Following are some commands that you can use to troubleshoot NSS:
- To display the configuration file that was configured using the sudo nss configure command:
sudo nss dump-config
- To show the active connections on the service IP address:
sudo nss troubleshoot netstat
The output is similar to that of the UNIX utility "netstat".
- To show the connections and their status:
sudo nss troubleshoot connection
This command will probe the connection status over a period of time and indicate whether the connections are stable or flapping.
- To show the status of the NSS feeds:
sudo nss troubleshoot feeds
This command will probe the status of the feeds and determine if the logs are queued due to the slow consumption of logs by the SIEM.
- To check the firewall configuration:
sudo nss test-firewall
This command actively probes the firewall configuration by attempting to resolve the DNS names and establish outbound connections to the Zscaler cloud. Because this command resets the management IP interface, run it on the vSphere client instead of the remote SSH console.
- To generate diagnostic information to send to Zscaler Support:
sudo nss collect-diagnostics
This command collects the configuration, vital statistics regarding the health of NSS, and error statistics, and then downloads the data to a local file. This file can be emailed to Zscaler Support for troubleshooting purposes.
- To reset the network configuration:
sudo nss reset-network
- If you configured a split interface and want to remove the configuration, you can enter:
sudo nss configure split-interface --wipe
- To remove the settings that were configured using the sudo nss configure command:
sudo nss configure --wipe
Enabling Remote Access
An administrator can request remote assistance and allow Zscaler Support to log in to their NSS without having to open a firewall connection for inbound traffic. This feature is disabled by default and must be enabled explicitly for the duration that remote support assistance is required.
- To enable Zscaler Support to access your NSS:
sudo nss support-access-start
This creates a long-lived SSH tunnel to the Zscaler cloud and sets up remote port forwarding. Zscaler Support can use this tunnel to log in to your NSS.
- To disable Zscaler Support access to your NSS:
sudo nss support-access-stop
This brings down the SSH tunnel and all the remote connections.