Troubleshooting

This section provides guidance on troubleshooting common issues with Tenable On-Prem connector deployments.

Connectivity Issues

  • Verify network connectivity: Ensure the gateway server can reach Tenable One over HTTPS (port 443) and UDP port 51820. Use tools like ping, traceroute, and telnet or nc to test connectivity:

    nc -v -u -z -w 3 site.url.com 51820

  • Check firewall rules: Verify that the necessary firewall rules are in place on the gateway server, any intermediate firewalls, and the network perimeter. Specifically, ensure that outbound HTTPS and UDP/51820 traffic is allowed, and that inbound UDP/51820 traffic to the gateway's public IP address is permitted.

    Note: Your network firewall must allow outbound UDP traffic on port 51820 to the Tenable gateway (for example, site.gateway.cloud.tenable.com). This port is required for the WireGuard tunnel. If this port is blocked, standard connectivity checks may fail.

  • DNS resolution: Ensure the gateway server can resolve the Tenable One hostname (e.g., gateway.TenableOne).
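
The three checks above (DNS, TCP/443, UDP/51820) combined into one preflight script. This is an added example, not part of Tenable's tooling: it assumes getent and an nc that supports -z are installed, and the function names are hypothetical. It treats a passing UDP probe as inconclusive, because a firewall that silently drops UDP/51820 looks the same to nc as an open port.

```shell
#!/bin/sh
# Added example: preflight for the connectivity checks listed above.
# Usage: sh preflight.sh <gateway-hostname>

TCP_PORT=443      # HTTPS to Tenable One (port taken from the page)
UDP_PORT=51820    # WireGuard tunnel (port taken from the page)

# verdict KIND RC -> prints how far a probe's exit status can be trusted.
verdict() {
    case "$1:$2" in
        dns:0) echo "resolved" ;;
        dns:*) echo "unresolved" ;;
        tcp:0) echo "reachable" ;;
        tcp:*) echo "blocked-or-closed" ;;
        # UDP has no handshake: nc reports success whenever no ICMP
        # "port unreachable" comes back, so a silent drop passes too.
        udp:0) echo "inconclusive" ;;
        udp:*) echo "closed-or-rejected" ;;
        *)     echo "unknown-check"; return 2 ;;
    esac
}

# probe KIND HOST -> runs the matching command and returns its exit status.
probe() {
    case "$1" in
        dns) getent hosts "$2" >/dev/null 2>&1 ;;
        tcp) nc -z -w 3 "$2" "$TCP_PORT" >/dev/null 2>&1 ;;
        udp) nc -u -z -w 3 "$2" "$UDP_PORT" >/dev/null 2>&1 ;;
    esac
}

# preflight HOST -> one line per check; returns 1 if any check hard-fails.
preflight() {
    pf_failed=0
    for pf_kind in dns tcp udp; do
        probe "$pf_kind" "$1" && pf_rc=0 || pf_rc=$?
        pf_v=$(verdict "$pf_kind" "$pf_rc")
        printf '%-4s %s\n' "$pf_kind" "$pf_v"
        case "$pf_v" in
            unresolved) return 1 ;;   # port probes are meaningless without a name
            blocked-or-closed|closed-or-rejected) pf_failed=1 ;;
        esac
    done
    return "$pf_failed"
}

# Run only when a hostname is supplied on the command line.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

An "inconclusive" UDP result still has to be confirmed by checking the firewall rules and the gateway status, since only an established tunnel shows that UDP/51820 actually gets through.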

Authentication Issues

  • Verify the activation key: Double-check that the activation key was entered correctly during the gateway configuration.

  • Check gateway: Ensure the gateway is properly registered and activated within the Tenable Exposure Management application.

On-Prem Status

  • Check gateway status in Tenable Exposure Management: The Tenable Exposure Management interface provides information about the status of connected gateways. Check for any error messages or alerts.

    Tip: For more information, see Connector Status in the Tenable Exposure Management User Guide.

  • Check gateway logs: Examine the Tenable On-Prem connector logs on the server for any error messages. The location of these logs is available through the Tenable Core user interface (port 8000).

Data Fetching Issues

  • Verify scanner connectivity: Ensure that the Tenable scanner used by the gateway can communicate with the target assets.

  • Check network segmentation: Ensure that the gateway and scanner are located in a network segment that can reach the target assets.

  • Check credentials: Ensure that the provided credentials are correct and have the correct role associated with them.

General Troubleshooting Steps

For general help, do the following:

  • Consult the Tenable documentation and support resources.

  • Contact Tenable Support for assistance.

Tools

The following are some tools that can help you troubleshoot issues with your Tenable On-Prem connector configuration:

  • ping: Test basic network connectivity.

  • traceroute / tracert: Trace the route that packets take to reach a destination.

  • telnet / nc: Test connectivity to a specific port on a host. nc (netcat) is generally preferred over telnet.

  • nslookup / dig: Query DNS servers to troubleshoot name resolution.

  • ifconfig / ip addr: Display network interface configuration.

  • netstat / ss: Display network connections and listening ports.

  • docker logs: View the logs of a Docker container.

  • Firewall tools (e.g., iptables, firewall-cmd, ufw): Inspect and modify firewall rules.