CCG in new VA not present

I register my VA and it gets paired with wit my cluster.

Once I start it it connect to ISC and I can see Status being in green connected but VA CCG Version is “Not Available”

image1989×256 26.3 KB

then after waiting a long time (over an hour) I still can’t see CCG image being downloaded by my VA.

image1398×421 49.4 KB

These images look pretty old so I’m guessing they did not get updated too.

Started looking at charon.log and I found some errors but I’m not sure these are relevant

I see a lot of

:"ERROR","type":"charon","message":"Error main loop: NoMethodError: undefined method `include?' for nil: [\"/opt/sailpoint/lib/configuration.rb:499:in `write_fluent_conf'\", \"/opt/sai
lpoint/run.rb:142:in `block in <main>'\", \"<internal:kernel>:187:in `loop'\", \"/opt/sailpoint/run.rb:110:in `<main>'\"]"}

at the begenning I saw

{"@timestamp":"2025-10-07T19:52:49.813","level":"ERROR","type":"gateway","message":"Error refreshing va gateway certificate: Socket::ResolutionError Failed to open TCP connection to devrel-ga-8830.api.cloud.sailpoint.com:443 (getad
drinfo: Name does not resolve) [\"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `initialize'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `open'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `block in connect'\", \"/usr/
local/lib/ruby/3.3.0/timeout.rb:186:in `block in timeout'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:193:in `timeout'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1601:in `connect'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1580:in `d
o_start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1569:in `start'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:727:in `transmit'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:1
63:in `execute'\", \"/usr/local/bundle/gems/rest-client-2.1.0/lib/restclient/request.rb:63:in `execute'\", \"/opt/sailpoint/lib/v2/api.rb:145:in `execute_request'\", \"/opt/sailpoint/lib/v2/api.rb:77:in `refresh_token'\", \"/opt/sa
ilpoint/lib/v2/api.rb:23:in `styx_call'\", \"/opt/sailpoint/lib/v2/gateway.rb:143:in `post_csr'\", \"/opt/sailpoint/lib/v2/gateway.rb:34:in `refresh_certificate'\", \"/opt/sailpoint/lib/v2/s3.rb:80:in `va_cli_env'\", \"/opt/sailpoi
nt/lib/configuration.rb:327:in `check_proxy'\", \"/opt/sailpoint/run.rb:119:in `block in <main>'\", \"<internal:kernel>:187:in `loop'\", \"/opt/sailpoint/run.rb:110:in `<main>'\"]"}
{"@timestamp":"2025-10-07T19:52:53.383","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach devrel-ga-8830.cloud.sailpoint.com: Socket::ResolutionError Failed to open TCP connection to devre
l-ga-8830.cloud.sailpoint.com:443 (getaddrinfo: Name does not resolve)\n[\"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `initialize'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `open'\", \"/usr/local/lib/ruby/3.3.0/net/http
.rb:1603:in `block in connect'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:186:in `block in timeout'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:193:in `timeout'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1601:in `connect'\", \"/usr/lo
cal/lib/ruby/3.3.0/net/http.rb:1580:in `do_start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1569:in `start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:2297:in `request'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1917:in `get'\", \
"/opt/sailpoint/lib/configuration.rb:662:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:652:in `each'\", \"/opt/sailpoint/lib/configuration.rb:652:in `check_networking'\", \"/opt/sailpoint/run.rb:120:in `bl
ock in <main>'\", \"<internal:kernel>:187:in `loop'\", \"/opt/sailpoint/run.rb:110:in `<main>'\"]"}
{"@timestamp":"2025-10-07T19:52:55.903","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach edge-se01-useast1-external.identitysoon.com: Socket::ResolutionError Failed to open TCP connection
 to edge-se01-useast1-external.identitysoon.com:443 (getaddrinfo: Name has no usable address)\n[\"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `initialize'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `open'\", \"/usr/local/
lib/ruby/3.3.0/net/http.rb:1603:in `block in connect'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:186:in `block in timeout'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:193:in `timeout'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1601:in
 `connect'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1580:in `do_start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1569:in `start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:2297:in `request'\", \"/usr/local/lib/ruby/3.3.0/net/htt
p.rb:1917:in `get'\", \"/opt/sailpoint/lib/configuration.rb:662:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:652:in `each'\", \"/opt/sailpoint/lib/configuration.rb:652:in `check_networking'\", \"/opt/sail
point/run.rb:120:in `block in <main>'\", \"<internal:kernel>:187:in `loop'\", \"/opt/sailpoint/run.rb:110:in `<main>'\"]"}
{"@timestamp":"2025-10-07T19:52:58.426","level":"ERROR","type":"configuration","message":"Networking check results - Could not reach devrel-ga-8830.api.cloud.sailpoint.com: Socket::ResolutionError Failed to open TCP connection to d
evrel-ga-8830.api.cloud.sailpoint.com:443 (getaddrinfo: Name does not resolve)\n[\"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `initialize'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1603:in `open'\", \"/usr/local/lib/ruby/3.3.0/
net/http.rb:1603:in `block in connect'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:186:in `block in timeout'\", \"/usr/local/lib/ruby/3.3.0/timeout.rb:193:in `timeout'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1601:in `connect'\", \
"/usr/local/lib/ruby/3.3.0/net/http.rb:1580:in `do_start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1569:in `start'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:2297:in `request'\", \"/usr/local/lib/ruby/3.3.0/net/http.rb:1917:in `g
et'\", \"/opt/sailpoint/lib/configuration.rb:662:in `block in check_networking'\", \"/opt/sailpoint/lib/configuration.rb:652:in `each'\", \"/opt/sailpoint/lib/configuration.rb:652:in `check_networking'\", \"/opt/sailpoint/run.rb:12
0:in `block in <main>'\", \"<internal:kernel>:187:in `loop'\", \"/opt/sailpoint/run.rb:110:in `<main>'\"]"}

and nothing else is happening I’m stuck.

I tried from scratch a few times already and I always reach this state.

Could it be network issue?

How do I diagnose?

Hi @aleksander_jachowicz I have experienced this behaviour. I just let the VA running for some hours and come later to see it working. It appear that it takes some (much) time to upgrade where is first installed until get operational.

You can try sudo update_engine_client -check_for_update to force ccg update and wait a few minutes.

my understanding is that CCG is not loaded on to a new virtual appliance until the first Source is configured to use that virtual appliance.

Occasionally i have made WebService sources that just “test connection” to google.com as a means of loading CCG.

what i have seen is that once you configure the VA it takes atleast 4-5 hours to properly configure. Once done the CCG version automatically pops up in the UI. No other configuration is needed.

Thanks to everybody for contributing. I’m still waiting, I connected one source. Nothing new so far. Will keep working on this.

Have you seen this guide?
https://community.sailpoint.com/t5/IdentityNow-Connectors/Virtual-Appliance-Troubleshooting-Guide/ta-p/78735#toc-hId-1367398584

Absolutely but thanks.

I’m trying everything from it step by step.

Maybe it is a connection / dns-issue? Judging from this:

devrel-ga-8830.api.cloud.sailpoint.com: Socket::ResolutionError Failed to open TCP connection to d
evrel-ga-8830.api.cloud.sailpoint.com:443 (getaddrinfo: Name does not resolve)

Seeing it is a devrel tenant, have you used the proper VA image?

Interesting observation

I used the one I downloded using link in the GUI.

Should I use a “special” dedicated one?

I’m an old school IdentityNow guy, so I keep forgetting they updated the VA setup way. I believe there is only one va image nowadays.

I have done some troubleshooting in the past where I had to ‘re-sync’ the va by running the va-boostrap command (which I don’t remember by heart what the options were). Perhaps this is now needed as well?

@aleksander_jachowicz There are 2025 APIs for this don’ forget

image1238×699 199 KB

Thanks for input again. VA are still not working as expected. Still working on it.

Are you doing any deep packet inspection? Reminder that deep packet inspection is not supported.

I have a customer that is running into an issue. The stunt log shows an authentication issue going to the va authorization url. It connects to it but then fails on security and the session is dropped by the peer.

Try running “./stunt.sh -L” on the VA. It will output the stunt script that will show you details on healthy / unhealthy outputs. It could be something like inability to access the fiji service to download the CCG image.

I have this issue in my partner tenant, always fail to access the fiji service. Did you manage to solve?

Looks like this could lead somewhere.

I get Failure for Connection test for https://devrel-ga-8830.identitynow.com

and obviously the url in my case should be https://devrel-ga-8830.identitynow-demo.com

Where is that configuration?

And how come VA status is connected in my OSC instance?

Must be a few places where it’s configurable.

More from stunt log file:

Script encountered an error with the following command: curl -Ssv -i --connect-timeout $seconds_between_tests "https://$ORGNAME.$ISC_DOMAIN" >> "$LOGFILE" 2>&1.

this is hardcoded in the stunt script ISC_DOMAIN=“identitynow.com”

and sailpoint user doesn’t have the right to change it.

So maybe I do need a special Ambasador version of VA after all?

I downloaded a VA from https://sppcbu-va-images.s3.amazonaws.com/va-latest.zip
Configured that in new Cluster but looking at stunt script it still have the domain set to identitynow instead of identitynow-demo. Maybe it’s just this script but this is still a bug

Hi @ts_fpatterson , no packet inspection. This is a vanilla installation.

Facing the same issue. CCG service is not available on the VA for demo tenant. The same image downloaded from the UI few months back worked fine.

@colin_mckibben @LukeHagar @tyler_mairose Appreciate your help here

hi all, had the same issue while connecting to a demo tenant few weeks before (windows environment).

I was surprised to see the VA running ccg service with same image downloaded from the link in documentation (Local VA Deployment with vSphere), file name being va-latest.zip - in a linux environment.

I couldn’t make the VA running with the CCG service in Windows yet.

Hope this helps.