Known Issues

22.8R1.2

Symptom: Start time may appear as blank for cluster which are part of config sync rule, when cluster status is not yet synced with controller

Workaround: Wait for cluster status sync to happen with controller or DIsable/Enable cluster nodes, then trigger config sync rule

Symptom: Eligible Gateways count shows extra entries when 9.X GW's are also registered with controller.

Workaround: N/A

Symptom: Sequential stage and upgrade for the valid gateways also fails with a toast message in UI even when there are multiple standalone gateways/cluster triggered for stage and upgrade does not meet the criteria for the gateway version not supported/gateway disconnected

Workaround: NA

Symptom: Toast message in the UI shows the gateway id instead of gateway name when there is a failure in triggering stage/upgrade which could happen due to the gateway version not supported for stage/upgrade or if the gateway is in disconnected state

Workaround : NA

Symptom: Gateway List page will show the status of a specific gateway as "4/4 Upgraded" instead of "4/4 Staged" once the package is staged successfully on the gateway

Workaround: NA

Symptom: INSTALL button post successful staging will still be visible in the UI under Manual/Schedule Stage and Upgrade tab even when GW upgrade is already in progress

Workaround : NA

Symptom: Screen flickering issue seen sometimes during the execution of a config sync rule.

Workaround: Navigate to any other page and come back to config sync page

Symptom: Restarting services fails to update or synchronize the cluster status on the controller.

Workaround: Disable/Enable node will sync cluster configuration on nSA.

Symptom: Unable to modify Custom Expression from nSA.

Workaround: NA

Symptom: McAfeeAntiVirusHigh default AV import issue.

Workaround:

•Unmap default McAfeeAntivirushigh device policy in auth policy or in secure access policy if configuration import error in Admin logs or warning in device policy page.

•Create custom AV policy for McAfeeAntiVirusHigh and map it for the policy.

Symptom: Syslog forwarding configuration with "via Gateways" on ZTA may impact syslog forwarding for nSA and ZTA.

Cause: System tries to forward logs "via Controller" also even with configuration "via Gateways" on ZTA.

Workaround: On ZTA, Configure Syslog Server for ZTA "via Controller" only.

Symptom: TCP dump action under Gateway Troubleshooting in nSA/ZTA fails to upload the dump to Troubleshooting overview intermittently when admin is unable to stop the TCP dump

Workaround: TCP dump could be available from ICS Gateway console and in case of ZTA, re-try triggering TCP dump action

Symptom: Unicodes are seen sometimes in the Tenant UI instead of Icons.

Condition: While using the Tenant using Chromium browser.

Workaround: No functional impact. Reopen the App in another tab in the browser, issue will not be seen.

22.8R1

Symptom: When source gateway is running on version 22.7R2.5 or lower and target gateway is running on version 22.7R2.6, during selective config sync operation, config sync gateway status remains in Importing state.

Workaround: Include at least one modified configuration option from Systems Settings > Configuration in the config sync rule when the source gateway is running version 22.7R2.5 or lower and syncing to a target gateway running version 22.7R2.6 Or Upgrade source gateway to version 22.7R2.6.

Symptom: Config Sync Schedule Jobs - creating schedule job with no end date results in an unknown error.

Workaround: Create schedule job with some end date, then edit rule, and set date to no end date.

Symptom: Report job fails when creating a report adhoc or scheduled, and an admin configures it to share with any admin user in the tenant.

Workaround : NA

22.7R1.6

Symptom: Admin can observe Active Session count mismatch between Gateway and nSA Dashboard intermittently.

Workaround: Session count is synced hourly. Admin should see matched count every hour.

Symptom: GroupBy option in tenant admin logs is not showing any data.

Workaround: No workaround.

Symptom: Config Sync Status shows an error.

Workaround: No workaround, see Config Sync Rule.

Symptom: TCP dump action under Gateway Troubleshooting in nSA/ZTA fails to upload the dump to Troubleshooting overview intermittently when admin is unable to stop the TCP dump

Workaround: TCP dump could be available from ICS Gateway console and in case of ZTA, re-try triggering TCP dump action

22.7R2.3 (ICS GW)

Symptom: jsonConfigHelpe process crash is observed during config sync operation.

Condition: When entire config sync operation failed with long error message, splitted failure. log messages got truncated, due to which sometime jsonConfigHelpe process crash is observed.

Workaround: Try Selective config sync.

Symptom: XML Import failure logs gets truncated on Gateway during config sync operation.

Condition: When entire config sync operation failed with long error message, splitted failure log messages got truncated.

Workaround: Try Selective config sync.

22.7R1.5

Symptom: Error while trying to reset TOTP user account from nSA controller under Administration > Admin Management > Authentication Servers if secondary auth is configured for the sign-in policy

Workaround: No workaround

Symptom: TCP dump action under Gateway Troubleshooting in nSA fails to upload the dump to Troubleshooting overview. This issue happens intermittently when Admin is unable to stop the TCP dump.

Workaround: Use the ICS Gateway console for performing the TCP dump.

22.7R1.4

Symptom : The consolidated landing page (ZTA+nSA) is currently in preview mode, you may see some discrepancies between the chart counts and the logs/table views of the corresponding charts.

Workaround : No workaround

Symptom: The platform license fails to update in the gateway after toggling between gateway license and nSA licensing modes.

Condition: Post-transition from the default Gateway licensing mode to nSA named user licensing mode, login is restricted to more than two users.

Workaround: Restart the services or reboot the gateway.

Symptom : Column re-sizing is not supported under Administration > Subscriptions > Users

Workaround : No workaround

22.7R1.3

Symptom: In certain cases, incorrect tenant identity values are included in messages transmitted by Gateways that are registered with the nSA Controller. This may cause the controller to overlook certain log messages and cause the related data to disappear from analytics dashboards.

Workaround: No workaround

Symptom: nSA Config Sync: The admin log for the sync rule is not appearing.

Workaround: No workaround

Symptom: When exporting logs for any L4 dashboard, the active view data is displayed for the previous four days, but only the last hour is exported.

Workaround: To see the correct logs in a csv or json export, choose the custom time range that needs to be sent with the data.

Symptom: Active view (past 1 hour): The home page for nSA+ZTA's consolidated data will only display the current user count activity, not the entire history of user activity over the previous hour.

Workaround: ZTA users' total activity over the past hour (Active view) will be displayed on the Overview page.

Symptom: The All Gateway count on the Overview page and Insight > Gateways summary shows the registered and online gateways count only in the historic view.

Workaround : No workaround

Symptom: Username sorting is not working on Subscriptions > Users page

Condition: Observed when subscription page has entries without username, only device login entries.

Workaround: No workaround

Symptom: Offline Gateway count doesn’t gets displayed on Gateway Overview page.

Condition: This is observed with certain screen resolution.

Workaround: Increase screen resolution to fix the issue.

Symptom: Any number of nodes can be added while creating cluster from nSA.

Condition: For Gateways other then virtual Gateways.

Workaround: No workaround

Symptom: Unable to login to staging tenant, getting 'Your request could not be authenticated (Error 401)'.

Workaround: Relaunch the browser or login using incognito mode.

Symptom: Error message while upgrading cluster from nSA when its status is not yet updated.

Workaround: No workaround

Symptom: On the Consolidated Landing Page, the Current Day view (Displayed as Last X hours) may show a count mismatch between the Summary Panel and the Table.

Condition: When admin wants to view details of current day's data.

Workaround: The admin can utilise the custom view to observe data for the same time range.

Symptom: The admin might notice discrepancies between the device counts in the Summary Panel and the Table view when clicking on the counter.

Condition: Endpoints without a device identification number or share the same device identification number.

Workaround: Consider the Summary Panel count as the accurate count.

Symptom: Even after turning off the proxy, ICS keeps using it to communicate with the nSA (notification channel).

Workaround: Reboot the ICS Gateway when there is a change in Proxy setting.

Symptom: With gateways upgraded from 9.1R18.2 to 9.1R18.6 and higher, config sync has known issues with maintenance/archiving settings.

Workaround: If archive system configuration or archive user accounts is enabled then update day settings may be blank after upgrade then save these settings from nSA UI and retrigger the config sync rule.

Symptom: After upgrading the Gateway from nSA, nSA continues to show the previous version/unupdated version.

Workaround: Restart the services/Restart the Gateway.

Symptom: 1. Invalid download URL error while importing ESAP package. 2. Not Found error while browser HC policies.

Condition: 1. Whenever custom ESAP package is uploaded from nSA UI, 'Invalid Download URL' error is seen.

2. After successful activation of the custom ESAP package on Gateway, a Not Found error prevents the Host Checker (HC) Create Read Update Delete (CRUD) operations from being completed from the nSA UI.

Workaround: Perform HC policy CRUD operations from the Gateway UI.

Symptom: The count shown for specific gateway version might differ between the Gateway by version chart and the table view under Insights > Gateways in nSA.

Workaround : No workaround

Symptom : Consolidating landing page(ZTA+nSA) is in preview mode and hence there could be data mismatch between the counts on the chart compared to the logs/table view of corresponding charts.

Workaround : No workaround

Symptom: If admin activates an unsupported ESAP package on the nSA Controller UI, it results in deletion of all the existing ESAP packages from the gateway.

Condition: Admin activating an unsupported ESAP package on the nSA controller UI.

Workaround: Admin can activate a supported ESAP package from nSA or from the Gateway UI. For minimum supported ESAP version, refer to Supported Platform Guide.

Symptom: Admins might observe a slight difference in the CPU, Swap Memory, Disk Usage and Network Throughput values shown on the tooltip forTop Gateways by Health chart under nSA > Insight > Gateways and the table view logs for respective gateways.

Workaround : No workaround

Symptom: Read only admin is able to make changes to cluster status and properties on nSA controller UI.

Condition: Read only admin performing CRUD operations of cluster status and properties on nSA controller UI.

Workaround: No workaround

Symptom: Selective config sync with archiving settings or entire config sync failure.

Condition: Selective config sync of 'archiving' settings or entire config sync may fail with could not access or modify schedule item in cache or component selected without selecting any Day error.

Workaround: Either remove archiving settings from config sync rule or fix components where days are not selected.

Symptom: Selective config sync with automatic snapshot settings or entire config sync failure.

Condition:Selective config sync of automatic snapshot settings or entire config sync may fail with Take a snapshot every (minutes)] Invalid value 0: integer must be 1 to 20219 error.

Workaround: Either remove automatic snapshot settings from config sync rule or fix snapshot settings.

Symptom: Selective config sync with 'User Realms' settings or entire config sync failure.

Workaround: Remove 'User Realms' settings from config sync rule.

Symptom: Selective config sync with Certificates settings or entire config sync failure.

Condition: Selective config sync of 'Certificates' settings or entire config sync may fail with Invalid reference error.

Workaround: Remove Certificates settings from config sync rule or manually import the certificate which is causing failure.

Symptom: Selective config sync with Security settings or entire config sync failure.

Condition: Selective config sync of Security settings or entire config sync may fail with Custom cipher does not match the available selection error.

Workaround: Remove Security settings from config sync rule or manually change custom chiper which is causing failure.

Symptom: Selective config sync with Certificates settings or entire config sync failure.

Condition: Selective config sync of Certificates settings or entire config sync may fail with Invalid value for node crl-download-frequency error.

Workaround: Remove Certificates settings from config sync rule or manually change crl-download-frequency for certificates which is causing failure.

Symptom: Selective config sync with PSAM destination profile settings or entire config sync failure.

Condition: Selective config sync of PSAM destination profile settings or entire config sync may fail with Invalid value for identifier destination error.

Workaround: Remove PSAM destination profile settings from config sync rule or manually fix PSAM destination resource entries which is causing failure

Symptom: Selective config sync with Log/Monitoring settings or entire config sync failure.

Condition: Selective config sync of Log/Monitoring settings or entire config sync may fail with Modification of this attribute is not allowed error.

Workaround: Remove Log/Monitoring profile settings from config sync rule or manually fix attribute entries which is causing failure.

Symptom: Selective config sync with Admin Roles settings or entire config sync failure

Condition: Selective config sync of Admin Roles settings or entire config sync may fail with Invalid IP Address error

Workaround: Remove Admin Roles settings from config sync rule or manually fix IP entries which are causing failure.

Symptom: Selective config sync with Logs/Monitoring settings or entire config sync failure

Condition: Selective config sync of Logs/Monitoring settings or entire config sync may fail with error

Workaround: Remove Logs/Monitoring settings from config sync rule or manually fix log size below 200 MB which is causing failure.

Symptom: Selective config sync with SAML auth server settings or entire config sync failure.

Condition: Selective config sync of SAML auth server settings or entire config sync may fail with 'soap-responder-url is non-empty and source-id is empty' error.

Workaround: Remove SAML auth server settings from config sync rule or manually fix soap-responder-url and source-id field entries which is causing failure.

Symptom: During Gateway rollback observing, 'Failed to upload configuration commit message; Transfer returned result code 56' errors in Event logs.

Workaround: No workaround. Config upload works in the subsequent attempt.

22.7R2 (ICS Gateway)

Symptom: TCP Dump size is 0 when captured from nSA.

Condition: Capture TCP Dump from nSA and verfiy its size.

Workaround: Capture TCP Dump from ICS Gateway.

22.6R1.2

Symptom: The configuration upload to nSA or Pulse one will be initiated again incase there are additional users logging in. If there are constant new users logging in, the full configuration upload will take longer.

Workaround: None

22.6R1

Symptom: SAML dependencies check does not include all checks, while creating the config sync rule.

Condition: When any configuration is dependent on the SAML Auth server, whether it is being used as a service provider or identity provider.

Workaround: Manually select all the SAML dependencies.

Symptom: HTTP error 500 after PUT and Unknown errors in Gateway Events Access logs

Condition: Observed during Gateway rollback.

Workaround: No functional impact. Config upload works fine upon retrying.

Symptom: Analytics Dashboard and Gateway logs are not synced with nSA.

Condition: ICS Gateways running on cloud with version 22.5R2 or above.

Workaround: NA

Symptom: 'Unsupported attribute type 0' errors in Gateway Admin Access logs during config sync operation.

Condition: Observed when config sync operation is performed where source gateway is running on R1 build (FIPS) and target gateway is running R2 build (Non FIPS)

Workaround: Exclude security settings from config sync rule.

Symptom: Config rule push status for the failed gateway will be in "pending" state in nSA Admin UI.

Condition: Config sync rule might fail for one of the target gateways, if entire config sync is pushed to multiple gateways.

Workaround: Delete the failed gateway entry from the config rule and create new config rule for the failed gateway only.

Symptom: Config sync push fails if /configuration/system/maintenance/options/gro-on-off is selected.

Condition: This issue can be seen for both Hardware appliances as well Virtual appliances.

Workaround: Avoid selecting this option while creating a config sync rule.

22.5R1

Symptom: Dependency check for resources policies.

Condition: When resource policies are part of config sync rule.

Workaround: Do not include resource policies in selective config sync rule or skip dependency check.

Symptom: HTTP PUT errors observed in logs.

Condition: When Gateway is registered with nSA sometimes HTTP put errors observed in Events logs.

Workaround: NA

22.4R3

Symptom: When RBAC user navigates to Config Sync rule page, you may not see config sync rules properly.

Condition: While creating RBAC role with connect secure Gateway permissions, user does not select GW's under selected Gateways list which are part of Config Sync rule.

Workaround: Make sure to select all GW's under selected Gateways which are part of config sync rule while creating RBAC role.

22.4R2

Symptom: Program unityConfigSpli fails after gateway reboot.

Condition: When gateway is registered with nSA and upon gateway reboot.

Workaround: NA

22.4R1

Symptom: Config upload post Gateway reboot fails when configurations with resource profile name containing unicode characters. For example but not limited to : ¯, ß, ð, ƒ, ©, þ.

Workaround: Identify the unicode characters in resource profile and remove them from gateway.

Symptom: Admin may not find all application names in the sanky chart which are listed in the access trend chart.

Workaround:NA

Symptom: Admin may see some text and labels in lower case and some in upper case

Workaround: NA

Symptom: When multiple client packages are present in gateway, errors are seen while uploading configurations to nSA.

Workaround: It is recommended to have only one client package in Gateway.

Symptom: Binary config import from a Gateway, which is registered to a different nSA, client certificates are getting replaced. After the import is successful, as the client certificates are getting replaced GW is trying to communicate to a different nSA due to which GW is going to "not ready" state.

Workaround: After the binary configuration import is successful, we need to remove the client certificates and re-register the GW.

Symptom: If one of the gateways goes down in a cluster, nSA is not showing the active session with another gateway, it still shows connected with the gateway which is down.

Workaround: NA

22.3R4

Symptom: Failure logs are seen multiple times during config sync operation.

Condition: When config sync rule fails, it is observed that failure logs are seen multiple times.

Workaround: Skip configuration, which is failing from config sync rule and trigger same rule again.

22.3R1

Symptom: Uploaded device certificate is not visible on the nSA.

Condition: When using nSA to import device certificate onto the ICS gateway.

Workaround: Wait for at least 10 seconds, and then refresh the page.

Symptom: ICS not sending logs to nSA and sessions are not reported.

Condition: When Admin configures the JSON filter.

Workaround: Remove JSON filter, which was created manually.

Symptom: Upgrade of cluster node fails with "Unable to extract installer" error message.

Condition: When upgrade triggered on a cluster:

•Node-1 upgrades successfully to 22.3R1 and prompts Node-2 to upgrade.

•Node-2 copies the package from Node-1, but fails to extract the installer.

•This is due to free disk space constraints on Node-2.

Workaround:

Follow the below procedure:

1.Power cycle Node-2.

2.Press Tab and boot into Standalone mode.

3.Access the UI and follow the procedure mentioned in https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44877/?kA13Z000000L3Z5 to clean up space.

4.Reboot and join the cluster.

Upgrade should now go through fine.

22.2R1

Symptom: Radius Auth server User Attributes do not display code/number associated with them on nSA UI.

Condition: Creating/Editing a Role Mapping rule based on User Attributes under a User Realm with Radius auth server.

Workaround: The code/number associated with the attributes can be viewed on GW UI.

Symptom: Enduser is not able to receive multicast traffic.

Condition: When the enduser is connected to VPN in ESP.

Workaround: Not applicable

Symptom: Config Template: Adding MDM server for 22.1R1 template fails.

Condition: When Admin tries to add an MDM server for 22.1R1 template it shows this element is not expected.

Workaround: Upgrade the Gateways to 22.2R1 and add this Gateway to 22.2R1 template and create the configuration.

Symptom: Configuration values in Security Settings > Miscellaneous page is not retained.

Condition: When nSA admin tries to configure values in Security Settings > Miscellaneous page.

Workaround: No functionality impact, configs are pushed successfully.

Symptom: Second node in the cluster is shown as disconnected.

Condition: Upgrade from older release to 22.2R1 build, through nSA.

Workaround: Navigate to the cluster through nSA and check the status.

Symptom: Default and Factory version name is not displayed for default Ivanti Secure Access Client package.

Condition: Admin selects the gateway and accesses Ivanti Secure Access Client Components.

Workaround: Not applicable

Symptom: Roll back option not available in nSA for AA cluster.

Condition: When Admin tries to do a roll back from nSA.

Workaround: Reboot the AA cluster.

Symptom: Default and Factory Version labeling name is not displayed for default Client package.

Condition: Select gateway and access Client Components in nSA.

Workaround: Not applicable

Symptom: Resource not exists is displayed while trying to delete Internal, external, management port.

Condition: Select a gateway > Navigate to Network > Vlan > Internal, external, management > virtual port.

Workaround: Perform the Configuration using Gateway Admin UI.

Symptom: Unable to configure cluster when License server configured on both nodes.

Condition: When License server is configured on Gateways used to create cluster.

Workaround: Remove License server configuration from Gateways and create cluster.

Symptom: When admin tries to filter out logs in Template> logs page.

Condition: When controller logs filter is set to true.

Workaround: None

Symptom: XML Import of SAML SSO 1.1 policy and creation from nSA fails.

Condition: Import of SAML SSO 1.1 policy and policy creation.

Workaround: Use the Gateway Admin UI.

Symptom: "Unknown Error" is displayed on the nSA Admin UI, while adding gateway to configuration template.

Condition: When admin tries to add gateway with many large configurations. For example, many Host Checker policies.

Workaround: Ignore the error as the Gateway is added to template and config is pushed to gateway.

Symptom: Expired certificate is getting imported on nSA from Config Template > Trusted Server page.

Condition: When Admin tries to import an expired CA certificate in nSA.

Workaround: Ensure that the certificate is valid before importing it on nSA.

Symptom: Editing the configuration name is not working on nSA.

Condition: Create an new component set for Client Components, edit the name of the component set and the edited name is not being reflected in nSA but it is successfully pushed to ICS Gateway.

Workaround: No functionality impact.

Symptom: Updating ESAP package to cluster will not work when one node is in connected state and other is in disconnected state.

Condition: When user tries to update the ESAP package to a cluster.

Workaround: Update ESAP package from the active node configuration.

Symptom: Reconcile configuration takes few seconds.

Condition: Select a Gateway or cluster, which exists in the configuration template and click Reconcile configuration.

Workaround: None

Symptom: Deletion time is high while deleting the config in configuration template.

Condition: Deleting many server configurations at a time.

Workaround: Deleting minimal amount of configuration or server config from template.

Symptom: File upload fails to push to Gateway for VMware and Citrix download configurations.

Condition: Admin tries to upload large size file.

Workaround: Use the Gateway Admin console to upload the configuration.

Symptom: ICS gateway model details not updated correctly on nSA.

Condition: When licenses are installed on Gateway after nSA registration.

Workaround: Install all required licenses before registering to nSA.