Troubleshoot Secure Access Error "Enrollment Service Is Not Responding. Contact Your IT Help Desk"

Available Languages

Download Options

  • PDF     (34.7 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (118.4 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (98.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:November 17, 2023
Document ID:221201

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a way to resolve the error "Enrollment service is not responding. Contact your IT help desk".

    Problem

    When a user tries to enroll Zero Trust Access (ZTA) module of Secure Client, the enrollment fails and the error is printed on the Cisco Secure Client notification popup:

    Enrollment service is not responding. Contact your IT help desk

    Cisco Secure Client errorCisco Secure Client error

    The reason behind this error is that the ZTA module of Secure Client is unable to establish an SSL connection to one of the enrollment services.
    Connectivity issues can be caused by any upstream filtering device that is between the end client and the Internet, like a firewall or proxy.
    If your PC is connected directly to the internet (without proxy), such an error must never be seen and indicates a problem with the enrollment service itself.

    Solution

    To fix this enrollment error, you need to make sure that the required domains are included in allow list or bypassed on any upstream filtering device:

    • enroll.ztna.sse.cisco.com
    • devices.api.umbrella.com
    • prod.acme.sse.cisco.com
    • enroll-ui.ztna.sse.cisco.com
    • sseposture-routing-commercial.k8s.5c10.org
    • sseposture-routing-commercial.posture.duosecurity.com

    Additional Details

    You can run the CURL commands in the terminal of your PC to verify that there are no issues with connectivity to the required domains

    For detailed logs from the client, you can collect the DART bundle and examine the file called ZeroTrustAccess.txt.

    Example error message that you can find in the logs:

    request complete for url=https://devices.api.umbrella.com/deployments/v2/ztna res=28 error=Timeout was reached

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    17-Nov-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Wojciech Brzyszcz
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products