Troubleshooting

Setup

The 'Launch stack' link for the gateway doesn't work

Issue

When you add an AWS gateway, the 'Launch stack' link to AWS doesn't work.

What to do

In your site settings, select "Allow" for pop-up windows. By default the setting is "Block".

Gateway on ESXi doesn't show as ready to approve

Issue

Gateway hosted on ESXi doesn't show an "Approve" button in Sophos Central after deployment.

What to do

  1. Check whether your gateway can connect to these URLs. If it can't, allow them. Use port 443 unless otherwise stated.

    • sophos.jfrog.io
    • *.amazonaws.com
    • production.cloudflare.docker.com
    • *.docker.io
    • *.sophos.com
    • login.microsoftonline.com
    • graph.microsoft.com
    • ztna.apu.sophos.com (Port 22)
    • sentry.io
    • *.okta.com (If you use Okta as an identity provider)
  2. Make sure that ESXi has the latest firmware version.

  3. Make sure that the time is set correctly (GMT 0) on ESXi.

  4. Ensure that the CD-ROM is attached. If it isn't, power the VM off and reattach it. If that fails, recreate the gateway VM.

  5. Run a TCP probe against port 6443 on the gateway's internal interface to confirm that K3s (the Kubernetes distribution the gateway runs on) is listening.

  6. If your gateway is behind a Sophos Firewall, sign in to the firewall, go to Diagnostics > Packet Capture and turn packet capture on (or set up web filtering) to see which requests fail. You can do the same on a third-party firewall.
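As an added example (not Sophos code), the following Python script runs the checks in steps 1 and 5 from a shell on the gateway VM: it probes each host in the list above on port 443 (or the port the list states), flags wildcard entries for a manual check because a pattern can't be probed, and confirms that K3s answers on port 6443 of the internal interface IP you pass as an argument.

```python
import re
import socket
import sys

# The host list from step 1 above, entered as the page writes each entry.
REQUIRED_EGRESS = [
    "sophos.jfrog.io",
    "*.amazonaws.com",
    "production.cloudflare.docker.com",
    "*.docker.io",
    "*.sophos.com",
    "login.microsoftonline.com",
    "graph.microsoft.com",
    "ztna.apu.sophos.com (Port 22)",
    "sentry.io",
    "*.okta.com (If you use Okta as an identity provider)",
]

def parse_entry(entry):
    """Split one list entry into (host, port); port 443 unless the entry says otherwise."""
    host = entry.split()[0]
    m = re.search(r"\(Port (\d+)\)", entry)
    return host, (int(m.group(1)) if m else 443)

def probe(host, port, timeout=5.0):
    """True if a TCP handshake with host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, connection refused, timeout, no route
        return False

def check_egress(internal_ip, entries=REQUIRED_EGRESS):
    """Probe every entry plus K3s on internal_ip:6443 (step 5); return {target: status}."""
    results = {}
    for entry in entries:
        host, port = parse_entry(entry)
        if host.startswith("*."):  # a wildcard can't be probed; flag it for a manual check
            results[f"{host}:{port}"] = "wildcard: test a concrete hostname"
        else:
            results[f"{host}:{port}"] = "ok" if probe(host, port) else "FAIL"
    results[f"{internal_ip}:6443"] = "ok" if probe(internal_ip, 6443) else "FAIL (K3s not listening)"
    return results

if __name__ == "__main__":
    # usage: python3 gateway_egress_check.py <IP of the gateway's internal interface>
    for target, status in check_egress(sys.argv[1]).items():
        print(f"{target:45} {status}")
```

A "FAIL" on any non-wildcard target means that host must be allowed through the firewall before the gateway can register.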

Gateway on AWS doesn't show as ready to approve

Issue

After you complete gateway setup in AWS, you don't see an Approve button on the Gateways page in Sophos Central.

What to do

Allow up to an hour for the gateway to become available. After that, check for stack creation failures. To do this, go to the CloudFormation Resources list in the AWS Management Console.

No user groups are available to be given access to resources

Issue

When you add a resource to ZTNA, there are no user groups that you can allow to access it.

What to do

Check that your directory service (Azure AD or Active Directory) has user groups and that they're synchronized in Sophos Central.

The certificates aren't shown on the 'Edit gateway' page

Issue

When you open the Edit gateway page, you don't see the certificates you uploaded when you added the gateway.

What to do

This is by design. You can't view the current certificates there.

ZTNA on endpoints

ZTNA is shown as 'Not Configured' on endpoints

Issue

When you open Sophos Endpoint on a device managed by Sophos Central, the Status page shows "Zero Trust Network Access: Not configured".

What to do

Go to Devices > Computers (or Servers). Check whether the ZTNA agent is installed on the device. If it's installed, you see a green checkmark. If it isn't, you see a plus sign. Click the plus sign to install ZTNA.

ZTNA is shown with the warning 'Zero Trust Network Access: Error' on endpoints

Issue

When you open Sophos Endpoint on a device managed by Sophos Central, the Status page shows "Zero Trust Network Access: Error". This indicates that there's a connection problem.

What to do

  1. Check that a ZTNA policy has been set up in Sophos Central.

  2. Check that the gateway FQDN can be resolved.

  3. Check whether the Sophos TAP adapter configuration failed.

Access for user groups

User groups lose access

Issue

Users in an Azure AD user group that previously had access to an app can no longer access it.

Cause

If you change the name of an Azure AD user group that's been given access to an app, the Assigned User Groups list in ZTNA isn't updated to reflect the change. Users won't be able to access the app.

What to do

  1. Go to Zero Trust Network Access > Resources & Access.

    (Screenshot: Resources & Access menu)

  2. On the Resources & Access page, find the app and click it to edit its details.

    (Screenshot: Resources list)

  3. In the Edit Resource dialog, do as follows:

    1. Go to the Assign User Groups section.
    2. In Available User Groups, find the renamed user group and select the checkbox next to it.
    3. Move the group to Assigned User Groups and select the checkbox next to it.
    4. Click Save.

    (Screenshot: Edit Resource dialog)

User's been added to an allowed user group but can't access the app

Issue

You've added a user to an allowed user group for an app but the user sees a 403 Access Denied error.

What to do

If the user's been added recently, ask them to try again later. Changes to user groups can take up to an hour to take effect.

Alternatively, if it's a web app, tell the user to go into Incognito or Private mode in their browser and then try again.

User's been removed from an allowed user group but can still access the app

Issue

You've removed the user from an allowed user group for an app but they can still access it.

What to do

Check again later. Changes to the allowed user group can take up to an hour to take effect.

Access to agentless apps

User sees a 404 Not Found error when they try to access an agentless app

Issue

When the user tries to access an app that's been set up for agentless access, they see a 404 Not Found error.

What to do

In your DNS management settings, do as follows:

  1. Check that you have a CNAME record for the app that points to the gateway's FQDN.

  2. Make sure you don't have a CNAME record for any app that's accessed via a ZTNA agent.
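As an added example (not from the Sophos documentation), the following Python function encodes both DNS rules above and checks them against a zone listing: agentless apps need a CNAME pointing at the gateway FQDN, and agent-based apps must have no CNAME at all. The zone, the gateway FQDN gateway.example.com and the app names are constructed placeholders; replace them with your own, one record per name.

```python
def _norm(name):
    """Compare DNS names case-insensitively and ignore a trailing dot ('gw.example.com.')."""
    return name.rstrip(".").lower()

def check_dns(zone, gateway_fqdn, agentless_apps, agent_apps):
    """Return a list of (app, problem) tuples; an empty list means both rules hold.

    zone: {name: (record_type, value)} as a zone export would list it.
    """
    problems = []
    for app in agentless_apps:
        rec = zone.get(app)
        if rec is None or rec[0] != "CNAME":
            # Rule 1: without the CNAME the request never reaches the gateway (404 Not Found).
            problems.append((app, f"no CNAME record; add CNAME {app} -> {gateway_fqdn}"))
        elif _norm(rec[1]) != _norm(gateway_fqdn):
            problems.append((app, f"CNAME points at {rec[1]}, not the gateway FQDN"))
    for app in agent_apps:
        rec = zone.get(app)
        if rec is not None and rec[0] == "CNAME":
            # Rule 2: a CNAME here would send agent traffic to the gateway's public side.
            problems.append((app, "agent-based app must not have a CNAME record; remove it"))
    return problems

# Constructed sample zone and app lists (placeholders, not real records).
GATEWAY_FQDN = "gateway.example.com"
SAMPLE_ZONE = {
    "gateway.example.com": ("A", "203.0.113.10"),
    "wiki.example.com": ("CNAME", "Gateway.example.com."),  # agentless, correct
    "crm.example.com": ("CNAME", "old-gw.example.com"),     # agentless, wrong target
    "hr.example.com": ("A", "10.0.0.5"),                     # agentless, CNAME missing
    "git.example.com": ("CNAME", "gateway.example.com"),    # agent app, CNAME must go
}
AGENTLESS_APPS = ["wiki.example.com", "crm.example.com", "hr.example.com"]
AGENT_APPS = ["git.example.com", "db.example.com"]

if __name__ == "__main__":
    for app, problem in check_dns(SAMPLE_ZONE, GATEWAY_FQDN, AGENTLESS_APPS, AGENT_APPS):
        print(f"{app}: {problem}")
```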

User sees a 403 Access Denied error when they try to access an agentless app

Issue

The user sees a 403 Access Denied error when they try to access an agentless app.

What to do

  1. Check that you've enabled all the required API Permissions for your identity provider.

    • Azure Active Directory Graph (5)
      • Directory.Read.All Delegated
      • Directory.Read.All Application
      • Group.Read.All Delegated
      • User.Read Delegated
      • User.Read.All Delegated
    • Microsoft Graph (2)
      • openid Delegated
      • profile Delegated
  2. Check that the ZTNA policy allows access to the app.

  3. Check that the user is in an assigned user group for the app.

  4. Check that you have network connectivity to the identity provider:

    For Azure:

    • login.microsoftonline.com
    • graph.microsoft.com

    For Okta:

    • *.okta.com

User sees an upstream request error when they try to access an agentless app

Issue

The user sees an upstream request error when they try to access an agentless app.

What to do

  1. Check that the application is accessible from the network that the ZTNA gateway is on.

  2. Check that the application is still running.

  3. If the internal FQDN or IP address is shown, make sure it resolves to the app.

  4. If you use a private DNS Server, check that it's running and resolves to the app's external FQDN.

  5. Check that the port numbers specified for the app are correct.

Access to apps that need an agent

User is authenticated but can't access an app that needs ZTNA agent

Issue

The user is authenticated but can't access an app.

What to do

  1. Check the SNTP logs for errors.

  2. Check that the certificates in heartbeat.xml are valid.

User loses access to an app accessed via ZTNA agent

Issue

The user could previously access an app but can't do so anymore.

What to do

  1. Check the SNTP logs for errors.

  2. Check that the certificates in heartbeat.xml are valid.

  3. Check whether ZTNA is shown with "red" health status in the Sophos Endpoint UI.

User doesn't see the IDP sign-in screen the first time they try to access apps

Issue

The IDP should prompt the user to sign in the first time they try to access apps. If this doesn't happen, the user can't access apps.

What to do

Check that the user's device can contact the ZTNA gateway.

User doesn't see a sign-in popup when they try to access an app that needs the agent

Issue

The user should see a popup that prompts them to sign in when they try to access an app that needs the ZTNA agent. If they don't, they can't access the app.

What to do

  1. Check the SNTP logs for errors.

  2. Check the DNS settings. The DNS server must not have a CNAME record for the app.

  3. Check that the ZTNA agent process is running.

ZTNA user portal

User can't see apps in the ZTNA user portal

Issue

The user can't see any apps in the ZTNA user portal.

What to do

  1. Go to Resources & Access and click an app to edit its settings.

  2. Check that the user is in assigned user groups for the apps they need. Users can only see apps that they are authorized to access.

  3. Check that the admin selected Show resource in user portal when they added the apps.

User signs in but isn't given access to the ZTNA user portal

Issue

The user tries to access the ZTNA user portal and is shown the identity provider's sign-in screen. After they sign in, they're not returned to the user portal.

What to do

Check that you've specified the correct redirect URI in the identity provider settings.

If Azure AD is the identity provider, you specified the Redirect URI when you registered the ZTNA app. See Register the ZTNA app in Set up directory service.

If Okta is the identity provider, you specified the Sign-in redirect URI when you created an app integration in Okta. See the Okta instructions in Set up an identity provider.