CSA troubleshooting steps

Version 2

    Verified Product Versions

    Endpoint Manager 2016.xEndpoint Manager 2017.xEndpoint Manager 2018.x

     

    Purpose

    The idea of this document is to list all the troubleshooting/verification steps in order to help you identify the root cause when the communication with or through your CSA fails. This should be your "central hub" for CSA troubleshooting unifying in one place all other articles for troubleshooting some parts of CSA.

     

    Troubleshooting steps

     

    1. CSA third-party certificate & Core - CSA communication

    In the first step please verify the communication between your Core server and your CSA as well as your CSA third-party certificate by following the article: Mobility enrollment failure troubleshooting steps.

     

    If you have any issue to add your third-party certificate to your CSA please check Failed to post the certificate to the CSA.

     

    2. APNS certificate

    In the second step please check if your APNS certificate has not been expired: Adding/Renewing Apple APNS Certificate to LDMS Core.

     

    3. CSA configuration & certificates

    In the third step please check all the points of the following CSA configuration article - in particular, please check the hostname of your CSA according to point 21 as well as the public address of your CSA.

     

    Please also check the "Core Configuration" part and all the sub-elements corresponding to the certificates. Please check how many certificates do you have in your CSA - are there more than one? In order to check your certificate please apply the "Modify" and then "Apply" options to your certificate that is supposed to work just to see if it works without any problems. 

     

    4. Open Ports

    Please check if the 3 necessary ports are open on your CSA (80, 443, 444) - you can perform this test putting the address of your CSA at this website for example.  All these 3 ports must be open on your CSA to ensure good communication - please read the article about ports used by Ivanti if you want to know more on that subject. 

     

    So please make sure that your Core server can communicate with ports 443, 444 and 80 of your CSA and that these ports are open at your CSA level. Please ensure that this network flow is not blocked by your antivirus or firewall. Please also check if your Core server needs the proxy to communicate with the external network and if this proxy is configured correctly.

     

    5. Internal & External hostname & IP

    According to the note quoted below in the following article about How To Add a Third Party Certificate to a Cloud Service Appliance, the external and internal names of your CSA must be the same to ensure the proper functioning of your external certificate. Please change the name and internal IP address to match the name and external address? Alternatively, you can check the "Use an internal address" box in your CSA configuration. You can simply replace the internal name with the external name directly in your CSA and it should work without any additional action.

    "Note: After the 3rd part cert is applied to your CSA; go into LDMS - Configure - Manage Cloud Service Appliance. With the 3rd party cert, the external name and internal name for the CSA must be the same for the 3rd party cert to work. They will both need to be the same name found on the 3rd party cert. This is usually the external name."

    Warning - The hostname of your CSA used in the "CSA internal name" field must also be present in the "Additional hostnames" field.

     

    6. BrokerConfig

    In order to further troubleshoot any communication issues with or through your CSA please check BrokerConfig.exe and its log by verifying all the steps of 3 following articles: