Troubleshoot Secure Access Connect

This page shows you how to resolve issues with Secure Access Connect.

Attachment creation errors

This section lists errors that you might encounter when creating attachments and provides suggestions for how to fix each of them.

When you identify the Symantec site that you want to connect your attachment to using the gcloud beta network-security secure-access-connect realms describe command, the output indicates whether your Symantec connection is successful.

If the connection to Symantec is successful, the output contains the following line:

symantecConnectionState: SUCCEEDED

If the output doesn't contain the preceding line, or the symantecConnectionState isn't SUCCEEDED, your connection to Symantec is unsuccessful.

This issue can be caused by one of the following reasons.

The API key that you uploaded when you created a realm isn't valid.

To resolve this issue, verify the format of the secret that contains the API key. The secret must use the following format and must not include any white spaces or tabs:
```
USERNAME:PASSWORD
```
If the secret doesn't match the preceding format, edit the secret. If the secret matches the preceding format, try generating and uploading a new API key.
The secret doesn't exist, the secret isn't associated with the realm, or the service account lacks permissions.

To resolve this issue, do the following:
- View the realm details and confirm that the secret name is correct.
- Verify and correct the permissions granted in Create a Secure Access Connect realm.
The Symantec location might already be in use by an existing attachment.

To resolve this issue, make sure that you use a location that's not in use.
The Symantec site is temporarily unavailable.

To resolve this issue, check with Symantec about the availability of their service.

The following table lists the connection states to Symantec and what they mean.

State	Description
SYMANTEC_CONNECTION_STATE_UNSPECIFIED	The default value when the state is omitted.
SUCCEEDED	Successfully connected to Symantec.
READ_SECRET_FAILED	Can't access the API key in the provided secret_path because the secret doesn't exist or the service account doesn't have the required permissions to read it.
REQUEST_TO_SYMANTEC_FAILED	Failed to get a successful response from Symantec API due to an invalid API key or Symantec API unavailability.

If you encounter a Palo Alto Network Prisma Access attachment creation error, check for the following issues.

You aren't setting Symantec-specific fields.
You aren't specifying an invalid resource name.

To resolve this issue, make sure that your resource name conforms with RFC 1034, is restricted to lowercase letters, numbers and hyphens, and has a maximum length of 63 characters. Additionally, the first character must be a letter and the last a letter or a number.
A corresponding partner realm already exists and the associated realm is in the PARTNER_ATTACHED state.

If the realm isn't in the PARTNER_ATTACHED state, you must complete the attachment process in the Palo Alto Network Prisma Access console.

The following table lists the realm attachment states and what they mean.

Realm state	Description
STATE_UNSPECIFIED	The default value used when the state is omitted.
PENDING_PARTNER_ATTACHMENT	This realm has never been attached to a partner realm. Used only for Palo Alto Networks Prisma Access.
PARTNER_ATTACHED	This realm is attached to a partner.
PARTNER_DETACHED	This realm was attached to a partner before but has been detached.
KEY_EXPIRED	This realm is not attached to a partner realm, and its pairing key has expired and needs key regeneration. Used only for Palo Alto Networks Prisma Access.

The following table lists the Secure Access Connect attachment states and what they mean.

Attachment state	Description
STATE_UNSPECIFIED	No state specified.
PENDING_PARTNER_ATTACHMENT	Has never been attached to a partner.
PARTNER_ATTACHED	Attached to a partner.
PARTNER_DETACHED	Was attached to a partner before but has been detached.