Cato Networks Knowledge Base

Troubleshooting Socket Registration/Initial Connectivity Failures

  • Updated


Registration is the process where a Socket is assigned to a site in the CMA. If registration does not complete properly, a Socket may fail to connect to the Cato Cloud.

A Socket may fail to register to the CMA after being reset or added as a new Socket. The Socket has internet connectivity but it can not proceed to complete the registration process. 

Possible Causes 

  • Registration mismatch between Socket and CMA
  • DTLS tunnel issues
  • Upgrade issues


The following steps may be followed to troubleshoot Socket registration/initial connectivity issues.


For Sockets previously registered to CMA

A Socket registration issue may be caused by a registration status mismatch between the Socket and the CMA.

  • If the Socket's local registration status shows a different account, the account and site will show on the About page. The socket can be unassigned directly from the Socket WebUI by clicking the Unassign button (supported from Socket v15 and higher). This operation will reset the socket to factory settings.
  • If the Socket is considered 'registered' in CMA, the Socket status will be Connected under the Sockets Inventory
  • The CMA's Socket registration status can be reset by unassigning the Socket from the site. Click Network > Sites > Select the site > Site Configuration > Socket. Under Actions select Unassign.

  • The Socket status under Sockets Inventory will change to Installed which means that the Socket is connected to the Cato Cloud but it isn't yet assigned to a site. The socket may reboot/upgrade during this step.

  • After a few minutes, an 'Activate New Socket' notification will pop up in CMA and the Socket can be re-assigned to the site.
  • If any of the above steps fail, please Contact Support.


For new Sockets

A new Socket fails to register with Cato. This may be caused by a DTLS tunnel establishment issue.

  • A PCAP capture can be run directly from the Socket WebUI to check for any possible issues with port TCP/443 used in an initial TLS connection with Cato or port UDP/443 used to establish the DTLS tunnel with Cato.  See Logging in to the Socket WebUI Locally.
  • From the Socket WebUI, open the Monitor page to see the connectivity status of the WAN port. It will display a message if there are connectivity issues with the Internet or with the Cato Cloud.

  • Get the Socket's local registration status which can be found under About in the WebUI.
  • If a firewall is placed in front of the socket, allow the ports and URLs listed in Cato Socket Connection Prerequisites
  • If any of the ports mentioned above are being blocked by the ISP or there are communication issues using the default port, the DTLS port can be changed to UDP/1337. See Setting a Different Port to Connect to the Cato PoP. The change will apply to new DTLS tunnels.
  • The previous step is supported on version 12 or above. If the socket is running a lower version, follow Reimaging a Socket via USB Drive which will install a more up-to-date version. The socket version can be found under About in the WebUI. 
  • If the issue continues please Contact Support and submit the PCAP capture taken before.

A new Socket may also fail to register with Cato if the initial upgrade process fails.

  • Check in the CMA and verify if there's a notification saying that the initial upgrade failed.
  • If the above notification is found, please Contact Support and report the failure.

Was this article helpful?

0 out of 0 found this helpful



Please sign in to leave a comment.