Messages in syslog /var/log/messages and /var/log/privx/*.log may provide additional information about issues in the setup and in client connections.

For more details about what each microservice does, see Appendix B.

For more information about enabling debug logging, see the section called “PrivX Log Settings”.

You can verify the microservice statuses on the status page, available at (replace https://privx.example.com with the address of your PrivX server:

https://privx.example.com/status.html

Some issues may be fixed by restarting the PrivX service. You can do this by running the following command on your PrivX servers:

# systemctl restart privx

If microservices report 502 errors, check the database connectivity. Make sure the pg_hba.conf on the PostgreSQL server allows PrivX servers to connect to the PrivX database with md5 authentication.

More information about the error may be provided by the microservice logs.

PrivX connects using all the available credentials (such as certificate, public key, and stored credentials). For target users who allow many roles, the OpenSSH MaxAuthTries may be exceeded before PrivX offers the correct authentication method.

To fix the error, increase the MaxAuthTries in the target-host OpenSSH configuration, restart the target-host OpenSSH server, then try connecting again.

More information about authentication issues may be found from syslog messages.

Since PrivX uses short-term certificates for user authentication, deviations in system times (minutes or more) will easily result in failing authentications. It is extremely important to synchronize the clocks between all the involved systems:

We strongly recommend using authenticated NTP clock synchronization on all the involved systems.

PrivX applies a default pre-filter for matching user records. The pre-filter may need to be adjusted depending on your user-directory structure. For more information about adjusting how users are matched, see the section called “Adjusting User Matching”.

Sometimes in List users view some of the columns show Anonymous, or are empty. In this case it is possible you may need to adjust the attribute mapping in your directory settings. For example in default OpenLDAP setup you could have the following attribute mappings:

You can request technical support and let us know about PrivX issues on the SSH Communications Security support site at https://help.ssh.com/

When submitting a support ticket, please attach PrivX troubleshooting data. To generate troubleshooting data, run the following on your PrivX server:

# /opt/privx/scripts/troubleshoot.sh info

And attach the generated troubleshooting-data package to the support ticket. By default the package is generated to the current working directory, with the name:

Privx-troubleshoot-data-<host>-<timestamp>.tar.gz

For additional usage instructions related to the troublehsooting script, you may run:

# /opt/privx/scripts/troubleshoot.sh -h