Using the User Diagnostics portal
Workflow for using User Diagnostics to troubleshoot end-user issues.
Before you begin
Have the User ID or Device ID (of the device running the EAA Client), the name of the IdP URL, the name of the application, the type of the application, whether it is a client-access application (Tunnel 2.0, Tunnel-type, TCP-type) or an access application (Web or HTTPS or HTTP, VNC, RDP, SSH), the time when the application or IdP was last working, when the problem occurred, and which errors were last seen, according to the support ticket.
For a client-access application issue, you should know the Device ID, the EAA Client version, the OS of the laptop, and the last activity using the laptop.
For a web application (clientless), you should have the type of browser used to access the application and the last activity using the laptop.
- Log in to the EAA Management portal.
- Navigate to .
Select one of the following and provide the information:
- User ID. Provide the username of the user accessing the login portal (identity provider URL).
- Device ID. Provide the Device ID of EAA Client.
Select the identity provider name (your login portal URL).
Note: All identity providers for the tenant are shown; the list does not depend on the User ID or Device ID.
Select a time range (of a maximum of 7 days) around the time when the problem
Note: A narrow time range is more accurate.
- Click Search.
You will see multiple tiles appear. Select one or more tiles based on:
- For a client-access application issue, select one tile based on the parameters you have obtained from the support ticket. It can be any of these:
- For an access-application issue (Web or HTTP or HTTPS, RDP, SSH, VNC), select the tile which says “Clientless activity”.
Note: Clientless activity shows the browser used for the last access (Last activity) by the user.
Note: Clientless activity is not dependent on the identity provider in step 4. You only need to provide the User ID if you're debugging an access-application issue.
- If you see the issue for both client-access application and access-application, select multiple tiles.
- Expand the ACCESS section. You can either filter for the application you are trying to diagnose or select the application from the list. The list shows client-access applications, access applications, or both, in descending order of Requests. You can re-sort this list based on Errors or Volume.
- Click the application you want to troubleshoot, and the chart appears. By default, it shows the distribution of Volume (in MBytes), Total Requests (hits), Denies count (4XX messages), Error count (5XX errors), and when the Deployment happened in the selected time period. Click the application hostname link to navigate to the application configuration page and correct any misconfiguration.
- You can use the POLICY section to fix any policy violations to applications or authorization violations using the selected identity provider. Expand the POLICY section to see all the violations, or filter by the IdP name or application host name. Click Edit Rules to navigate to the Access Control List rules configuration page for the application. Click Edit Directories for IdP to navigate to the IdP configuration page. Assign another directory, or update the directory with the correct user, groups, and permissions, to fix the authorization issue. Then deploy the IdP or deploy the application.
- You can use the NETWORK section to fix any network connectivity issues in the different network segments. Expand the NETWORK section. In Select application to troubleshoot, enter the name of the application or search for the application you’re debugging.
- Use the >> and << buttons to step through each data point on the time slider. Check the data before the time the problem occurred and at the time the problem was reported for any abnormalities.