Troubleshooting Checklist

Basic details on the key parts of the SDM environment and what information should be looked at for each as a basic check when things are not working as planned. 

Gateways

  1. Required: access outbound to app.strongdm.com:443.

  2. Required, if configured: access to a configured syslog server

  3. Port 5000 (Or as configured) - this isn't required for them to be alive, just required for client access to them. ie, they will show without error if this requirement isn't satisfied.

  4. Same as relays, but also listen on a public interface

  5. Most are configured with a public IP address, but this is not necessary. Just as long as clients can reach one or more gateways, private IP for the listening address is ok.

  6. Gateways don't connect outbound to clients.

  7. Gateways connect outbound to resources, either directly if there is a route from the gateway to the resource OR indirectly connects to resources through relays if there is no direct route from the Gateway to the resource.

Relays

  1. Required: access outbound to app.strongdm.com:443

  2. Required: every relay must be able to connect outbound to at least one gateway.

  3. NOT required: access inbound to a relay from any other network element: not client, nor other relay, nor gateway.

  4. Required: Relays must be able to reach outbound to the desired resources that they are intended to connect to. This could be one or more resources.

  5. A particular relay does not have to be able to reach every resource.

Client

  1. 127.0.0.1 localhost must be on allowlist

  2. HTTP Listener: Port 65230 (This is not required if there are no HTTP/ web resources)

  3. Client (outbound) MUST be able to hit app.strongdm.com on port 443.

  4. Client (outbound) MUST be able to hit at least 1 Gateway on port 5000 (or other port, if configured with a non-default port)

  5. Can client get to the gateway?

    1. by customer: sdm doctor -v

  6. CLI Listener: Port 65220- Is there some network interception (zscaler, Netskope, etc) or workstation endpoint protection (Sophos) causing SDM to fail?

  7. GUI can show the following when there are no active gateways: reconnecting...

  8. Missing resources > check granted role

Gateways & Clients

  1. A client outbound must be able to reach at least one gateway on its default port.

Gateways & Resources

  1. A gateway may have to reach a resource through a relay if there is no direct path from the gateway to the resource.

  2. All resources need to be accessible directly by either a relay or a gateway.

  3. All resources don't need to be accessible by every relay/ gateway

Powered by Zendesk