Netskope Client Troubleshooting Guide
This guide is designed to help troubleshoot issues with end-users and administrators using Netskope Client.
Netskope Client steers traffic from the end-user device to the Netskope Cloud. The Client creates an SSL tunnel from the end device and terminates it at the Netskope forward proxy in the Cloud. The tunnel carries traffic that is selected by the administrators as part of the steering configuration. All intermediate and root CA Certificates are installed in the system cert store during the Netskope Client installation to facilitate the SSL termination.
General Troubleshooting Methods
Is my Netskope Client installed and active?
The easiest way is to check the taskbar or menu bar for an active Netskope icon on your screen.
Windows
macOS
Linux
To learn more, view Using Netskope Client.
Where can I view more details about the Netskope Client?
To view details, do the following:
- Click the Netskope Client icon.
- Select Configuration to display the window. The following details are constant, including Organization, Gateway, Steering Configuration, and so on.
  - Organization
  - Gateway: The Gateway IP, however, is intelligently identified based on your location. In this case, a user based out of Austin, TX is redirected to the closest Netskope datacenter of Dallas for gateway-tenant.goskope.com.
  - Gateway IP
  - User Email: The User Email will typically be the UPN derived from the IdP and unique to each user.
To learn more, view Netskope Client.
Is my Netskope Client disabled?
An administrator or end-user can enable a disabled Client. If disabled, click the Netskope Client icon and select Enable Netskope Client option to activate the Client again.
How can I know if I am connected to the nearest datacenter?
The Netskope Client always routes traffic to the nearest datacenter (with Client assisted GTM). The Gateway IP in the Netskope Client Configuration must display the location of the nearest datacenter.
How do I know if a specific website is steered through Netskope?
The Netskope Client steers traffic from the user machine to the Netskope Cloud.
- Cloud Apps: Only defined SaaS app traffic over ports 80, 443 is steered.
- All Web Traffic: All traffic going to ports 80, 443 is steered. Non-standard ports configured on the webUI are also steered.
- All Traffic: Steer all HTTP(S) and non-HTTP(S) to the Netskope cloud for deep analysis.
In CASB/Cloud Apps mode, Netskope does not steer All Web traffic today and is limited to specific applications defined in the steering configuration. The easiest way to check a given site is to view its certificate in the browser and check whether the certificate was issued by Netskope.
The following example shows the browser certificate details when the traffic from box.com is steered through Netskope.
Steered through Netskope
Not steered through Netskope
For non-web traffic, you can check SkopeIT in your tenant and view whether your traffic was bypassed or blocked by Netskope.
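The certificate check described above can also be done from a terminal. The script below is an added example, not Netskope tooling: it reads the issuer of a site's certificate with openssl and classifies the site. The function names and the issuer pattern (`netskope|goskope` in the issuer's O or CN field) are assumptions; adjust the pattern to the CA name shown in your own browser.

```shell
#!/bin/sh
# Added example (not Netskope tooling): tell whether a host's TLS certificate
# was issued by Netskope, i.e. whether its web traffic is being steered.
# ASSUMPTION: the issuer O= or CN= of a Netskope-issued certificate contains
# "netskope" or "goskope"; change ISSUER_PATTERN to match your tenant's CA.
ISSUER_PATTERN='netskope|goskope'

# Print the O and CN values from an `openssl x509 -noout -issuer` line.
# Accepts "issuer= /C=US/O=Org/CN=name" and "issuer=C = US, O = Org, CN = name".
issuer_fields() {
  printf '%s\n' "$1" \
    | sed -e 's/^issuer= *//' -e 's#^/##' -e 's#/\([A-Za-z]*=\)#, \1#g' \
    | tr ',' '\n' \
    | sed -n -E 's/^ *(O|CN) *= *(.*)$/\2/p'
}

classify_issuer() {
  if [ -z "$1" ]; then
    echo unknown          # no certificate came back (blocked, offline, not TLS)
  elif issuer_fields "$1" | grep -Eiq "$ISSUER_PATTERN"; then
    echo steered
  else
    echo not-steered
  fi
}

fetch_issuer() {
  # -servername sends SNI so the certificate for this hostname is returned.
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null
}

check_host() {
  host_issuer=$(fetch_issuer "$1") || host_issuer=
  printf '%s\t%s\t%s\n' "$1" "$(classify_issuer "$host_issuer")" \
    "${host_issuer:-no certificate}"
}

# Usage: ./steercheck.sh box.com example.org
for h in "$@"; do check_host "$h"; done
```

Only the O and CN fields are matched, so a public CA whose OU or other attribute happens to contain the pattern is not reported as steered.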
How does the Netskope Client determine what to steer?
The Netskope Client inspects the end device packets using OS packet filtering capabilities (Traffic mode and exceptions). This process varies according to the OS and the presence of Explicit Proxy in the network.
Will my applications/web sites see my IP address or Netskope address?
All sites that are steered through Netskope will see the source (egress) IP as coming from Netskope IP address space.
If applications require source IP allowlisting, they will need to allowlist the Netskope IP ranges found here: Consolidated List of IP Ranges for Allowlisting.
Private Access
How can I know if my Client is connected to NPA?
- Right-click on the Netskope Client icon in the system tray and select Configuration. Private Access should show as Connected.
  For Windows, you can also check one of the following options:
  - The tooltip of Netskope Client icon in the tray icon shows the NPA status. Or,
  - Click the Netskope Client icon and check the Services section. It displays Private Access if the NPA status is enabled.
- If the Configuration shows Private Access as Disabled, make sure the Steer all Private Apps option is enabled in the Steering Configuration settings for your tenant. Go to Settings > Security Cloud Platform > Steering Configuration.
  If you are using only the Default tenant configuration, click Edit in the upper right corner. If you have multiple Steering Configurations, click on the name of the Steering Configuration you are using for NPA to open the details page.
What can I do when the NPA Tunnel is getting disabled?
If you cloned a VM snapshot and installed it on multiple machines, the NPA tunnel becomes disabled. The NPA backend requires the netskope-device-id to be unique, and that ID is derived from the machine-id, which every clone of the snapshot shares.
You need to regenerate unique machine-ids following these steps:
- Stop the client service.
sudo systemctl stop stagentd.service
- Remove NPA certificates from /opt/netskope/stagent/data. The following certificates need to be removed:
  - npaccesscert.pem
  - npaccesskey.pem
  - npatenantcert.pem
- Remove the machine-id.
sudo rm /etc/machine-id
sudo rm /var/lib/dbus/machine-id
- Regenerate the machine-id.
sudo dbus-uuidgen --ensure
sudo systemd-machine-id-setup
- Verify the new machine-id.
cat /etc/machine-id
hostnamectl
- Reboot the machine.
sudo reboot
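A scripted version of the verify step, as an added example that is not part of the Netskope documentation: run it after regenerating the machine-id and before the reboot to confirm the clone no longer shares its identity with the snapshot. The function names, the `OLD_ID` argument (the machine-id recorded from the snapshot) and the optional `ROOT` prefix are assumptions of this example.

```shell
#!/bin/sh
# Added example: post-checks for the machine-id regeneration steps above.
# ROOT lets the checks run against a mounted image or a test tree and
# defaults to the live filesystem. OLD_ID is the snapshot's machine-id.

valid_machine_id() {
  # machine-id(5): exactly 32 lowercase hex characters, not all zeros.
  case "$1" in
    ""|*[!0123456789abcdef]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ] && [ "$1" != "00000000000000000000000000000000" ]
}

verify_regenerated() {  # usage: verify_regenerated OLD_ID [ROOT]
  old_id=$1
  root=${2:-}
  new_id=$(cat "$root/etc/machine-id" 2>/dev/null) \
    || { echo "missing /etc/machine-id"; return 1; }
  valid_machine_id "$new_id" || { echo "malformed machine-id"; return 1; }
  [ "$new_id" != "$old_id" ] \
    || { echo "machine-id unchanged from template"; return 1; }
  # systemd-machine-id-setup copies an existing D-Bus ID, so both should match.
  dbus_id=$(cat "$root/var/lib/dbus/machine-id" 2>/dev/null) || dbus_id=
  if [ -n "$dbus_id" ] && [ "$dbus_id" != "$new_id" ]; then
    echo "dbus machine-id differs from /etc/machine-id"; return 1
  fi
  # The old NPA certificates are bound to the old device ID and must be gone.
  for f in npaccesscert.pem npaccesskey.pem npatenantcert.pem; do
    [ ! -e "$root/opt/netskope/stagent/data/$f" ] \
      || { echo "stale NPA file: $f"; return 1; }
  done
  echo "ok"
}
```

Call it as `verify_regenerated <snapshot-machine-id>`; any result other than `ok` names the step that still needs to be repeated.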
Endpoint DLP
Where can I enable Endpoint DLP for my client configuration?
Endpoint DLP is an add-on feature for the Netskope Client. To enable Endpoint DLP for the Netskope Client, contact your sales representative.
Select Enable Endpoint DLP to enable Endpoint Data Loss Prevention for the client configuration and apply Content and Device Control policies to the devices. You can enable Endpoint DLP for the Default Tenant Config to apply policies to all client users or for custom client configurations to apply policies to specific users.
Troubleshooting Configuration Issues
How can I perform a speed test on the connected Netskope POP?
- Click the Netskope Client icon.
- Select Advanced Debugging.
- Click Speed Test.
- Select the desired File Size option.
- Click Start.
For example, view the following screenshots for macOS:
How can I restart the Netskope Service on my Windows, macOS, or Linux devices?
Use the following commands:
Windows
Ensure that Protect Client configuration and resources field is disabled in Client Configuration.
- Start Service:
stagentsvc -start
- Stop Service:
stagentsvc -stop
macOS
- Pre Big Sur
  - Start Service:
sudo launchctl load /Library/LaunchDaemons/com.netskope.stagentsvc.plist
  - Stop Service:
sudo launchctl unload /Library/LaunchDaemons/com.netskope.stagentsvc.plist
- Big Sur/Monterey or later
  There is no command to stop network extension. You need to disable the client from the UI.
Linux
- Start service:
sudo systemctl start stagentd.service
- Stop service:
sudo systemctl stop stagentd.service
How can I gather information about the Netskope Client using API?
https://<tenant-URL>/api/v1/clients – This endpoint returns information related to the Netskope Client. To learn more, view Get Client Data.
How do I save my Netskope Client logs?
- To save Client logs, go to Netskope Client icon > Save Logs. You can save the .zip log file to a specific folder.
- If the Client is hidden by your administrator, use command-line options to save the .zip log files.
  - Windows:
Nsdiag.exe -o mylogs.zip
  - Mac:
./nsdiag -o mylogs.zip
  - Linux:
/opt/netskope/stagent/nsdiag -o mylogs.zip
  - Android:
NetskopeLogs.zip
How can I collect the log details from my Netskope account?
- Go to Settings > Security Cloud Platform > Devices page, search for the username and click the device name.
- Click Collect Log on the top right-hand corner.
- Once the log file is generated, the admin (requestor) receives an email link to download the log to their local computer in zip format.
Where can I find the Netskope certificates and branding files?
- Windows: C:\ProgramData\netskope\stclient
- macOS: /Library/Application\ Support/Netskope/STAgent
- Linux: /opt/netskope/stagent/
- Android: Settings > Biometrics and Security > Other Security Settings > View Security Certificates. Tap on the User tab. You can see the Security certificates for Netskope.
- iOS: Settings > VPN > VPN Profile > More Details. The branding file is protected and not viewable.
Where can I find the Netskope Log files?
Windows
| Processes | Log Location |
| --- | --- |
| Netskope Client services and other processes running as admin | %ProgramData%/Netskope/stagent/Logs |
| User process | %APPDATA%/Netskope/STAgent/Logs |
| Service crash dump | %ProgramData%/Netskope/stagent/Logs |
| UI Crash dump | %APPDATA%/Netskope/stagent/Logs |
macOS
| Processes | Log Location |
| --- | --- |
| System extensions and other processes with root privilege | /Library/Logs/Netskope |
| User process | ~/Library/Logs/Netskope |
Linux
| Processes | Log Location |
| --- | --- |
| Service and installation logs | /opt/netskope/stagent/logs |
| UI and stAgentApp | ~/.netskope/stagent/logs |
Android
- Go to the Netskope Client app.
- Click the three dots.
- Select Send Logs.
- You can download it to the desired location.
iOS
Users cannot read Netskope logs on iOS devices, but you can download Netskope logs zip files and share them through AirDrop and email.
Where can I find the Netskope executables and diagnostic tools?
- Windows: C:\Program Files (x86)\Netskope\STclient\
- macOS: /Library/Application\ Support/Netskope/STAgent
- Linux: /opt/netskope/stagent/
- Diagnostic command in Windows: %ProgramFiles(x86)%\Netskope\STclient\nsdiag.exe
- Diagnostic command in Mac: /Library/Application Support/Netskope/STclient/nsdiag
- Diagnostic command in Linux: /opt/netskope/stagent/nsdiag