Troubleshooting Cluster Deployment in Azure

  • Issue: No traffic flow

    Troubleshooting:

    • Check if the health probe status of the Threat Defense Virtual instances deployed with a GWLB is healthy.

    • If the Threat Defense Virtual instance's health probe status is unhealthy:

      • Check if the static route is configured in the Management Center Virtual.

      • Check if the default gateway is the data subnet's gateway IP.

      • Check if the Threat Defense Virtual instance is receiving health probe traffic.

      • Check if the access list configured in the Management Center Virtual allows health probe traffic.

  • Issue: Cluster is not formed

    Troubleshooting:

    • Check the IP address of the nve-only cluster interface. Ensure that you can ping the nve-only cluster interface of other nodes.

    • Check that the IP addresses of the nve-only cluster interfaces are part of the object group.

    • Ensure that the NVE interface is configured with the object group.

    • Ensure that the cluster interface in the cluster group has the right VNI interface. This VNI interface has the NVE with the corresponding object group.

    • Ensure that the nodes are pingable from each other. Since each node has its own cluster interface IP, these should be pingable from each other.

    • Check if the CCL Subnet's Start and End Addresses mentioned during template deployment are correct. The start address should begin with the first available IP address in the subnet. For example, if the subnet is 192.168.1.0/24, the start address should be 192.168.1.4 (the three IP addresses at the start are reserved by Azure).

    • Check if the Management Center Virtual has a valid license.
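The CCL start and end address check described above can be done before redeploying the template. The following is an added example, not part of the original page or of Cisco's templates: the function name and sample addresses are constructed, the offset of 4 is taken from the page's 192.168.1.0/24 example, and the checks on the end address (inside the subnet, not the broadcast address that Azure also reserves) go beyond what the page states.

```python
import ipaddress

# Assumption from the page's example (192.168.1.0/24 -> start 192.168.1.4):
# the first available address is 4 above the subnet's network address.
FIRST_AVAILABLE_OFFSET = 4


def check_ccl_range(subnet, start, end):
    """Return a list of problems with a CCL start/end pair (empty list = OK)."""
    try:
        net = ipaddress.IPv4Network(subnet)  # strict: rejects host bits set
        s = ipaddress.IPv4Address(start)
        e = ipaddress.IPv4Address(end)
    except ValueError as exc:
        return [f"invalid input: {exc}"]

    first_ok = net.network_address + FIRST_AVAILABLE_OFFSET
    last_ok = net.broadcast_address - 1  # broadcast address is reserved too
    if first_ok > last_ok:
        return [f"{net} is too small to hold any available address"]

    problems = []
    for label, addr in (("start", s), ("end", e)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        elif addr < first_ok or addr > last_ok:
            problems.append(f"{label} {addr} is a reserved address in {net}")
    if s != first_ok:
        problems.append(f"start should be {first_ok}, the first available address")
    if e < s:
        problems.append(f"end {e} is before start {s}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = [
        ("192.168.1.0/24", "192.168.1.4", "192.168.1.30"),   # correct
        ("192.168.1.0/24", "192.168.1.1", "192.168.1.30"),   # start is reserved
        ("192.168.1.0/24", "192.168.1.4", "192.168.1.255"),  # end is broadcast
        ("192.168.1.0/24", "192.168.2.4", "192.168.2.30"),   # wrong subnet
    ]
    for subnet, start, end in samples:
        result = check_ccl_range(subnet, start, end)
        print(subnet, start, end, "->", result or "OK")
```
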

  • Issue: Role-related error while deploying resources again in the same resource group.

    Troubleshooting: Remove the roles given below by using the following commands on the terminal.

    Error message:

    "error": {
      "code": "RoleAssignmentUpdateNotPermitted",
      "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."}

    • az role assignment delete --resource-group <Resource Group Name> --role "Storage Queue Data Contributor"

    • az role assignment delete --resource-group <Resource Group Name> --role "Contributor"