ZTNA Client - Network Interceptor Error

Available Languages

Download Options

  • PDF     (4.2 KB)
    View with Adobe Reader on a variety of devices
Updated:March 12, 2026
Document ID:225603

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Contents

Issue

Users experiencing network interceptor errors when attempting to access private resources through Cisco Secure Access Zero Trust Access (ZTNA). The error prevents successful connection to any private resources configured within the Zero Trust Access environment, resulting in complete loss of access to internal applications and services.

Environment

  • Technology: Cisco Secure Access - Zero Trust Access (ZTNA)
  • Software Version: 5.1.14
  • Product Family: SECACCS
  • Error Type: Network interceptor error
  • Impact: Critical - Complete loss of access to private resources
  • Recent Changes: None reported

Resolution

This can be seen in the Dart logs:

++ The following logs were found:

E/ ZtnaKdfConfigurator.cpp:208 ZtnaKdfConfigurator::StartIntercept() IZtnaApi::SetParameters failed with error code=BadParameter

2026-03-02 11:33:30.933701 csc_zta_agent[0x000020fc/config_enforcer, 0x00001994] E/ ZtnaConfigEnforcer.cpp:444 ZtnaConfigEnforcer::applyActiveSteeringPolicy() failed to start/update ZTNA intercept

2026-03-02 11:33:30.933701 csc_zta_agent[0x000020fc/config_enforcer, 0x00001994] I/ ZtnaConfigEnforcer.cpp:145 ZtnaConfigEnforcer::reportInterceptorConnectivityChange() Reporting KDF reachability: ConfigFailed

in the Cached config from DART 

A trailing white space is introduced - cisco.com - causing this issue.

  • After further testing, it became evident that selecting the remotely reachable address option for private resource configuration, and the remotely reachable address field is unchanged, or has the same values as the internally reachable address, this setting disables itself upon save.
  • However, it looks like when the remotely reachable address field was checked, there was an extra whitespace in the remotely reachable address FQDN (for example, 'cisco.com' versus 'cisco.com '), and the configuration was able to be saved.
  • As the default zero-trust profile was in-use, meaning that any newly created or existing private resource configuration is pushed down to every user in the organization, the configuration with this whitespace was synchronized. This whitespace caused the "Network Interceptor" errors that the client was exhibiting.
  • To remedy this issue for the time being,go to the private resources and ensure whitespaces are not present in the remotely reachable address FQDN.

Cause

The network interceptor error in Cisco Secure Access Zero Trust Access is typically caused by misconfigured or problematic private resource definitions within the ZTNA environment. When the remotely reachable address field was checked, there was an extra whitespace in the remotely reachable address FQDN (for example, 'cisco.com' versus 'cisco.com ').

Related Content

Revision History

Revision Publish Date Comments
1.0
12-Mar-2026
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Amit Arora
    Technical Consulting Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products