Azure NSS VM is not reporting back to ZIA

Hi All,

I have an NSS server deployed on Azure with two interfaces, hn0 and hn1. The two interfaces were assigned two IPs from the same subnet, with the same gateway.
hn0 - mgt interface
hn1 - service interface
I am able to SSH to this VM, and hence I can confirm hn0 is working as expected, but for the hn1 interface I am not seeing any IP assigned.

Both IPs are assigned statically. Zscaler TAC told us the interface is not responding to ARP requests.

We followed the same steps mentioned on the Zscaler help portal, but it is still the same.

When we tried to collect a TCP dump, I see that for hn0 it collects without any warnings, but for hn1 I see the message "No IPV4 address assigned".

Can someone help me? Why is my same gateway responding to the second interface?

Thanks in advance for all your help…

@sumanthdandaboina I have some experience with the NSS servers. First of all, take a look at this screenshot of our hn1 interface:

Your hn1 interface won’t get an IP in the same way the hn0 interface gets an IP, because it’s supposed to be running in promiscuous mode.

Now, it is definitely weird that you can’t tcpdump on it; this works as it should when I tried it:
sudo tcpdump -i hn1
listening on hn1, link-type EN10MB (Ethernet), capture size 96 bytes

I am going to assume you are correctly assigning an IP address in Azure to the secondary interface hn1 of your NSS (I hope you are; otherwise, of course, it’s not going to work) and that you did this:

Upload to the VM (download the cert from Zscaler admin portal)
sudo nss install-cert
Get the gateway (netstat -rn)
sudo nss configure
enter the private IP of the service NIC with CIDR notation (must be /24; get this from the Azure portal)
enter the gateway obtained earlier (without CIDR notation)
sudo nss update-now (this takes a while)
sudo nss start

You may be wondering why you had to give a /24 to the service NIC as opposed to /32. Since it’s only 1 IP address, /32 would be more appropriate, right?
You may have forgotten you are dealing with Zscaler here. /32 does not work; at the time of this writing, a long time was spent troubleshooting why /32 won’t work, without any results.

Do you get anything when you run this?
sudo nss troubleshoot netstat | grep tcp

Hey … Sorry for the late response. After multiple long calls, the mistake we found is that “smnet_address” was spelled with a capital ‘S’ instead of a small ‘s’ … very silly, but this was not edited by us. We followed the script given by Zscaler itself.

Also, /32 should be the right one, but Zscaler support asked me to use /24, not sure why… After providing /24 only, it started running, at least in the first call. Hope this update helps. Thanks
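
A pre-flight check for the two values the procedure above feeds to `sudo nss configure`, covering the /24 versus /32 question raised in the thread. This is an added example, not code from the posters or from Zscaler; the function name is hypothetical, the addresses are constructed, and it only inspects the inputs without calling the nss CLI.

```python
import ipaddress


def check_nss_service_inputs(service_ip_cidr, gateway):
    """Return a list of problems with the service IP and gateway inputs.

    An empty list means both values are well-formed and the gateway lies
    inside the network implied by the prefix entered for the service NIC.
    """
    # The procedure asks for CIDR notation on the IP and none on the gateway.
    if "/" not in service_ip_cidr:
        return ["service IP must be entered in CIDR notation"]
    if "/" in gateway:
        return ["gateway must be entered without CIDR notation"]
    try:
        iface = ipaddress.ip_interface(service_ip_cidr)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return ["not a valid address: %s" % exc]

    problems = []
    net = iface.network
    if gw == iface.ip:
        problems.append("gateway equals the service IP itself")
    elif gw not in net:
        # With /32 the network holds only the NIC's own address, so any
        # gateway is outside it.
        problems.append("gateway %s is not on-link for %s" % (gw, net))
    elif net.prefixlen < 31 and gw in (net.network_address,
                                       net.broadcast_address):
        problems.append("gateway %s is the network or broadcast address" % gw)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for ip, gw in [("10.20.30.5/24", "10.20.30.1"),
                   ("10.20.30.5/32", "10.20.30.1"),
                   ("10.20.30.5", "10.20.30.1")]:
        result = check_nss_service_inputs(ip, gw)
        print(ip, gw, "->", result or "ok")
```

With a /32 prefix the check flags the gateway as off-link because the interface's network then contains only its own address. The thread does not establish whether that is why NSS needed /24.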