You can use the appdcli run secureapp task to help you troubleshoot problems with your deployment.


To check general functionality and to run diagnostics on Cisco Secure Application, run appdcli run secureapp health:

appdcli run secureapp health
BASH

Sample output:

$ appdcli run secureapp health
endpoints/appd-postgres-primary condition met
endpoints/appd-mysql condition met
endpoints/controller-service condition met
endpoints/auth-service condition met
SecureApp dependencies are Ready
checking if secureapp is installed
Secureapp charts have been installed by Helm
endpoints/onprem-user-service-auth condition met
endpoints/agent-proxy condition met
endpoints/abs-headless condition met
endpoints/ui condition met
endpoints/onprem-proxy-server condition met
endpoints/api-proxy condition met
endpoints/api-service condition met
endpoints/alert-proxy condition met
SecureApp services are Ready
Signing into controller as admin for customer1
Authenticated admin for account customer1
Check if argent.enabled property is set on the account
Account properties are configured for Secure App
endpoints/onprem-proxy-server condition met
endpoints/onprem-proxy-server condition met
Tenant configured:
customer1
Account data has been configured in SecureApp
Auth service config has account dns name mappings configured
Account data has been configured in SecureApp
<ip-address>  <SNI-host>
Authentication DNS entries for customer1 configured
Check if CONFIG_ARGENTO permission is set for the user
Check if VIEW_ARGENTO permission is set for the user
Permissions are set up for Secure App
SecureApp API is responding
Checking Auth for Agents in Account customer1 at IP <ip-address> with SNI host <SNI-host>
Agent Authentication succeeded
Feed Entries: 10376
Secureapp checks have passed
BASH

To confirm that a properly configured agent can authenticate to the Cisco Secure Application in the virtual appliance, run appdcli run secureapp checkAgentAuth:


appdcli run secureapp checkAgentAuth
BASH

Sample output:

Checking Auth for Agents in Account <account-name> at IP <ip-address> with SNI host <SNI-host>
Agent Authentication succeeded
BASH

To confirm that a properly configured agent can fully report to Cisco Secure Application through the external ingress point for the virtual appliance, run

appdcli run secureapp startTestAgent:
appdcli run secureapp startTestAgent
BASH

Sample output:

$ appdcli run secureapp startTestAgent
Building dependency release=test-agent, chart=test-agent
Upgrading release=test-agent, chart=test-agent
Release "test-agent" has been upgraded. Happy Helming!
NAME: test-agent
LAST DEPLOYED: Fri Feb 14 18:40:13 2025
NAMESPACE: cisco-secureapp
STATUS: deployed
REVISION: 2
TEST SUITE: None

Listing releases matching ^test-agent$
test-agent      cisco-secureapp 2               2025-02-14 18:40:13.174379865 +0000 UTC deployed        test-agent-0.1.0        0.1.0


UPDATED RELEASES:
NAME         NAMESPACE         CHART          VERSION   DURATION
test-agent   cisco-secureapp   ./test-agent   0.1.0          14s
BASH

To confirm stop a test agent, run appdcli run secureapp stopTestAgent:


appdcli run secureapp stopTestAgent
BASH

Sample output:

$ appdcli run secureapp stopTestAgent
Listing releases matching ^test-agent$
test-agent      cisco-secureapp 2               2025-02-14 18:40:13.174379865 +0000 UTC deployed        test-agent-0.1.0        0.1.0

Deleting test-agent
release "test-agent" uninstalled


DELETED RELEASES:
NAME         NAMESPACE         DURATION
test-agent   cisco-secureapp         0s
BASH

To look at version information, run appdcli run secureapp versions:

appdcli run secureapp versions
BASH

Sample output:

$ appdcli run secureapp versions
k8s Client Version: v1.30.9 Server Version: v1.30.9
controller mysql: 8.4.3
auth-service mysql: 8.4.3
kafka: 3.8.0
controller: 25.1.0-10032-124
postgres: 15
redis: 5.2.7
taskfile: Task version: v3.39.2 (<hash>)
BASH

For other troubleshooting steps, see Troubleshoot Virtual Appliance Issues