Steps to troubleshoot a Sapphire Eye that does not appear in the network topology
- First, verify and validate all ports and addresses listed on the Sapphire Eye Ports and Protocols page (7signal.com).
- Ping the sensor to make sure it has an IP address.
- Out of the box, the sensor uses DHCP and should get an IP address from your DHCP server. If the sensor does not get an IP address, the issue could be related to VLAN and DHCP configuration, cabling, ACL/firewall rules, or MAC address filtering on DHCP.
- Verify that the sensor is listed under Registered Eyes. In Configurator, go to Manage > Security > Registered Eyes and check that the Ethernet MAC-address of the sensor is listed correctly in the menu.
If the sensor's MAC-address is found in the cloud, then proceed to the next steps to check for connectivity on ports 7799 and 7800. Otherwise, please contact 7SIGNAL Support.
- Next, verify that you are allowing outbound traffic on ports 7799, 7800 and 53, to the 7SIGNAL cloud (Northern America: IP address range 64.65.61.0/24).
- If you are not sure whether the traffic is allowed through your firewall, you can run the following command to check if connectivity to 7SIGNAL's cloud can be established.
- Connect to the sensor via SSH (ask 7SIGNAL Support for credentials).
- Type the command: 7config conn check redirector
- If the cloud server is not reachable, check your firewall configuration.
- If the output matches what is shown below, then your organization is likely redirecting or blocking external DNS.
Checking Eye Eye-B8-99-19-63-02-9D.eye.7signal.com in redirector 64.65.61.4
Error: DNS server was reachable but the Eye was not found in it.
- Next, run the following command to check connectivity on ports 7799 and 7800:
- 7config conn check carat
- As long as the output includes the following two lines, you can ignore the certificate errors at the beginning of the output.
Success: TLS connection established to Carat 64.65.61.252:7799
Success: TLS connection established to Carat 64.65.61.252:7800
- If the command shows failure for one of the TLS connectivity checks, please check your firewall settings.
- Below is the full output of a successful command:
root@77:~# 7config conn check carat
Checking connectivity to Carat server, address 64.65.61.252 and ports 7799 7800
Success: Carat server reachable by using 64.65.61.252:7799
Checking TLS connection to Carat 64.65.61.252:7799
Can't use SSL_get_servername
depth=0 C = US, ST = Ohio, L = Independence, O = 7signal Solutions Inc, OU = WQA, CN = carat.eye.sapphire.syte.cloud.7signal.com, emailAddress = support@7signal.com
verify error:num=20:unable to get local issuer certificate
depth=0 C = US, ST = Ohio, L = Independence, O = 7signal Solutions Inc, OU = WQA, CN = carat.eye.sapphire.syte.cloud.7signal.com, emailAddress = support@7signal.com
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_CHACHA20_POLY1305_SHA256
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Peer certificate: C = US, ST = Ohio, L = Independence, O = 7signal Solutions Inc, OU = WQA, CN = carat.eye.sapphire.syte.cloud.7signal.com, emailAddress = support@7signal.com
Hash used: SHA256
Signature type: RSA-PSS
Verification error: unable to verify the first certificate
Server Temp Key: X25519, 253 bits
DONE
Success: TLS connection established to Carat 64.65.61.252:7799
Success: Carat server reachable by using 64.65.61.252:7800
Checking TLS connection to Carat 64.65.61.252:7800
Can't use SSL_get_servername
depth=0 C = FI, ST = Uusimaa, L = Helsinki, O = 7signal Oy, OU = WQA, CN = carat.eye.sapphire.default.7signal.com, emailAddress = cert-auth@7signal.com
verify error:num=20:unable to get local issuer certificate
depth=0 C = FI, ST = Uusimaa, L = Helsinki, O = 7signal Oy, OU = WQA, CN = carat.eye.sapphire.default.7signal.com, emailAddress = cert-auth@7signal.com
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_CHACHA20_POLY1305_SHA256
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA1:RSA+SHA1
Peer certificate: C = FI, ST = Uusimaa, L = Helsinki, O = 7signal Oy, OU = WQA, CN = carat.eye.sapphire.default.7signal.com, emailAddress = cert-auth@7signal.com
Hash used: SHA256
Signature type: RSA-PSS
Verification error: unable to verify the first certificate
Server Temp Key: X25519, 253 bits
DONE
Success: TLS connection established to Carat 64.65.61.252:7800
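The pass/fail rule described above, as an added example (not 7SIGNAL's own tooling): a POSIX shell helper that reads saved `7config conn check carat` output on stdin and reports, per port, whether the final Success line is present and which peer certificate CN was shown for that port. The function names and the trimmed sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example (not 7SIGNAL code): summarise saved `7config conn check carat` output.
REQUIRED_PORTS="7799 7800"   # ports the article says must be reachable

# Reads the command output on stdin, prints one verdict per port, and returns 0
# only if every required port has its "Success: TLS connection established" line.
carat_summary() {
    out=$(cat)
    rc=0
    for port in $REQUIRED_PORTS; do
        if printf '%s\n' "$out" |
            grep -Eq "^Success: TLS connection established to Carat [0-9.]+:${port}\$"; then
            # CN of the peer certificate shown in this port's section of the output
            cn=$(printf '%s\n' "$out" | awk -v p="$port" '
                /^Checking TLS connection to Carat / { cur = ($0 ~ (":" p "$")) }
                cur && /^Peer certificate:/ && match($0, /CN = [^,]+/) {
                    print substr($0, RSTART + 5, RLENGTH - 5); exit
                }')
            echo "port $port: OK (peer CN: ${cn:-unknown})"
        else
            echo "port $port: FAILED, check the firewall for outbound port $port"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the article's successful output, trimmed to the lines used here.
sample_ok() {
    cat <<'EOF'
Checking TLS connection to Carat 64.65.61.252:7799
verify error:num=20:unable to get local issuer certificate
Peer certificate: C = US, ST = Ohio, O = 7signal Solutions Inc, CN = carat.eye.sapphire.syte.cloud.7signal.com, emailAddress = support@7signal.com
Success: TLS connection established to Carat 64.65.61.252:7799
Checking TLS connection to Carat 64.65.61.252:7800
Peer certificate: C = FI, ST = Uusimaa, O = 7signal Oy, CN = carat.eye.sapphire.default.7signal.com, emailAddress = cert-auth@7signal.com
Success: TLS connection established to Carat 64.65.61.252:7800
EOF
}

sample_ok | carat_summary
```

To use it on a real sensor, save the SSH session output to a file and pipe that file into `carat_summary`. Because the check tolerates the certificate verification errors, the printed CN is the quickest way to see which certificate the sensor was presented on each port.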
If you need assistance, please contact 7SIGNAL Support.