Troubleshooting
The ACSC agent software is composed of two separate services running on each host:
- The ACSC agent, which communicates with the ACSC management UI (the “control plane”).
- The ACSC client, which sends and receives traffic to and from the ACSC network (the “data plane”).
Windows
The agent manages the client as directed from the ACSC management UI. On Windows, it runs as a system service called acsc-agent-service
.
The client manages the acsc0
virtual network interface. On Windows, it runs as a system service called secure-connect-service
.
Version Check
To check the version of the ACSC software installed, run the following PowerShell command:
PS> Get-WmiObject -Class Win32_Product -Filter "name like '%Secure Connect%'"
IdentifyingNumber : {2CDA8ED9-6914-4235-B481-1FE43ADDB479}
Name : Anti-Cloud Secure Connect x64
Vendor : The Anti-Cloud Corporation
Version : 1.4.8.1
Caption : Anti-Cloud Secure Connect x64
Agent Status
To check the status of the agent on the host, run the following command in a command prompt:
> sc query acsc-agent-service
SERVICE_NAME: acsc-agent-service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
If the agent is running, this command output should contain STATE : 4 RUNNING
. Otherwise, try starting the agent with this command as Administrator:
> sc start acsc-agent-service
SERVICE_NAME: acsc-agent-service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 1234
FLAGS
Run the stop
command and then the start
command to restart an already running agent.
Client Status
To check the status of the client on the host, run the following command in a command prompt:
> sc query secure-connect-service
SERVICE_NAME: secure-connect-service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
If the client is running, this command output should contain STATE : 4 RUNNING
. Otherwise, try starting the host’s acsc0
interface through the ACSC management UI.
Agent Logs
To check the log files of the agent on the host, open up the following file with Notepad:
> notepad "C:\Program Files\Anti-Cloud\Secure Connect\agent\log\stdout.log"
Also check the following log files (which normally contain only a few messages like “starting logging at level X
” and “service config is Y
”):
> notepad "C:\Program Files\Anti-Cloud\Secure Connect\agent\log\init.log"
> notepad "C:\Program Files\Anti-Cloud\Secure Connect\agent\acsc-agent-service.log"
Client Logs
To check the log files of the client on the host, open up the following file with Notepad:
> notepad "C:\ProgramData\Anti-Cloud\Secure Connect\secure-connect.log"
Agent Log Messages
If the agent is working properly, whenever it starts up it will add a log message like the following to the end of its stdout.log
file:
2020-01-01 13:12:14,567 procustodibus_agent.agent ERROR: Starting agent 1.0.0
!!! no wireguard interfaces found !!!
... 192.0.2.3 is acsc ip address ...
... healthy acsc api ...
... can access host record on api for My Test Host ...
All systems go :)
Missing conf
If the output at the bottom of the log file is Missing conf for Agent ID and Host ID
, then the agent configuration file is either missing (or missing required settings). Try re-downloading the configuration file as directed by the Host Set Up instructions.
If the agent configuration file is present at C:\Program Files\Anti-Cloud\Secure Connect\agent\cnf\acsc.conf
, and you examine it, it should look similar to the following:
# acsc.conf generated 1/1/2020, 12:34:56 PM PDT
[Acsc]
# Alice's Laptop Agent
Agent = ABC123def45
# Alice's Laptop
Host = DEF456ghi78
Missing code
If the output at the bottom of the log file is Missing code in setup file
, then the agent setup file is missing required settings. Try re-downloading the setup file as directed by the Host Set Up instructions.
If you examine the agent setup file, it should look similar to the following:
# acsc-setup.conf generated 1/1/2020, 12:34:56 PM PDT
[Acsc.Setup]
# Alice's Laptop Agent
Agent = ABC123def45
Code = GHI789JKL01
Expires = 2020-01-03T20:34:56Z
Setup code has expired
If the output at the bottom of the log file is Setup code has expired
, then the code in the agent setup file has expired. Download a new setup file as directed by the Host Set Up instructions.
Could not read credentials
If the output at the bottom of the log file is Could not read credentials file
, then the agent credentials file is missing; download a new setup file as directed by the Host Set Up instructions (a new setup file will allow the agent to generate a new credentials file).
Missing private key
If the output at the bottom of the log file is Missing private key in credentials file
, then the agent credentials file is missing required settings; try downloading a new setup file as directed by the Host Set Up instructions (a new setup file will allow the agent to generate a new credentials file).
If you examine the agent credentials file, it should look similar to the following:
# acsc-credentials.conf generated 2020-01-01T20:34:56Z
# for agent ABC123def45 on a123.corp.example.com
[Acsc.Credentials]
PublicKey = O2onvM62pC1io6jQKm8Nc2UyFXcd4kOmOsBIoYtZ2ik=
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
No wireguard interfaces
If the output at the bottom of the log file is no wireguard interfaces found
, then the client has not been configured yet. This is fine – the agent should configure the client automatically once the agent starts up (and once the host’s ACSC interface has been configured to start).
Cannot lookup ip address
If the output at the bottom of the log file is cannot lookup ip address
, then the host may not be able to resolve the ACSC servers’ DNS entries. Make sure that:
- The host’s DNS resolver is working
- The host’s DNS resolver can resolve public DNS entries
Try running the nslookup
command in a terminal on the host, using the hostname of the ACSC management UI (like vpn123.acsc.myanty.cloud
):
> nslookup vpn123.acsc.myanti.cloud
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: vpn123.acsc.myanti.cloud
Address: 162.210.184.123
If the nslookup
command doesn’t output an answer, likely either a) or b) above is not true.
Server unavailable
If the output at the bottom of the log file is server unavailable
, check whether or not the output also includes cannot lookup ip address
. If it does, see the Cannot lookup ip address issue above.
If the output does not include cannot lookup ip address
, the output will include the IP address of your active ACSC API endpoint in a phrase like 192.0.2.3 is acsc ip address
(the IP address will be something other than 192.0.2.3
, however). Try running the following command in a terminal on the host (replacing 192.0.2.3
with the actual IP address from the output):
> ping -n 1 192.0.2.3
Pinging google.com [192.0.2.3] with 32 bytes of data:
Reply from 192.0.2.3: bytes=32 time=27ms TTL=112
Ping statistics for 192.0.2.3:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 27ms, Maximum = 27ms, Average = 27ms
If the ping
command hangs or the output of the ping
command ends with 100% loss
, network access from the host to the ACSC servers may be blocked. You may need to update your firewall or other networking settings to allow the host to access the ACSC servers.
If the output of the ping
command includes 0% loss
, your connection to the ACSC servers is good. The ACSC servers may be down; email support@myanti.cloud to check.
Unhealthy acsc api
If the output at the bottom of the log file is unhealthy acsc api
, then there is a problem with the ACSC servers; email support@myanti.cloud for details.
Cannot access host record
If the output at the bottom of the log file is cannot access host record
, then the agent does not have permission to access the host’s record on ACSC. Either:
- The host record on ACSC has been deleted
- The agent record on ACSC has been deleted
- The agent’s credentials for ACSC have been revoked
- The agent’s access to the host on ACSC has been revoked
Otherwise, try re-downloading the acsc.conf
and acsc-setup.conf
files as directed by the Host Set Up instructions, and then restart the agent as directed by the Agent Status instructions.
Unauthorized for url
If the output at the bottom of the log file is the following, then the agent does not have permission to set up its credentials:
401 Client Error: Unauthorized for url: https://vpn123.acsc.myanti.cloud/users/ABC123def45/credentials/signature
Try re-downloading the acsc.conf
and acsc-setup.conf
files as directed by the Host Set Up instructions, and then restart the agent as directed by the Agent Status instructions.
Linux with Systemd
Status
To check the agent status on a Linux distro that uses systemd, run the following command in a terminal on the host:
$ systemctl status acsc-agent
● acsc-agent.service - Anti-Cloud Secure Connect Agent
Loaded: loaded (/etc/systemd/system/acsc-agent.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-07-09 12:45:36 PDT; 17s ago
Main PID: 2770504 (acsc-agent)
Tasks: 1 (limit: 38335)
Memory: 15.0M
CGroup: /system.slice/acsc-agent.service
└─2770504 /opt/venvs/acsc-agent/bin/python3 /opt/venvs/acsc-agent/bin/acsc-agent --loop=30
Jul 09 12:45:36 localhost systemd[1]: Started Anti-Cloud Secure Connect Agent.
If the agent is running, this command output should include active (running)
. Otherwise, try starting the agent with this command:
$ sudo systemctl start acsc-agent
Substitute restart
for start
to restart an already running agent.
Logs
To check the agent logs on a Linux distro that uses systemd, run the following command in a terminal on the host:
$ journalctl -u acsc-agent
Linux with OpenRC
Status
To check the agent status on a Linux distro that uses OpenRC, run the following command in a terminal on the host:
$ rc-service acsc-agent status
acsc-agent started
If the agent is running, this command output should end with started
. Otherwise, try starting the agent with this command:
$ doas rc-service acsc-agent start
Substitute restart
for start
to restart an already running agent.
Logs
To check the agent logs on a Linux distro that uses OpenRC, run the following command in a terminal on the host:
$ less /var/log/acsc-agent.log
FreeBSD
Status
To check the agent status on FreeBSD, the following command in a terminal on the host as root:
# service acsc-agent status
acsc_agent is running as pid 1234.
If the agent is running, this command output should contain is running
. Otherwise, try starting the agent with this command as root:
# service acsc-agent start
Starting acsc_agent.
Substitute restart
for start
to restart an already running agent.
Logs
The agent logs to the system messages log on FreeBSD. To agent messages, run the following command in a terminal on the host, then search for acsc-agent
:
# less /var/log/messages
/acsc-agent
macOS
Status
To check the agent status on macOS, run the following command in a terminal on the host:
% launchctl print system/acsc-agent
system/acsc-agent = {
active count = 1
path = /Library/LaunchDaemons/acsc-agent.plist
type = LaunchDaemon
state = running
...
If the agent is running, this command output should contain state = running
. Otherwise, try starting the agent with this command as root:
% sudo launchctl kickstart system/acsc-agent
Logs
To check the agent logs on macOS, run the following command in a terminal on the host:
% less /var/log/acsc-agent.log
Also check the error log if present:
% less /var/log/acsc-agent.err