Troubleshooting
This chapter describes how to troubleshoot issues.
Client-side appliance troubleshooting
This section provides suggestions for troubleshooting client-side appliances.
Verify SaaS acceleration is running
SaaS Accelerator uses a new method to classify application traffic, and the client appliance needs to recognize this type of application traffic. (The SaaS Accelerator uses the DPI classification engine.)
If you do not see accelerated SaaS connections, use the show service saas-accel application cache command. SaaS acceleration will not happen until an entry appears in the output of this command.
To troubleshoot application classification, ensure the logging level is set to Info. The default level is Notice.
To set the log level to info
• Enter these commands on the SteelHead command line:
enable
configure terminal
logging local info
If you don’t want to make this change globally, you can also set the log level specifically for the application classification logs.
To set application classification logs to the info level
• From the CLI, run this command:
logging filter qosd level info
When application classification is successful, log messages for the classification service appear:
"Doing appctrl query dst:..."
"amnesiac: Classified app for dst:..."
"amnesiac: Appid # found in cache ..."
If application classification is failing, the following message appears in the logs:
"amnesiac: Failed to resolve appctrl server..."
To correct application classification failure, make sure the client appliance can resolve hostnames and DNS is working properly. Application classification relies on the appcs.x.riverbed.cc server, and the client-side appliance must be able to resolve this hostname and reach this server.
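The log check described above can be run over an exported log file. The following Python is an added example, not Riverbed tooling: it matches only the message fragments quoted in this section, and the triage function, the verdict names and the sample lines (whose message tails are placeholders) are assumptions made for illustration.

```python
import re
from collections import Counter

# Fragments of the messages quoted above. The page elides the rest of each
# message, so only these fragments are matched.
PATTERNS = {
    "query": re.compile(r"Doing appctrl query dst:"),
    "classified": re.compile(r"Classified app for dst:"),
    "cache_hit": re.compile(r"Appid \S+ found in cache"),
    "resolve_failed": re.compile(r"Failed to resolve appctrl server"),
}

def triage(lines):
    """Count classification messages and decide the current state."""
    counts, last_ok, last_fail = Counter(), -1, -1
    for i, line in enumerate(lines):
        kind = next((k for k, rx in PATTERNS.items() if rx.search(line)), None)
        if kind is None:
            continue
        counts[kind] += 1
        if kind == "resolve_failed":
            last_fail = i
        elif kind in ("classified", "cache_hit"):
            last_ok = i
    if not counts:
        verdict = "no-classification-logs"   # log level may still be Notice
    elif last_fail > last_ok:
        verdict = "resolve-failure"          # check DNS and reachability
    elif last_fail >= 0:
        verdict = "recovered"                # failures, then later successes
    elif last_ok >= 0:
        verdict = "ok"
    else:
        verdict = "query-only"               # queries seen, no result yet
    return {"verdict": verdict, "counts": dict(counts)}

# Constructed sample lines: message tails are placeholders, not appliance output.
SAMPLE = [
    "amnesiac: Doing appctrl query dst:<constructed>",
    "amnesiac: Failed to resolve appctrl server <constructed>",
    "amnesiac: Doing appctrl query dst:<constructed>",
    "amnesiac: Classified app for dst:<constructed>",
    "amnesiac: Appid 0 found in cache <constructed>",
]

if __name__ == "__main__":
    print(triage(SAMPLE))       # whole log: a failure followed by successes
    print(triage(SAMPLE[:2]))   # log that ends right after the failure
```

A "no-classification-logs" verdict usually means the log level has not yet been raised to info as described earlier in this section.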
Display SaaS service cluster peers for client-side appliances
To see details of the SaaS service cluster peered with the client-side appliance
• From the appliance web interface, choose Reports > Peers.
• From the CLI, run the show peers command.
show peers
S IP Name Model Version Licenses
- --------------- ---------------- ----- ---------- -----------------------------
O xx.xx.xx.xx XN##XXX##X###XXX SaaS- #.#.0 CIFS/MAPI/SSL
O xx.xx.xx.xx XN#XXX#####XX### SaaS- #.#.0 CIFS/MAPI/SSL
O = online, U = unknown
Total appliances: 2
Connected appliances: 2
abc-sh123 (config) #
Display available third-party proxy chaining node ranges
Run this command to see information about third-party proxy chaining nodes:
sh service saas-accel proxy-chain full
SaaS Accelerator proxy chaining interop status:
Enabled: Yes
Restriction: System managed IPs only
System-defined subnet list:
x.xxx.xx.x/##
.
.
.
No user-defined subnets.
#
Client Accelerator endpoint troubleshooting
SaaS acceleration uses a new method to classify application traffic, and the Client Accelerator endpoints need to recognize this type of application traffic. (The SaaS Accelerator service runs as part of the qosd process.)
Application classification relies on the appcs.x.riverbed.cc server, and Client Accelerator endpoints must be able to resolve this hostname and reach this server.
If you do not see accelerated SaaS connections, use the rbtdebug -f dns_table command to review the DNS mapping between hostnames and IP addresses and the rbtdebug -f app command to review the list of applications the Client Accelerator has classified.
Alerts related to third-party proxy chaining
This table lists alerts related to the third-party proxy chaining feature.
Alarm | Severity | Message | Possible cause |
Traffic blackholed | Critical | The public IP is not whitelisted with the proxy service. | SAM and/or appliance IPs are not whitelisted on the CASB. |
Proxy Hostname | Critical | The configuration service failed to resolve proxy hostnames. | Failure to resolve proxy gateway hostnames. |
PAC File Parsing | Critical | The configuration service failed to parse the PAC file at the configured URL. | Incorrect proxy auto-configuration information. |