PP Connector Upgrade Failures

If the App Connector upgrade fails, the following reasons could be the cause:

1. Upgrade has been in a failed state for more than 24 hours.

2. The image cannot be downloaded because there is no disk space left.

3. The image cannot be downloaded due to an inconsistent connection between the App Connector and the CO2BR (App Connector to Public Service Edge endpoint).

4. The Provisioning Key was deleted in the ZPA Admin Portal.

   
   

1. Upgrade is in a Failed State for More Than 24 Hours

If the upgrade has failed for more than 24 hours, collect the following logs and review them:

• sudo cat /opt/zscaler/var/version

• sudo ls -lrta /opt/zscaler/var/version

• sudo cat /opt/zscaler/var/updater.version

• sudo /opt/zscaler/var/image.bin -version

• sudo ls -lrta /opt/zscaler/var/image

  
  

2. The Image Cannot Download Due to Lack of Disk Space

If the image cannot be downloaded because of insufficient disk space, perform the following steps:

• Check disk space for the following directories:

sudo df -h /

sudo du -h /

sudo du -a / | sort -n -r | head -n 10

• Delete any unnecessary directories, except /opt/zscaler, to free up space. Once there is sufficient space, the image will download to /opt/zscaler/var/image.bin.

3. Inconsistent Connection Between the App Connector and CO2BR

If the image cannot be downloaded due to an inconsistent connection, verify the App Connector’s connection to the ZPA Public Service Edge:

• Run the following command to check for connection stability:

  perl

  Copy

  journalctl -n 1000 | grep zscaler-update

4. Provisioning Key Deleted in the ZPA Admin Portal

If the Provisioning Key was deleted in the ZPA Admin Portal, follow these steps:

1. Go to the App Connector page and identify the App Connector’s group.

2. Go to the Provisioning Key page and locate the corresponding App Connector group. If the group is not listed in the App Connector Group column, the key has been deleted from the ZPA Admin Portal.

3. Delete the App Connector and re-enroll it. This will allow you to create a new provisioning key for the App Connector.

If None of the Above Causes the Upgrade Failure:

1. Restart the App Connector:

   • Stop and restart the App Connector to see if the issue resolves.

2. Check Zscaler Public Service Edge DNS:

   • Run the following command to check DNS resolution for Zscaler Public Service Edge:

   csharp

   Copy

   [admin@localhost ~]$ dig +short co2br.prod.zpath.net 13.60.119.37 42.68.244.163

3. Verify TLS Connection:

   • Check if the App Connector can establish a TLS connection using the openssl command. You should receive a certificate subject string from the Public Service Edge.

   perl

   Copy

   [admin@localhost ~]$ openssl s_client -servername mockcompany.com.server1.net -connect 13.60.119.37:443 2>&1 | grep subject subject=/C=US/ST=California/L=San Jose/O=Zscaler/OU=Emerging Technologies/CN=broker1a.sjc8.prod.zpath.net

   • If you receive a certificate subject, proceed to the next troubleshooting steps.

   • If you do not receive a certificate subject, there may be a TLS communication error that needs to be resolved.