Following are some commands that you can use to troubleshoot NSS:
- To start the NSS service:
sudo nss start
- To end the NSS service:
sudo nss stop
- To display the configuration file that was configured using the sudo nss configure command:
sudo nss dump-config
- To show the active connections on the service IP address:
sudo nss troubleshoot netstat
The output is similar to that of the UNIX utility "netstat".
- To show the connections and their status:
sudo nss troubleshoot connection
This command will probe the connection status over a period of time and indicate whether the connections are stable or flapping.
- To show the status of the NSS feeds:
sudo nss troubleshoot feeds
This command will probe the status of the feeds and determine if the logs are queued due to the slow consumption of logs by the SIEM.
- To check the firewall configuration:
sudo nss test-firewall
This command actively probes the firewall configuration by attempting to resolve the DNS names and establish outbound connections to the Zscaler cloud. It resets the management IP interface, so run it on the vSphere client instead of the remote SSH console.
- To generate diagnostic information to send to Zscaler Support:
sudo nss collect-diagnostics
This command collects the configuration, vital statistics regarding the health of NSS, and error statistics, and then downloads the data to a local file. This file can be emailed to Zscaler Support for troubleshooting purposes.
- To reset the network configuration:
sudo nss reset-network
- If you configured a split interface and want to remove the configuration, you can enter:
sudo nss configure split-interface --wipe
- To remove the settings that were configured using the sudo nss configure command:
sudo nss configure --wipe
Enabling Remote Access
An administrator can request remote assistance and allow Zscaler Support to log in to their NSS without having to open a firewall connection for inbound traffic. This feature is disabled by default and must be enabled explicitly for the duration that remote support assistance is required.
- To enable Zscaler Support to access your NSS:
sudo nss support-access-start
This creates a long-lived SSH tunnel to the Zscaler cloud and sets up remote port forwarding. Zscaler Support can use this tunnel to log in to your NSS.
- To disable Zscaler Support access to your NSS:
sudo nss support-access-stop
This brings down the SSH tunnel and all the remote connections.
Following are error codes that you might encounter when executing an update-now command:
- Error Code 96: Invalid Client Certificate
- Error Code 97: Timeout to contact upgrade server
- Error Code 99: A problem in downloading and installing the build. An "update-now force" needs to be explicitly issued.
What happens if the NSS goes down?
In the event of a connection loss between the NSS and the cloud Nanolog, the cloud retransmits the logs to NSS up to a maximum of one hour. If NSS is down for more than an hour, the logs falling out of the one-hour window won't be retrieved by NSS.