System Maintenance

Using the System Maintenance Pages

You can use the System > Maintenance pages to perform the following tasks:

Enable system maintenance options, such as software version monitoring and disk clean-up.

Upgrade, downgrade, or roll back the system software.

Download client installer files so that you can distribute them to end users through out-of-band methods.

Test network connectivity between the system and servers that have been configured to be used with it.

Display hardware status.

Configuring System Maintenance Options

You can use the maintenance options page to enable various system maintenance features.

To enable various system maintenance features:

1. Select Maintenance > System > Options to display the maintenance options page.

2. Select options as described in the following table.

3. Save the configuration.

The following table lists the System Maintenance Options Configuration Guidelines:

Options

Guidelines

Automatic version monitoring

If you enable this option, the system reports to Ivanti the following data:

Machine identifier.

Information describing your current software, including:

Software build number and build name.

An MD5 hash of your license settings.

An MD5 hash of the internal interface IP address.

If this node is in a cluster, the number of nodes within that cluster.

Current state of the node.

Cluster type (active/active, active/passive).

Total number of unique subnets on the cluster nodes.

Version of Ivanti Secure Access Client.

Version of ESAP.

Cluster log synchronization status.

Total number of concurrent users on the device.

Number of Ivanti tunnels.

We strongly recommend that you enable this service.

Gzip compression

Connect Secure only. Use gzip compression to reduce the amount of data sent to browsers that support HTTP compression. This can result in faster page downloads for some users.

Kernel Watchdog

Enables the kernel watchdog, which automatically restarts the system under kernel deadlock or when the kernel runs low on some key resources.

Enable the kernel watchdog only when instructed by Technical Support.

Resource throttling

Enables system resource throttling, which gives system processes higher priority. High-priority processes get more resources under system load. Changing this option will cause a system reboot.

File System Auto-clean

Enables the system to automatically clean up the file system when disk utilization reaches 90%.

The clean-up operation deletes files that might be relevant in debugging. For example, debug logs, core files, and snapshots might be deleted.

Web installation and automatic upgrade of Ivanti Secure Access Client

After you deploy Ivanti Secure Access Client software to endpoints, software updates occur automatically. An Ivanti Secure Access Client can receive updates from the server. If you upgrade the Ivanti software on your Ivanti server, updated software components are pushed to a client the next time it connects.

A bound endpoint receives connection set options and connections from its binding server, but it can have its Ivanti Secure Access Client software upgraded from any Ivanti server that has the automatic upgrade option enabled. During a client software upgrade the client loses connectivity temporarily.

Enable Ivanti Secure Access Client Components removal Tool for Cert issue Remediation

Lets the administrator allow users to download the Ivanti Secure Access Client Components removal (Ivanti Upgrade Helper) tool on Windows end-user machines upon browser access. The tool remediates the certificate expiry issue. For more information, refer to KB44781 and KB44810.

Virtual Terminal console

Enables the virtual terminal on a virtual appliance. Clear this check box to use the serial console. Changing this setting will restart the system.

Java instrumentation caching

Connect Secure only. Caches the Java instrumentation to improve the performance of Java applications.

Show Auto-allow

Connect Secure only. The auto-allow option provides the means to automatically add bookmarks for a given role to an access control policy, for example, Web bookmarks with auto-allow set are added to the Web access control policy. You only use this feature if you also use Resource Policies. We recommend that you use Resource Profiles instead.

Do not show Task Guidance/Help page on admin login

This option is applicable only when there are no licenses installed. When enabled, the Task Guidance/Help page does not appear automatically upon administrator login.

Clear all configuration data at this device

This option clears all keys and triggers a configuration reset and reboots the device.

Prevent system overload

Disallows user login, user login via Ivanti Secure Access Client, HTML5 connection or connection to a web resource when the CPU load is above a certain threshold. By default, this option is disabled for ICS upgrades and enabled for new installations.

Exception: Admin logins, DMI and inbound REST calls are not blocked due to CPU overload.

When a login to the HTML5 connection or connection to a web resource is blocked and when a user tries to log in, the login page will display an appropriate system busy message.

To configure log events for User Access, in the System > Log/Monitoring > User Access > Settings tab, select the System Too Busy check box. By default, this option is enabled.

Select System > Log/Monitoring > User Access > Log to view the logs.

Auto reboot the system

This option automatically reboots the system when the appliance is in kernel panic state.

Monitor SAML server processes

When this check box is enabled, saml-server instances are monitored for high memory usage, and an instance is killed if it consumes more than 3.5GB of virtual memory.

Sample Event IDs:
id='SYS32217' or id='SYS32218' or id='SYS32219' or id='SYS32220'

Monitor WEB server processes

When this check box is enabled, web server instances are monitored for high memory usage, and an instance is killed if it consumes more than 3.5GB of virtual memory.

Sample Event IDs:
id='SYS32251' or id='SYS32252' or id='SYS32253' or id='SYS32254'

Enable Browser Extension

When this option is enabled, PSAL follows the browser extension path.

PSAL State Timeout

Specify the timeout in minutes. The maximum is 9 minutes and the minimum is 2 minutes.

End-user Localization

Select one of the following options:

Automatic (based on browser settings)

English (U.S.)

Chinese (Simplified)

Chinese (Traditional)

French

German

Japanese

Korean

Spanish

External User Records Management

Persistent user records limit

Specify the maximum number of user records.

This feature is useful when system performance is affected due to a large number of user records. We highly recommend you consult Technical Support prior to using this feature. Deleting a user record removes all persistent cookies, SSO information, and other resources for that user. It does not remove the user record from the external or internal authentication server. If you delete a user record and that user logs back in to the authentication server, new user records are created. Records are not removed if that user is currently logged in.

Number of records to delete when the limit is exceeded

Specify a number. Older records are removed first. A user record is not deleted if that user is currently logged in.

Delete records now

Check whether the persistent user records limit has been exceeded. If it has, delete the number of user records specified in the option above.

Automatic deletion of user records periodically

Check whether the persistent user records limit will be exceeded whenever a new user record is about to be created. If true, delete the records prior to creating the new user record.
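
As an added example (not Ivanti's code), the following Python script scans exported log lines for the sample event IDs listed in the table for the Monitor SAML server processes and Monitor WEB server processes options and tallies them per monitored process. The log line layout, the function names, and the alert threshold are assumptions made for illustration; the table does not say what each individual ID means, so the script only groups the IDs as the table does.

```python
import re
from collections import Counter

# Event IDs exactly as listed in the options table, grouped by option.
MONITOR_EVENT_IDS = {
    "saml-server": {"SYS32217", "SYS32218", "SYS32219", "SYS32220"},
    "web-server": {"SYS32251", "SYS32252", "SYS32253", "SYS32254"},
}
ID_TO_PROCESS = {eid: proc for proc, ids in MONITOR_EVENT_IDS.items() for eid in ids}

# Match a whole event ID token; "SYS322170" or "XSYS32217" must not match.
EVENT_ID_RE = re.compile(r"(?<![A-Za-z0-9])SYS\d{5}(?![A-Za-z0-9])")


def scan_events(lines):
    """Return (counts per process, [(line_no, process, event_id)]) for listed IDs."""
    counts = Counter()
    hits = []
    for line_no, line in enumerate(lines, start=1):
        for event_id in EVENT_ID_RE.findall(line):
            process = ID_TO_PROCESS.get(event_id)
            if process:
                counts[process] += 1
                hits.append((line_no, process, event_id))
    return counts, hits


def processes_over_threshold(counts, threshold):
    """Processes whose monitor events reached the threshold (an assumed alert policy)."""
    return sorted(p for p, n in counts.items() if n >= threshold)


# Constructed sample lines; the layout is illustrative, not the product's log format.
SAMPLE_LOG = [
    "2024-05-01 10:00:01 node1 SYS32217: constructed message text",
    "2024-05-01 10:00:09 node1 SYS32219: constructed message text",
    "2024-05-01 10:02:30 node1 SYS32251: constructed message text",
    "2024-05-01 10:03:00 node1 XYZ00001: constructed unrelated event",
    "2024-05-01 10:04:00 node1 SYS322170: constructed near-miss, not a listed ID",
    "2024-05-01 10:05:12 node1 id='SYS32220' constructed filter-style form",
]

if __name__ == "__main__":
    counts, hits = scan_events(SAMPLE_LOG)
    for line_no, process, event_id in hits:
        print(f"line {line_no}: {process} monitor event {event_id}")
    print("alert:", processes_over_threshold(counts, threshold=3))
```

Repeated events for one process are worth correlating with the "System Too Busy" user access log entries described for the Prevent system overload option.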

Upgrading the System Software

This topic describes how to upgrade, downgrade, and roll back the system software.

Downloading a Software Package

To download a software package:

1. Go to https://forums.ivanti.com/s/product-downloads?language=en_US and browse to the software download page for your product.

2. When prompted, log in with your Ivanti customer username and password.

3. Accept the license agreement.

4. When prompted, save the software package to your local host.

Uploading a Software Package

You can upload a software package to the system without immediately initiating the upgrade process. This is known as staging the upgrade. You can stage one package. Uploading a second package overwrites the previous staging.

To upload a software package:

1. Select Maintenance > System > Upgrade/Downgrade to display the system software maintenance page.

The following figure shows Ivanti Connect Secure.

2. Under Managed Staged Service Package, select Upload new package into staging area and use the Browse button to locate and select the service package file.

3. Click Submit to upload the file.

The Upload Status window shows the progress of the upload operation.

Software Upgrade Page


If you have enabled logging for Administrator changes (System > Log/Monitoring > Admin Access > Settings page), a log is written to the Admin Access logs page.

Upgrading the System Software

Installing a service package can take several minutes and requires the system to reboot. Because existing system data is backed up during this process, you can decrease installation time by clearing your system log before trying to install a service package.

When the system software is upgraded:

The latest set of Trusted Server CAs is uploaded. This new set of Trusted Server CAs appears on the System > Configuration > Certificates > Trusted Server CAs page.

Any expired certificates in the default Trusted Server CA store are removed from the system.

When the system software is upgraded to 22.x, it automatically upgrades Ivanti Connect Secure to OpenSSL version 1.1.1.

To upgrade the operating system:

1. Select Maintenance > System > Upgrade/Downgrade to display the system software maintenance page.

Software Upgrade Status Page shows the system software maintenance page.

2. Under Install Service Package, select one of the following options to proceed:

From File: Use the Browse button to locate and select the service package file.

From Staged Package: Select the service package file that was previously uploaded.

Do not select the Deletes option when you are upgrading software. The Deletes option is available to support downgrading software.

3. Click Install.

The system displays the Service Package Installation Status page, which provides a summary of the integrity checks and compatibility checks and other status indicators.

Software Upgrade Status Page 


If you have enabled logging for Administrator changes (System > Log/Monitoring > Admin Access > Settings page), a log is written to the Admin Access logs page. If you have enabled logging for System Status (System > Log/Monitoring > Events > Settings page), logs are written to the Events logs page.

Downgrading the System Software

If necessary, you can downgrade to an earlier version of the system software. When you downgrade, you must clear the system and configuration data to avoid unexpected behavior that can occur when the system has data that relates to the newer software.

If you downgrade the system, you must reestablish network connectivity before you can reconfigure it.

To downgrade the operating system:

1. Select Maintenance > System > Upgrade/Downgrade to display the system software maintenance page.

System Maintenance Platform Page shows the system software maintenance page.

2. Under Install Service Package, select one of the following options to proceed:

From File: Use the Browse button to locate and select the service package file.

From Staged Package: Select a service package file that was previously uploaded.

3. Select the Deletes option to delete all system and user configuration data before installing the service package, restoring the member to an unconfigured state.

4. Click Install.

Rolling Back the System Software

If necessary, you can roll back the system to the previous software version and configuration state. The system is rebooted and unavailable for a few minutes when you roll back.

To roll back the operating system:

1. Select Maintenance > System > Platform to display the system maintenance platform page.

System Maintenance Platform Page shows the system maintenance platform page for Ivanti Connect Secure.

2. Click Rollback.

System Maintenance Platform Page


  • The rollback option appears only if you have previously upgraded the system software.
  • If you have enabled logging for System Status (System > Log/Monitoring > Events > Settings page), logs are written to the Events logs page.

Downloading Client Installer Files

You can use the system maintenance client installers page to download client installer files. The downloadable files include .exe and .msi files for installing clients on Windows platforms, and .dmg files for installing clients on Macintosh platforms.

To download client installer files:

1. Select Maintenance > System > Installers to display the client installer files page.

System Maintenance Client Installers Page - Ivanti Connect Secure shows the client installer files for Ivanti Connect Secure.

2. Click Download to download the file to your local host.

System Maintenance Client Installers Page -Ivanti Connect Secure


Restarting, Rebooting, and Shutting Down the System

You can use the admin console to perform restart, reboot, and shut down operations. The following items explain these terms:

Restart: Kills all processes and restarts the system. The system is available again after a few minutes.

Reboot: Power cycles and reboots the system. The system is available again after a few minutes.

Shut Down: Shuts down the system. The system is not available again until the physical power button on the physical device is used to restart the system.

The restart, reboot, and shutdown operations are applied to all enabled members of a cluster. If you do not want to apply the operations to all members of the cluster, use the System > Clustering > Status page to disable members; then perform the restart, reboot, or shut down operation.

To restart, reboot, or shut down the system:

1. Select Maintenance > System > Platform to display the system maintenance platform page.

System Maintenance Platform Page shows the system maintenance platform page for Ivanti Connect Secure.

2. Click the desired node operation:

Restart Services

Reboot

Shut Down

System Maintenance Platform Page


If you have enabled logging for Administrator changes (System > Log/Monitoring > Admin Access > Settings page), a log is written to the Admin Access logs page. If you have enabled logging for System Status (System > Log/Monitoring > Events > Settings page), logs are written to the Events logs page.

Testing Network Connectivity

You can use the admin console to test network connectivity to all the servers with which the system is configured to communicate, for example network services or AAA servers.

To test network connectivity:

1. Select Maintenance > System > Platform to display the system maintenance platform page.

System Maintenance Platform Page shows the system maintenance platform page for Ivanti Connect Secure.

2. Click Test Connectivity.

Server connectivity results are highlighted in the figure.

System Maintenance Platform Page
