
Cisco WSA 11.8 trailblazer not starting

seitzmartin
Level 1

Hi guys and ladies. 

 

Today I was playing with a virtual WSA. I have done the upgrades from version 11.5 to 11.7 and finally 11.8.

After the last reboot, it shows me the new GUI feature at the top of the window. By clicking on it, nothing happened.

In the documentation for AsyncOS 11.8 I found:

 

 

trailblazerconfig
You can use the trailblazerconfig command to route your incoming and outgoing connections through HTTP and HTTPS ports on the new web interface.
Note
By default, trailblazerconfig CLI command is enabled on your appliance. You can see the inline help by typing the command: help trailblazerconfig.
The syntax is as follows:
trailblazerconfig enable <https_port> <http_port>
trailblazerconfig disable
trailblazerconfig status
Where:
'enable' runs the trailblazer on the default ports (HTTPS: 4431 or HTTP: 801).
'disable' terminates the trailblazer
'status' checks the status of the trailblazer.
Note
If you have enabled trailblazerconfig command on the appliance, the request URL will contain the HTTP/HTTPS port number appended to the hostname.
You can try any one of the following steps to make the navigation in your browser seamless:
Accept the certificate used by the web interface and use the following URL syntax: https://hostname:<https_api_port> (for example, https://some.example.com:6443) in a new browser window and accept the certificate. Here <https_api_port> is the AsyncOS API HTTPS port configured in Network > IP Interfaces. Also, ensure that the API ports (HTTP/HTTPS) are opened on the firewall.

By default, trailblazerconfig CLI command is enabled on your appliance. Make sure that the HTTP/HTTPS ports are opened on the firewall. Also ensure that your DNS server can resolve the hostname that you specified for accessing the appliance.
If the trailblazerconfig CLI command is disabled, you can run the trailblazerconfig > enable command using the CLI to avoid the following issues:
Requiring to add multiple certificates for API ports in certain browsers.

Redirecting to the legacy web interface when you refresh the Spam quarantine, Safelist or Blocklist page.
Metrics bar on the Advanced Malware Protection report page does not contain any data.

Guess what happened: nothing.

When I do the enable command, I receive the positive feedback that it is enabled now.

When I then perform the status command after this, I get the information that trailblazer is not running.

Is there something that I have missed?

I am open to any kind of help.

Accepted Solutions

assethum
Cisco Employee

Hello,

 

Please check the below requirements for trailblazer to be enabled : 

 

 > Ensure that your DNS server can resolve the exact "hostname" of the appliance that you specified --> This is very important,
    I have seen similar symptoms to yours when this is not correct.

 > By default, the new web interface needs TCP ports 6080, 6443, and 4431 to be operational. Ensure
    that these ports are not blocked in the firewall.

 > The new web interface also needs AsyncOS API (Monitoring) ports for HTTP and HTTPS. By
    default these ports are 6080 and 6443. (Ensure that this is enabled under the "interfaceconfig" settings in the CLI.)

 

Once this is done, disable and re-enable trailblazer again from the CLI. 

 

Thanks

Ash

 

  

6 Replies

Hi Ash, thanks for your reply.

I have the WSA and now also the SMA installed in a separated lab environment without a local DNS service running.

I just use Google DNS servers for public DNS services.

Does that mean that I can't use this trailblazer feature until I have a local DNS server instead of the public one?

The other two points about ports and firewall are already given.

Hello,

Yeah. As long as the DNS servers cannot resolve the host name of the WSA, this will not work. I have seen exactly your same symptom when the DNS cannot resolve the WSA host name, which is that the "trailblazer" gets disabled even though you have enabled it.

Regards

Ash

Again, thanks for responding,

I will test it during the day.

Ash, again, thanks.
After I configured DNS settings for WSA and SMA in my lab environment, I was able to log on to the NGUI easily.

So yes, it is important to meet the requirement for the DNS server. The appliance must be able to resolve its own name by itself.

Prab
Level 1

AsyncOS Version: 12.0.1-334

 

I would like to add that I faced this issue at one of our end customers' sites, and I checked that the DNS was fine (WSA hostnames were resolved), the firewall was not blocking any ports, etc.

The way we got it fixed was to execute the trailblazer command with the port number. Just executing the trailblazer enable command did not help and the service was not starting; we tried the following command, and the service got started and the NGUI worked.

 

> trailblazer enable 4431

 

Cheers,

Prab :)

 
