Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

How To - Troubleshoot Zero Trust Access Gateway (ZTAG)


This article aims to assist in troubleshooting the Kemp Zero Trust Access Gateway (ZTAG) automation script.

Points Covered

1 – Pre-Flight Checks

2 - Enable Logging

3 – Script Hash

4 –Logging Details

Pre-Flight Checks

The Zero Trust Policy Builder script running includes several checks to validate the entries within the Configuration Files (XML). 


When the script is run, one of many variations of the following warning may be presented to the user.



Depending on the Use Case/ Configuration File being used, unique policy elements must match the identify section entries.

In this example, the IP address /173\.16\.10\..* does not match any IP address provided in the Zero_Trust_Access_Gateway_Policies section. This must be addressed for the Zero Trust Policy Builder to run successfully.


Enable Logging

To provide the necessary visibility of the Zero Trust Policy Builder to the user, extended logging is available. Verify that the following section is populated, and the proper permissions are enabled on the directory path.


  1. Log File Path – Location to store log files.
  2. MaxLogSizeKB – The maximum log file size in KiloBytes.
  3. MaxLogRollovers – Permit the number of log file rollovers.

Setting MaxLogSizeKB to 500 and MaxLogRollovers to 1 will allow for a maximum of ~1MB of disk usage for Kemp Zero Trust Access Gateway logs.

Script Hash

In environments where multiple administrators have access to the Zero Trust Policy Builder script, the script may be modified unintentionally. This can be verified by matching the expected hash with the hash that is generated in the logs.

  1. Obtain the expected hash – The expected hash can be found in the Zero Trust Access Gateway package that was downloaded from the Kemp website. Open the file with the name Script-Hash.xml with Notepad or other application that can read XML.



  1. Open the current log file in the specified path and find the line that reads Script-Hash. (There may be several lines depending on the number of times the script was run).  The Script-Hash entry in the log must match the hash that is provided in the Script-Hash.xml file.


  1. If the hash does not match, download the latest version of the Kemp Zero Trust Access Gateway package.

Logging Details

To help identify any possible errors that may occur during the Zero Trust Policy Builder run, extended logging is available. The log files are located in the path that is specified in the Configuration File (XML). 

  1. Open the log file and scroll to the bottom.
  2. Each Zero Trust Policy Builder run is separated, and each run starts with Starting Log File Execution.
  3. Examine the log file for any entry that does NOT equal

ReturnCode=200; Response=Command successfully executed

  1. If a line is found that does not match the response above, there is a description of the action that attempted to occur, which can be used to troubleshoot the issue.


Was this article helpful?
0 out of 0 found this helpful