Troubleshooting NSS

Following are some commands that you can use to troubleshoot NSS:

  • To start the NSS service:
    sudo nss start
  • To end the NSS service:
    sudo nss stop
  • To display the configuration file that was configured using the sudo nss configure command:
    sudo nss dump-config
  • To show the active connections on the service IP address:
    sudo nss troubleshoot netstat
    The output is similar to that of the UNIX utility "netstat".
  • To show the connections and their status:
    sudo nss troubleshoot connection
    This command will probe the connection status over a period of time and indicate whether the connections are stable or flapping.
  • To show the status of the NSS feeds:
    sudo nss troubleshoot feeds
    This command will probe the status of the feeds and determine if the logs are queued due to the slow consumption of logs by the SIEM.
  • To check the firewall configuration:
    sudo nss test-firewall
    This command actively probes the firewall configuration by attempting to resolve the DNS names and establish outbound connections to the Zscaler cloud. This command resets the management IP interface; therefore, run it on the vSphere client instead of the remote SSH console.
  • To generate diagnostic information to send to Zscaler Support:
    sudo nss collect-diagnostics
    This command collects the configuration, vital statistics regarding the health of NSS, and error statistics, and then downloads the data to a local file. This file can be emailed to Zscaler Support for troubleshooting purposes.
  • To reset the network configuration:
    sudo nss reset-network
  • If you configured a split interface and want to remove the configuration, you can enter:
    sudo nss configure split-interface --wipe
  • To remove the settings that were configured using the sudo nss configure command:
    sudo nss configure --wipe

Enabling Remote Access

An administrator can request remote assistance and allow Zscaler Support to log in to their NSS without having to open a firewall connection for inbound traffic. This feature is disabled by default and must be enabled explicitly for the duration that remote support assistance is required.

  • To enable Zscaler Support to access your NSS:
    sudo nss support-access-start
    This creates a long-lived SSH tunnel to the Zscaler cloud and sets up remote port forwarding. Zscaler Support can use this tunnel to log in to your NSS.
  • To disable Zscaler Support access to your NSS:
    sudo nss support-access-stop
    This brings down the SSH tunnel and all the remote connections.

Error Codes

Following are error codes that you might encounter when executing an update-now command:

  Error Code    Description
  96            Invalid Client Certificate
  97            Timeout to contact upgrade server
  99            A problem in downloading and installing the build. An "update-now force" needs to be explicitly issued.

What happens if the NSS goes down?

In the event of a connection loss between the NSS and the cloud Nanolog, the cloud retransmits the logs to NSS up to a maximum of one hour. If NSS is down for more than an hour, the logs falling out of the one-hour window won't be retrieved by NSS.