Maintain and Monitor Resource Connectors and Connector Groups
Maintain and monitor connectors and groups to prevent, identify, and address issues.
Table of contents
- Connector software updates
- Connector platform operating system (OS) updates
- Monitor connector and connector group status
- Increase connector group capacity as needed
- Check Connector CPU Load
Resource Connector software updates
Secure Access automatically updates the resource connector with changes to Secure Access resource connector software.
Updates typically take up to 15 minutes. To avoid impacting service, only one connector in a group is updated at a time.
If there is a problem updating a connector:
- Upgrades to all other connectors in the connector group are halted.
- Secure Access will make multiple attempts to retry the update for all connectors, in case the situation is temporary.
- You will see a yellow icon in the Version column on the Connect > Network Connections > Connector Groups page:. Click the connector group name to identify the problem connector.
A yellow icon can indicate any of several problems; hover over the icon to determine what the issue is. - Connectors may show a green icon in the Version column even if they are not running the latest version, if a different connector is blocking the upgrade.
- For troubleshooting tips, see Troubleshoot Resource Connectors and Connector Groups.
Note: Operating system updates are not automatic. See the following section on this page.
Connector platform operating system (OS) updates
Platform operating system upgrades are not automatic.
When security vulnerabilities are reported to Cisco, Secure Access will publish an updated connector image. When this happens, you will see a yellow icon in the Version column on the Connect > Network Connections > Connector Groups page:. Hover over the icon for more information, as a yellow version indicator is not always related to OS vulnerabilities.
For details about operating system vulnerabilities addressed in a particular connector image, see the Secure Access connector release notes, available from https://www.cisco.com/c/en/us/support/security/secure-access/series.html.
New versions of the connector image will have the latest operating system version. Secure Access may also periodically issue connectors with the latest operating system even if there are no other changes. Replacing connectors to obtain the latest operating system version is optional, and the connector version status indicator does not flag these releases unless they also include reported vulnerability fixes.
Connectors in a group can run different operating system versions.
To deploy operating system security fixes and other updates, redeploy your connectors:
- Obtain the new connector image. See Obtain the Connector Image.
- Redeploy your connectors using the new connector image provided by Cisco.
See Add Connectors to a Connector Group. - Delete the vulnerable connectors from Secure Access.
See Disable, Revoke, or Delete Resource Connectors and Groups. - Delete the vulnerable connector instances from your data center.
Monitor connector and connector group status
- Check connector group status on the Overview page
- Check connector group status on the Connector Groups page
- Check connector status
Check connector group status on the Overview page
Check the Connectivity section on the Overview page for status and health of your connector groups. Click a status tile to see the connector groups that are experiencing the problem:
If you see | Check here | Then do this |
---|---|---|
Disconnected | Click the Disconnected tile to see which connector groups have this problem, then click a connector group to see which connectors are problematic. | See Troubleshoot Resource Connectors and Connector Groups. |
Warning | This indicates that users have failed to reach resources in at least one connector group. Click the Warning tile to see which connector groups have this problem, then click a connector group to see which connectors are problematic. | See Troubleshoot Resource Connectors and Connector Groups. |
Overloaded CPU | Click the Warning tile to see which connector groups have CPU loads over 70%. | If this situation continues, increase connector group capacity as needed by deploying additional connectors in the group. See Add Connectors to a Connector Group. |
Check connector group status on the Connector Groups page
On the connector group listing page, scroll down to the table of connector groups and check the Status column. If any of the connectors in a group have connectivity issues that affect end user connectivity to resources, you will see a warning here. You can click a connector group to see which connectors are showing warnings. For descriptions of connector statuses, see Check connector status, below.
Status | Description | Action Required |
---|---|---|
Connected | At least one connector in the group is connecting user traffic to private resources, and the connectors are not overloaded. | None |
Overloaded | The running average CPU load of all connectors in the group is above the recommended threshold (70% usage.) | Deploy additional connectors in the group. Be sure to use the current provisioning key shown for the connector. See Add Connectors to a Connector Group. |
Disabled | The connector group or all connectors in a group have been intentionally disabled by an administrator and are not forwarding traffic to resources. | If you want to re-enable connectors or connector groups, click the ellipsis menu at the end of the applicable table row. |
Unestablished | The connector group is not yet fully set up. | Add at least one connector and one private resource to the group. See Add Connectors to a Connector Group and Assign Private Resources to a Connector Group as applicable. |
Disconnected | All connectors in the group are disconnected. The connector group is not forwarding any traffic to private resources. | See Troubleshoot Resource Connectors and Connector Groups. |
Check connector status
To see a list of connectors for a particular connector group, see View a Connector Group's Connectors and Assigned Resources.
On the Connectors page for a connector group, check the Status column:
Status | Description | Action Required |
---|---|---|
Connected | The connector is connecting user traffic to private resources as expected. | None |
Disconnected | The connector is no longer connecting user traffic to private resources. | See Troubleshoot Resource Connectors and Connector Groups. If the connector remains disconnected for too long (a variable time period up to 5 weeks), it will expire. Expired connectors cannot be reactivated. |
Disabled | An administrator has disabled this connector intentionally. | If you want to re-enable this connector, click the ellipsis button [...] at the end of the table row for that connector and choose Enable . |
Updating | The connector software is being automatically updated. | No action is required. This process takes up to 15 minutes. The connector will resume service automatically after the update completes. If you have deployed more than one connector in the group, traffic should not be impacted. |
Expired | In order to ensure connector integrity, connector validation is periodically renewed. If a connector is disconnected at the time renewal must occur, it expires and can no longer be used. This is a security feature. | There is no way to reactivate an expired connector. Delete the connector instance in your virtual environment, delete the expired connector from the connector group in Secure Access, and deploy a new connector if needed. |
Increase connector group capacity as needed
In order to accommodate traffic volume, you may need to add connectors to a connector group. To check connector group capacity utilization, navigate to the Overview page and look at the Connectivity section. If you see Overloaded CPU, especially if this status continues over time, consider adding more connectors.
See Add Connectors to a Connector Group.
Check Connector CPU Load
- Navigate to Connect > Network Connections > Connector Groups.
- Locate the connector group of interest.
- Check the Average CPU load column.
If you see Incomplete data or a break in the line, this indicates that at least one connector was not fully active during the entire time period, because it was newly deployed, experiencing connectivity issues, or unable to communicate with the Secure Access cloud. - If the average load is unexpectedly high, click the connector group name and look at the CPU Load column for individual connectors to look for problems.
Disable, Revoke, or Delete Resource Connectors and Groups < Maintain and Monitor Resource Connectors and Connector Groups > Troubleshoot Resource Connectors and Connector Groups
Updated 9 months ago