Troubleshooting Socket Registration/Initial Connectivity Failures

Issue

Registration is the process where a Socket is assigned to a site in the CMA. If the registration is not completed properly, a Socket may fail to connect to the Cato Cloud.

A Socket may fail to register to the CMA after being reset or added as a new Socket. The Socket has internet connectivity but it can not proceed to complete the registration process. 

Possible Causes 

  • Registration mismatch between Socket and CMA
  • DTLS tunnel issues
  • Upgrade issues
  • Wrong License

Troubleshooting 

The following steps may be followed to troubleshoot Socket registration/initial connectivity issues.

 

For Sockets previously registered to CMA

A Socket registration issue may be caused by a registration status mismatch between the Socket and the CMA. One possibility is a local reset on the socket, which can be achieved by Resetting a Socket using the FD/reset button or Reimaging a Socket via USB Drive.

Checking the Socket's local registration status:

  • The Socket's local registration status can be seen in the About tab of the WebUI. See Logging in to the Socket WebUI Locally.
    • The message "Still not registered in CC2" will show up if the Socket isn't registered.
    • If the Socket retains local registration, the About page will show the account and site that the socket has been registered to.

  • To reset the Socket's local registration status, the socket can be unassigned directly from the Socket WebUI by clicking the Unassign button (supported from Socket v15 and higher) which is only available when the DTLS tunnel is down. This operation will reset the socket to factory settings.
  • Optionally, a PCAP capture can be run directly from the Socket WebUI to check if the socket is attempting to register. See Logging in to the Socket WebUI Locally.
    • Port TCP/443 is used during the registration process with Cato.
    • Port UDP/443 is used to establish the DTLS tunnel with Cato after the registration process is completed.

Checking the Socket's CMA registration status:

  • If the Socket is considered 'registered' in CMA, the Socket status will be Connected under the Sockets Inventory
  • The CMA's Socket registration status can be reset by unassigning the Socket from the site. Click Network > Sites > Select the site > Site Configuration > Socket. Under Actions select Unassign. The socket may reboot/upgrade during this step.

  • After the Socket is unassigned from the site, its status under Sockets Inventory will change to Installed which means that the Socket is connected to the Cato Cloud but it isn't yet assigned to a site. 
  • After a few minutes, an 'Activate New Socket' notification will pop up in CMA and the Socket can be re-assigned to the site.
  • If any of the above steps fail, please Contact Support.

 

For new Sockets

A new Socket fails to register with Cato. This may be caused by a DTLS tunnel establishment issue.

  • From the Socket WebUI, open the Monitor page to see the connectivity status of the WAN port. It will display a message if there are connectivity issues with the Internet or with the Cato Cloud.

  • Get the Socket's local registration status which can be found under About in the WebUI.
    • The message "Still not registered in CC2" will show up if the Socket isn't yet registered. Possible connectivity issue over Port TCP/443.
    • If the Socket got a local registration, the About page will show the account and site that the socket has been registered to.
  • A PCAP capture can be run directly from the Socket WebUI to check deeper for any connectivity issues. See Logging in to the Socket WebUI Locally.
    • Port TCP/443 is used during the registration process with Cato.
    • Port UDP/443 is used to establish the DTLS tunnel with Cato after the registration process is completed.
  • If a firewall is placed in front of the socket, allow the ports and URLs listed in Cato Socket Connection Prerequisites
  • If any of the ports mentioned above are being blocked by the ISP or there are communication issues using the default port, the DTLS port can be changed to UDP/1337. See Setting a Different Port to Connect to the Cato PoP. The change will apply to new DTLS tunnels.
  • The previous step is supported on version 12 or above. If the socket is running a lower version, follow Reimaging a Socket via USB Drive which will install a more up-to-date version. The socket version can be found under About in the WebUI. 
  • If the issue continues please Contact Support and submit the PCAP capture taken before.

Registration failure caused by an upgrade failure

A new Socket may also fail to register with Cato if the initial upgrade process fails.

  • Check in the CMA and verify if there's a notification saying that the initial upgrade failed.
  • If the above notification is found, please Contact Support and report the failure.

The Socket disconnects after being registered and added to a Site

This issue may be caused by an invalid license assigned to the site.

  • An 'Activate New Socket' notification is received and the Socket is successfully added to the site. However, the Socket gets disconnected after a few minutes.
  • Check in the CMA, Administration > License > Bandwidth, that the license shown in the Plan column is Trial or Commercial. A scheduled license will cause the Socket to disconnect after being added to the Site. See License Life Cycles for Accounts and Sites
  • If the license is scheduled, please contact your Cato SE or CSM representative to have the license updated. If the license is Trial or Commercial and the issue continues, please Contact Support

Was this article helpful?

0 comments

Add your comment