22.7R2 (ICS Gateway)

Symptom: TCP Dump size is 0 when captured from nSA.

Condition: Capture TCP Dump from nSA and verfiy its size.

Workaround: Capture TCP Dump from ICS Gateway.

22.6R1.2

Symptom: The configuration upload to nSA or Pulse one will be initiated again incase there are additional users logging in. If there are constant new users logging in, the full configuration upload will take longer.

Workaround: None

22.6R1

Symptom: SAML dependencies check does not include all checks, while creating the config sync rule.

Condition: When any configuration is dependent on the SAML Auth server, whether it is being used as a service provider or identity provider.

Workaround: Manually select all the SAML dependencies.

Symptom: HTTP error 500 after PUT and Unknown errors in Gateway Events Access logs

Condition: Observed during Gateway rollback.

Workaround: No functional impact. Config upload works fine upon retrying.

Symptom: Analytics Dashboard and Gateway logs are not synced with nSA.

Condition: ICS Gateways running on cloud with version 22.5R2 or above.

Workaround: NA

Symptom: 'Unsupported attribute type 0' errors in Gateway Admin Access logs during config sync operation.

Condition: Observed when config sync operation is performed where source gateway is running on R1 build (FIPS) and target gateway is running R2 build (Non FIPS)

Workaround: Exclude security settings from config sync rule.

Symptom: Config rule push status for the failed gateway will be in "pending" state in nSA Admin UI.

Condition: Config sync rule might fail for one of the target gateways, if entire config sync is pushed to multiple gateways.

Workaround: Delete the failed gateway entry from the config rule and create new config rule for the failed gateway only.

Symptom: Config sync push fails if /configuration/system/maintenance/options/gro-on-off is selected.

Condition: This issue can be seen for both Hardware appliances as well Virtual appliances.

Workaround: Avoid selecting this option while creating a config sync rule.

22.5R1

Symptom: Dependency check for resources policies.

Condition: When resource policies are part of config sync rule.

Workaround: Do not include resource policies in selective config sync rule or skip dependency check.

Symptom: HTTP PUT errors observed in logs.

Condition: When Gateway is registered with nSA sometimes HTTP put errors observed in Events logs.

Workaround: NA

22.4R3

Symptom: When RBAC user navigates to Config Sync rule page, you may not see config sync rules properly.

Condition: While creating RBAC role with connect secure Gateway permissions, user does not select GW's under selected Gateways list which are part of Config Sync rule.

Workaround: Make sure to select all GW's under selected Gateways which are part of config sync rule while creating RBAC role.

22.4R2

Symptom: Program unityConfigSpli fails after gateway reboot.

Condition: When gateway is registered with nSA and upon gateway reboot.

Workaround: NA

22.4R1

Symptom: Config upload post Gateway reboot fails when configurations with resource profile name containing unicode characters. For example but not limited to : ¯, ß, ð, ƒ, ©, þ.

Workaround: Identify the unicode characters in resource profile and remove them from gateway.

Symptom: Admin may not find all application names in the sanky chart which are listed in the access trend chart.

Workaround:NA

Symptom: Admin may see some text and labels in lower case and some in upper case

Workaround: NA

Symptom: When multiple client packages are present in gateway, errors are seen while uploading configurations to nSA.

Workaround: It is recommended to have only one client package in Gateway.

Symptom: Binary config import from a Gateway, which is registered to a different nSA, client certificates are getting replaced. After the import is successful, as the client certificates are getting replaced GW is trying to communicate to a different nSA due to which GW is going to "not ready" state.

Workaround: After the binary configuration import is successful, we need to remove the client certificates and re-register the GW.

Symptom: If one of the gateways goes down in a cluster, nSA is not showing the active session with another gateway, it still shows connected with the gateway which is down.

Workaround: NA

22.3R4

Symptom: Failure logs are seen multiple times during config sync operation.

Condition: When config sync rule fails, it is observed that failure logs are seen multiple times.

Workaround: Skip configuration, which is failing from config sync rule and trigger same rule again.

22.3R1

Symptom: Uploaded device certificate is not visible on the nSA.

Condition: When using nSA to import device certificate onto the ICS gateway.

Workaround: Wait for at least 10 seconds, and then refresh the page.

Symptom: ICS not sending logs to nSA and sessions are not reported.

Condition: When Admin configures the JSON filter.

Workaround: Remove JSON filter, which was created manually.

Symptom: Upgrade of cluster node fails with "Unable to extract installer" error message.

Condition: When upgrade triggered on a cluster:

•Node-1 upgrades successfully to 22.3R1 and prompts Node-2 to upgrade.

•Node-2 copies the package from Node-1, but fails to extract the installer.

•This is due to free disk space constraints on Node-2.

Workaround:

Follow the below procedure:

1.Power cycle Node-2.

2.Press Tab and boot into Standalone mode.

3.Access the UI and follow the procedure mentioned in https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44877/?kA13Z000000L3Z5 to clean up space.

4.Reboot and join the cluster.

Upgrade should now go through fine.

22.2R1

Symptom: Radius Auth server User Attributes do not display code/number associated with them on nSA UI.

Condition: Creating/Editing a Role Mapping rule based on User Attributes under a User Realm with Radius auth server.

Workaround: The code/number associated with the attributes can be viewed on GW UI.

Symptom: Enduser is not able to receive multicast traffic.

Condition: When the enduser is connected to VPN in ESP.

Workaround: Not applicable

Symptom: Config Template: Adding MDM server for 22.1R1 template fails.

Condition: When Admin tries to add an MDM server for 22.1R1 template it shows this element is not expected.

Workaround: Upgrade the Gateways to 22.2R1 and add this Gateway to 22.2R1 template and create the configuration.

Symptom: Configuration values in Security Settings > Miscellaneous page is not retained.

Condition: When nSA admin tries to configure values in Security Settings > Miscellaneous page.

Workaround: No functionality impact, configs are pushed successfully.

Symptom: Second node in the cluster is shown as disconnected.

Condition: Upgrade from older release to 22.2R1 build, through nSA.

Workaround: Navigate to the cluster through nSA and check the status.

Symptom: Default and Factory version name is not displayed for default Ivanti Secure Access Client package.

Condition: Admin selects the gateway and accesses Ivanti Secure Access Client Components.

Workaround: Not applicable

Symptom: Roll back option not available in nSA for AA cluster.

Condition: When Admin tries to do a roll back from nSA.

Workaround: Reboot the AA cluster.

Symptom: Default and Factory Version labeling name is not displayed for default Client package.

Condition: Select gateway and access Client Components in nSA.

Workaround: Not applicable

Symptom: Resource not exists is displayed while trying to delete Internal, external, management port.

Condition: Select a gateway > Navigate to Network > Vlan > Internal, external, management > virtual port.

Workaround: Perform the Configuration using Gateway Admin UI.

Symptom: Unable to configure cluster when License server configured on both nodes.

Condition: When License server is configured on Gateways used to create cluster.

Workaround: Remove License server configuration from Gateways and create cluster.

Symptom: When admin tries to filter out logs in Template> logs page.

Condition: When controller logs filter is set to true.

Workaround: None

Symptom: XML Import of SAML SSO 1.1 policy and creation from nSA fails.

Condition: Import of SAML SSO 1.1 policy and policy creation.

Workaround: Use the Gateway Admin UI.

Symptom: "Unknown Error" is displayed on the nSA Admin UI, while adding gateway to configuration template.

Condition: When admin tries to add gateway with many large configurations. For example, many Host Checker policies.

Workaround: Ignore the error as the Gateway is added to template and config is pushed to gateway.

Symptom: Expired certificate is getting imported on nSA from Config Template > Trusted Server page.

Condition: When Admin tries to import an expired CA certificate in nSA.

Workaround: Ensure that the certificate is valid before importing it on nSA.

Symptom: Editing the configuration name is not working on nSA.

Condition: Create an new component set for Client Components, edit the name of the component set and the edited name is not being reflected in nSA but it is successfully pushed to ICS Gateway.

Workaround: No functionality impact.

Symptom: Updating ESAP package to cluster will not work when one node is in connected state and other is in disconnected state.

Condition: When user tries to update the ESAP package to a cluster.

Workaround: Update ESAP package from the active node configuration.

Symptom: Reconcile configuration takes few seconds.

Condition: Select a Gateway or cluster, which exists in the configuration template and click Reconcile configuration.

Workaround: None

Symptom: Deletion time is high while deleting the config in configuration template.

Condition: Deleting many server configurations at a time.

Workaround: Deleting minimal amount of configuration or server config from template.

Symptom: File upload fails to push to Gateway for VMware and Citrix download configurations.

Condition: Admin tries to upload large size file.

Workaround: Use the Gateway Admin console to upload the configuration.

Symptom: ICS gateway model details not updated correctly on nSA.

Condition: When licenses are installed on Gateway after nSA registration.

Workaround: Install all required licenses before registering to nSA.

Symptom: Deleting AD Auth server shows internal server error in nSA.

Condition: Deleting AD Auth server from nSA.

Workaround: Refreshing the page shows AD AUTH is deleted.

22.1R1

Symptom: nSA is not reachable using web browser.

Condition: When the Admin refreshes the Configuration template page.

Workaround: None. nSA becomes reachable in few minutes.

Symptom: While navigating to the Gateway list page user might get 'Request failed with status code 500' error.

Condition: When more then 100+ Gateways are registered with nSA, sometimes navigating to Gateway list page results in above mentioned error.

Workaround: Waiting or refreshing the page resolves the issue.

Symptom: Reconciliation fails with a config group template having a CA certificate, which already exists on the Gateway.

Condition: Admin tries to perform a Reconciliation in nSA.

Workaround: Delete the duplicate certificate from the Gateway before trying reconciliation again.

Symptom: Configuration status of one or more Gateways on Configuration template shows "pending configuration". Host Checker configuration made on configuration template is not pushed to particular Gateways.

Condition: Gateways are added to configuration template and Host checker configurations (Policy and Rules) done using configuration template.

Workaround: Select all Gateways in "pending configuration status" and do reconciliation.

Symptom: Download percentage towards end shows more then 100%.

Condition: Admin starts Gateway upgrade from nSA, and then observes the download percentage.

Workaround: Wait for package download operation to complete, even if the % goes to around 120%.

Symptom: nSA ICS Overview dashboard Info panel shows empty values for some users.

Condition: Issue is seen for the sessions, whose Host Checker logs generated by Gateway do not have both device_id and browser_id values.

Workaround: None

21.12

Symptom: nSA Insights page displays Users/Sessions as active when session is suspended in client.

Condition: When the user VPN connection is suspended from the client.

Workaround: None

Symptom: The ICT changes are not sent through passive node of cluster.

Condition: In Active/Passive cluster, the configuration change for ICT is not sent through passive node.

Workaround: Admin needs to send the ICT related changes to active node in cluster.

Symptom: The status info like cluster reboot/ICT/cluster upgrades are not synced between Gateways in nSA cluster.

Condition: In any cluster, the cluster wide actions status are not synced.

Workaround: None

Symptom: When Admin sends ICT config, Gateway logs shows interval is seen in seconds instead of hours/minutes format.

Condition: When ICT configuration is sent from nSA.

Workaround: None

Symptom: Gateway certificate Renewal Failed" error messages seen on nSA.

Condition: When registering release 21.9 Gateway devices in release 21.12 nSA.

Workaround: Upgrade the Gateway to release 21.12.

Symptom: One of the upgraded node in Active/Passive cluster will intermittently be showing the old version in nSA.

Condition: During the Active/Passive cluster upgrade.

Workaround: Rebooting the problematic device will fix the issue in nSA.

Symptom: The first time changes to ICT are not pushed to ICS Gateway.

Condition: Post registration to nSA, the first time configuration changes are not pushed to Gateway.

Workaround: Admin needs to reconfigure the ICT with different values.

Symptom: In nSA application access count is incremented, even though application is not accessed.

Condition: When resource is not reachable or disconnected from the internal port of ICS or internal VLAN port of ICS.

Workaround: None

21.9

Symptom: ICS Gateway: Gateway selection at the top of the page is not applicable for Insights pages.

Workaround: Apply a global Gateway filter on the dashboard.

Symptom: ICS Gateway: Insights > Users > Session types chart > View All - device type is missing for IF-MAP imported sessions in table view.

Workaround: None

Symptom: Cluster Table is not getting updated when user tries to destroy the registered Virtual ICS/ PCS Gateway from ESXi server.

Condition: Destroy the Gateway in ESXi server without deleting the Cluster.

Workaround: Delete the created Cluster and then destroy the virtual Gateways in ESXi server.

Symptom: nslookup with TXT query returns large response then 403 error is seen in Admin UI events log.

Condition: nslookup with TXT query returning large response.

Workaround: Use the Gateway nslookup query.

Symptom: Use proxy gets enabled on System > Ivanti Neurons for Secure Access, though set to no in REST API.

Condition: When using /api/v1/nsa/register REST API to register ICS Gateway with nSA.

Workaround: If not going to use proxy, do not send proxy related config in the POST body.

Symptom: After cluster upgrade to 9.1R12, node details, tunnel type, tunnel IP details are not updating in user access logs.

Condition: In AA Cluster, upgrading cluster nodes when 5K users (or more users) connected and traffic is on, user might see node details, tunnel type, tunnel IP details are not updating in user access logs.

Workaround: Do the upgrade process during, off-peak hours.