Overview
Socket deployment is the first critical step onboarding a site to the Cato cloud. Failures to register a socket to the cloud represent the first hurdle in utilising the feature set that Cato offers. This playbook supports administrators in troubleshooting any issues they may face on socket deployment.
Symptoms
A failure in socket registration can manifest in a number of ways. An administrator may note the following symptoms:
- No new socket notification when connecting socket to internet
- New socket notification is received but the initial firmware upgrade fails
- No site found when assigning a Socket
- Socket registered to site successfully but site goes offline shortly after
- Socket not assignable after unassigning from a site
Possible Causes
The majority of cases in which registration is failing falls under the following causes:
- Registration mismatch between Socket and CMA
- DTLS tunnel Connectivity issues
- Scheduled license causes site to go offline.
Troubleshooting the Issue
Steps to troubleshoot the symptoms an Administrator may encounter are listed below. These steps are intended to identify possible causes for the issues faced. The resolution steps will be highlighted later in the playbook.
Troubleshooting No New Socket Notification When Connecting Socket
When a new socket is connected to the internet for the first time, it will reach out to Cato and begin upgrading to the relevant firmware. This is shown as a notification on the account in which the socket has been assigned to on purchase.
A failure to receive this notification suggests that the connection has not completed successfully.
Checking Socket Connectivity
Ensure you are familiar with the Cato Socket Connection pre-requisites.
The socket's connectivity status can be seen via it's local WebUI, see Logging in to the Socket WebUI Locally. In order for the registration to succeed, the WAN port that is being used to service the connection to the Cato cloud should show a green status icon. An indicator other than green suggests a connectivity problem. The meaning of different status icon colours is described in Understanding the Link Status Icons
For a red icon ensure that there is a working physical link between the socket and the ISP device.
A warning icon will indicate other types of connectivity issues, such as IP conflict. If the WebUI reports an IP conflict issue, see IP Address Conflict Reported
In the event of a connectivity problem we can utilise the Tools tab to further test. In order to register to Cato, the socket requires L3 access to the CMA using the hostname cc2.catonetworks.com, or the hardcoded IP address. To identify the IP address, see Source IP Address for the Cato Management Application (you must be signed in to view this article). Use the ping tool to ensure that this hostname and IP address are reachable over the WAN port directly. If neither are reachable please view the resolving connectivity issues section.
Ensure that the WAN IP address is excluded from SSL/TLS inspection performed by any device in the upstream direction.
If these tests are all passing, a packet capture can also be done to ensure that the socket's request to establish a DTLS tunnel to the PoP is being responded to. When capturing on the WAN port in question, bi-directional packets on UDP/443 to the PoP should be seen.
If only outbound DTLS packets are detected please view resolving DTLS traffic one way only.
Checking Socket Registration Status
In order for a new socket with internet connectivity to produce a notification in your account, it has to be assigned to the relevant account. In order to verify the registration status of all sockets assigned to an account view the sockets inventory under Administration > Sockets Inventory.
By searching for the MAC or serial of a given socket, it can be determined whether the socket is assigned to your account correctly and what the CMA's current view of registration status is. An administrator connecting a new socket to the internet can expect the socket to move from status Delivered to Installed as described in Showing All Sockets in the Account (Sockets Inventory)
If the socket does not appear in the inventory, or the socket registration status does not move to Installed when connected to a working internet connection please view the Resolving Registration Mismatch Settings section.
Troubleshooting Failed Initial Firmware Upgrade
When a newly deployed Socket first connects to the Internet, it will continuously attempt to reach out to Cato via its WAN port using port TCP/443, and it will attempt to upgrade its firmware version.
If there are no "Socket upgraded successfully" or "Activate New Socket" Notifications in CMA, ensure a socket's connectivity to the internet is being serviced correctly by viewing the troubleshooting steps for Checking Socket Connectivity
If the connectivity of the socket is verified in the above steps, please view the resolving registration status mismatches section.
Troubleshooting No Site Found when Assigning a Socket
As mentioned in Managing Sockets, when the 'New Socket' notification is received in CMA, the next step is to assign the Socket to an already-configured site. However, if the configured site does not show listed or the window shows 'No Results', verify that the Connection Type configured in the site's general settings matches the Socket model installed on the site.
For example, if the Site is configured as connection type Socket X1600 LTE, the Socket model installed on the site must be an X1600 LTE model.
Troubleshooting Socket Goes Offline Shortly After Successful Register
Ensure your socket still has connectivity.
If after the new socket detected notification was received, and the initial firmware upgrade completes successfully the socket goes offline after a brief time, check in the CMA, Administration > License > Bandwidth, that the license shown in the Plan column is Trial or Commercial. A scheduled license will cause the Socket to disconnect after being added to the Site. See License Life Cycles for Accounts and Sites for more information on scheduled licenses.
If you see the License is scheduled, please view the Resolving Scheduled license Causing Site to Go Offline section.
If your license is correct, follow the reset process outlined in Resolving Registration Mismatch Settings.
Troubleshooting Socket Not Assignable after Unassigning From Site
Unassigning a socket from a site is the main action in making a socket assignable to a different site. This however must be done while the socket is online. If, after unassigning, the socket does not get detected as new within your notifications, follow this troubleshooting flow.
Checking Registration Status in CMA and in Socket
In order to verify the registration status of all sockets assigned to an account view the sockets inventory under Administration > Sockets Inventory.
By searching for the MAC or serial of a given socket, it can be determined whether the socket is assigned has correctly been unassigned from a site from the CMA's point of view. An administrator should expect that an unassigned socket will move to the Installed state.
The registration status of the socket according to CMA should match with the socket's own view. The socket's view can be checked by accessing the WebUI of the socket, see Logging in to the Socket WebUI Locally.
The socket's registration target is visible on the main page of the WebUI in the format ' | <sitename>.<accountname> | ' in the location shown below.
If this doesn't account for the unregistering of the socket, please follow the troubleshooting flow outlined in Checking Socket Connectivity.
If connectivity appears to be fine, please view the resolving registration status mismatches section.
Resolving Discovered Issues
Resolving Connectivity Issues
It is important to isolate if connectivity issues only affect the socket. If you plug a laptop into the same ISP connection, do you encounter the same issues with resolving DNS or pinging addresses? If so reach out to your ISP in order to progress.
If the connectivity issues are isolated to your socket, ensure that the IP configuration is correct under the Network Settings tab of the WebUI:
If these settings are correct, ensure with your provider that DTLS traffic on UDP port 443 is allowed to egress towards the internet. If necessary, this port can be changed as described in Setting a Different Port to Connect to the Cato PoP.
Resolving DTLS Traffic One Way Only
Ensure with your provider that DTLS traffic on UDP port 443 is allowed to egress towards the internet. If necessary this port can be changed as described in Setting a Different Port to Connect to the Cato PoP.
Resolving Registration Mismatch Settings
If there is a mismatch of the CMA and the Socket as to the register status, then a reset of the Socket can be performed to restart the registration process. Before carrying out a reset, first determine if the Socket has previously been registered to a site.
In the About tab, a Socket that has not previously been registered to a site will display the message "Still not registered in CC2" as shown below:
For a Socket that has not been registered to a site, reset the socket by pressing the Reset/FD button for 30-35 seconds as described in Resetting the Admin Password and Resetting a Socket.
For Sockets with a site registration, while the Socket is not connected to the Cato cloud, click 'Unassign' from the Administration tab to reset the socket.
In both instances, ensure that the Socket is also unassigned from any assigned site in CMA.
Resolving Scheduled license Causing Site to Go Offline
Please contact your Cato SE or CSM representative to have the license updated.
Reaching Out to Cato Support
If following this playbook has not resolved an issue, submit a Support ticket with the results of the above troubleshooting steps. Include connectivity test results and confirmation that a reset has been performed as per the above instructions.
0 comments
Please sign in to leave a comment.