloud.com/access.pem -cert /var/zpe-cloud/.crypto/zpecloud.com/access.crt < /dev/null;
NOTE
You can also replace it with a curl command.
curl --key /var/zpe-cloud/.crypto/zpecloud.com/access.pem --cert /var/zpe-cloud/.crypto/zpecloud.com/access.crt --tlsv1.3 https://access.zpecloud.com;
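The certificate check in this section prints the validity dates but leaves the comparison with the device clock to the reader, and a wrong clock makes a good certificate look expired or not yet valid. The following added example (not ZPE code) does that comparison from `openssl x509 -dates` output; the function name `cert_window` and the sample dates are constructed for illustration.

```sh
#!/bin/sh
# Added example (not ZPE code): check the device clock against a certificate
# validity window. On a device, pipe in the x509 command from this page:
#   openssl x509 -noout -dates -in /var/zpe-cloud/.crypto/zpecloud.com/access.crt \
#       | cert_window "$(date -u +%Y%m%d%H%M%S)"
cert_window() {   # $1 = current UTC time as YYYYMMDDHHMMSS
    awk -v now="$1" '
        BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= n; i++) mon[m[i]] = i }
        # "notAfter=Nov  6 00:00:00 2025 GMT" -> stamp["notAfter"] = "20251106000000"
        /^not(Before|After)=/ {
            key = substr($0, 1, index($0, "=") - 1)
            sub(/^[^=]*=/, ""); gsub(/:/, "", $3)
            stamp[key] = sprintf("%04d%02d%02d%s", $4, mon[$1], $2, $3)
        }
        END {
            nb = stamp["notBefore"]; na = stamp["notAfter"]
            if (nb == "" || na == "" || length(now) != 14) {
                print "FAIL unparsable"; exit
            }
            # Equal-width digit strings sort in the same order as the times.
            if ((now "") < (nb "")) print "FAIL not-yet-valid clock=" now " notBefore=" nb
            else if ((now "") > (na "")) print "FAIL expired clock=" now " notAfter=" na
            else print "PASS valid-until " na
        }'
}

# Constructed `openssl x509 -noout -dates` output (not a real certificate).
sample_dates() { cat <<'EOF'
notBefore=Nov  6 00:00:00 2024 GMT
notAfter=Nov  6 00:00:00 2025 GMT
EOF
}

# Clock in range, clock far in the past, clock past expiry.
for now in 20250101000000 20000101000000 20260101000000; do
    printf '%s: %s\n' "$now" "$(sample_dates | cert_window "$now")"
done
```

A `not-yet-valid` result with a plausible `notBefore` means the clock is behind, so rerun the `chronyc tracking` and `date` checks before suspecting the certificate.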
ZTP Check
Profile download
Ensure the service is configured:
sudo su - admin -c cli <<< "show /settings/zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_zpe_cloud"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_file_protection"
sudo su - admin -c cli <<< "show /settings/zpe_cloud enable_file_encryption"
Ensure date and time are accurate.
NOTE
The ZTP schedule for profiles can range from 10 minutes to a few hours for a software upgrade.
During ZTP, upload of files may fail if the date and time are incorrect and not in sync with the actual date and time.
chronyc tracking;
chronyc ntpdata;
date;
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
ping device-api.zpecloud.com;
telnet device-api.zpecloud.com 443;
traceroute device-api.zpecloud.com;
Ensure TLS/SSL works
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername device-api.zpecloud.com -connect device-api.zpecloud.com:443;
Verify service states.
Device is Connected:
sudo su - admin -c cli <<< "show /system/zpe_cloud";
sudo su - admin -c cli <<< "show /system/zpe_cloud status";
sudo su - admin -c cli <<< "show /system/zpe_cloud url";
Ensure the device can connect to access
Backup and Profile output upload
Ensure date and time are accurate.
NOTE
The ZTP schedule for profiles can range from 10 minutes to a few hours for a software upgrade.
During ZTP, upload of files may fail if the date and time are incorrect and not in sync with the actual date and time.
chronyc tracking;
chronyc ntpdata;
date;
Ensure network access is up and running.
NOTE
DNS and TCP are required; ping as a network metric is optional.
telnet device-apiv2.zpecloud.com 443;
traceroute device-apiv2.zpecloud.com;
Ensure TLS/SSL works.
NOTE
Use a TLS version higher than 1.1; these are the versions ZPE Cloud supports.
openssl s_client -showcerts -servername device-apiv2.zpecloud.com -connect device-apiv2.zpecloud.com:443;
Verify service states.
Device is Connected:
sudo su - admin -c cli <<< "show /system/zpe_cloud";
sudo su - admin -c cli <<< "show /system/zpe_cloud status";
sudo su - admin -c cli <<< "show /system/zpe_cloud url";
Ensure the device can connect to access
openssl s_client -showcerts -servername device-apiv2.zpecloud.com -connect device-apiv2.zpecloud.com:443 -key /var/zpe-cloud/.crypto/zpecloud.com/access.pem -cert /var/zpe-cloud/.crypto/zpecloud.com/access.crt < /dev/null;
NOTE:
You can replace it with curl as well.
curl --key /var/zpe-cloud/.crypto/zpecloud.com/access.pem --cert /var/zpe-cloud/.crypto/zpecloud.com/access.crt --tlsv1.3 https://device-apiv2.zpecloud.com;