Cloud Exchange Troubleshooting

Review these sections for troubleshooting information.

Troubleshooting Tips and FAQs

This section provides information about common issues and suggested solutions.

The Cloud Exchange UI is freezing. What can I do?

Docker/Podman requires the net.ipv4.ip_forward setting to be enabled in order to access the outside world. According to a reported Docker issue (https://github.com/moby/moby/issues/490), Docker needs this setting enabled but does not enable it automatically, because that is the user’s responsibility. Podman seems to behave differently in this regard; see https://github.com/containers/podman/issues/399.

The installation failed/hit a strange error. How do I get help?

Please open a ticket with Netskope support and we’ll get an engineer to help you as soon as possible. Following the installation steps in this guide usually prevents most issues. If you do engage support and you can access Cloud Exchange (the install got that far), please provide the following details with the ticket:

  • Download, install (requires ZIP command), and execute the Diagnose script found at https://github.com/netskopeoss/ta_cloud_exchange
  • If you have already installed an SSL certificate, two of the commands in the diagnose script will not work. If the UI is accessible:
    • Copy the exact version of Cloud Exchange and its components in use by CE. In your CE instance, go to Settings > General tab, Software version section.
    • Download the application’s logs from your CE platform. Navigate to the Logging tab and click on the download icon.
  • Attach all output to the support ticket.

There is an issue while starting the docker container. What should I do?

The error message is this:

Network netskope-cloud-threat-exchange-docker-compose_default Error 0.0s failed to create network netskope-cloud-threat-exchange-docker-compose_default: Error response from daemon: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network.

The issue is specific to the network of the machine: the Docker network conflicts with the host network, so the Docker network is not created successfully. To change the Docker network configuration, refer to https://docs.docker.com/compose/compose-file/06-networks/
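
To find a subnet that does not collide with the host before editing the compose file, the overlap can be checked offline. This is an added example, not part of Cloud Exchange; the route table and candidate subnets are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ip -4 route` output on a host whose VPN claims
# all of 172.16.0.0/12 and whose LAN sits in 192.168.0.0/16.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.1.10
10.8.0.1 dev tun0 scope link
"""

# Hypothetical subnets an administrator is willing to give the CE network.
CANDIDATES = ["172.18.0.0/16", "192.168.32.0/20", "10.210.0.0/24"]


def host_networks(route_text):
    """Parse destination prefixes out of `ip -4 route` output."""
    nets = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue  # the default route overlaps everything by definition
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue  # first field is a route type such as "blackhole"
    return nets


def conflicts(candidate, nets):
    """Return the host prefixes that overlap the candidate subnet."""
    cand = ipaddress.ip_network(candidate)
    return [str(n) for n in nets if n.version == cand.version and cand.overlaps(n)]


def first_free_subnet(candidates, nets):
    """Return the first candidate with no overlap, or None."""
    for cand in candidates:
        if not conflicts(cand, nets):
            return cand
    return None


def compose_fragment(subnet):
    """Render a Compose `networks` block that pins the default network."""
    return (
        "networks:\n"
        "  default:\n"
        "    ipam:\n"
        "      config:\n"
        f"        - subnet: {subnet}\n"
    )


if __name__ == "__main__":
    nets = host_networks(SAMPLE_ROUTES)
    for cand in CANDIDATES:
        print(cand, "conflicts with", conflicts(cand, nets) or "nothing")
    free = first_free_subnet(CANDIDATES, nets)
    if free:
        print(compose_fragment(free))
```

On a real host, feed the function the actual output of `ip -4 route` and a candidate list agreed with the network team.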

There was an issue while checking the podman-compose version. What should I do?

If checking the installed podman-compose version fails, you can reinstall podman-compose by running this command:
$ sudo pip3 install podman-compose

I got a Bad Gateway error. What could cause this?

There are 3 possible causes:

  1. Mongo data directory permission issue
  2. The Core/Mongo-DB container is down
  3. The CE maintenance password is incorrect

1. For the Mongo data directory permissions issue

Verify

Execute ls -lRn . inside the directory with docker-compose.yml.

The mongo-data dir should be read/write accessible to the user with UID 1001.

./data/mongo-data:
total 0
drwxr-xr-x. 3 1001 0 16 Apr 14 18:16 data

Solution to mongo data directory permissions issue:

Execute the setup script again using ./setup to fix the file permissions.

Restart CE.
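
The same check can be scripted. The following is an added example, not part of Cloud Exchange or its setup script; the function name and default path are assumptions, and the UID 1001 requirement comes from the text above.

```python
import os
import stat

MONGO_UID = 1001  # UID named in the text above


def mongo_dir_problems(path="./data/mongo-data", uid=MONGO_UID):
    """Return (entry, reason) pairs for entries the given UID cannot use.

    An entry is flagged when it is owned by a different UID, or when the
    owner bits lack read/write (and, for directories, search) permission.
    """
    if not os.path.isdir(path):
        return [(path, "missing or not a directory")]

    # Collect the directory itself plus everything below it.
    entries = [path]
    for root, dirs, files in os.walk(path):
        entries.extend(os.path.join(root, name) for name in dirs + files)

    problems = []
    for entry in entries:
        st = os.lstat(entry)
        if st.st_uid != uid:
            problems.append((entry, f"owned by UID {st.st_uid}, expected {uid}"))
            continue
        needed = stat.S_IRUSR | stat.S_IWUSR
        if stat.S_ISDIR(st.st_mode):
            needed |= stat.S_IXUSR
        if st.st_mode & needed != needed:
            mode = stat.filemode(st.st_mode)
            problems.append((entry, f"owner bits {mode} lack read/write access"))
    return problems


if __name__ == "__main__":
    # Run from the directory that contains docker-compose.yml.
    for entry, reason in mongo_dir_problems():
        print(f"{entry}: {reason}")
```

An empty result means the ownership and owner permissions match what the text requires; any output lists the entries to fix by re-running the setup script.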

2. For the core/mongo-db container is down issue

Verify

Check the container status using sudo docker-compose ps; all the containers should be Up.

$ sudo docker-compose ps
Name                       Command                          State   Ports
----------------------------------------------------------------------------------------------------------------
ce_330_core_1              /bin/sh start.sh                 Up      80/tcp
ce_330_mongodb-primary_1   /opt/bitnami/scripts/mongo ...   Up      0.0.0.0:27018->27017/tcp
ce_330_rabbitmq-stats_1    /opt/bitnami/scripts/rabbi ...   Up      15671/tcp, 0.0.0.0:15672->15672/tcp, 25672/tcp, 4369/tcp, 5551/tcp, 5552/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp
ce_330_ui_1                /bin/sh start.sh                 Up      0.0.0.0:443->3000/tcp, 80/tcp
ce_330_watchtower_1        /watchtower --http-api-update    Up      0.0.0.0:8080->8080/tcp

Solution to core/mongo-db container is down:

If any containers are down, follow the steps below:

sudo docker-compose down
sudo ./start

3. For the maintenance password is incorrect issue

Verify

Check the core logs using `sudo docker-compose logs core` for any “authentication error”.

Check whether the customer is using CE version 3.2.0 or below with the same MongoDB.

Solution to the maintenance password is incorrect:

Perform the following steps:

sudo docker-compose down
sudo rm -rf .env
sudo ./setup
Add maintenance password as "cteadmin"
sudo ./start

Receiving an error during SSO setup when entering hostname (without a Top Level Domain). Why?

SSO requires a top level domain (TLD). If the hostname has no TLD when the URL is mapped, enabling SSO in CE returns the error “Invalid Hostname, Top Level Domain required”. This is resolved by adding a proper TLD (for example, netskope.com).

“Unsupported TLS Protocol Version Error” appears. Why?

This error appears because Netskope CE supports only TLSv1.3 by default. To resolve it, allow Netskope CE to run on TLSv1.2 along with TLSv1.3 by changing the TLS version from the setup script: re-run the setup script and answer ‘Yes’ to the following question.

Do you want to enable TLSv1.2 along with TLSv1.3 for CE UI.

Then execute the start script.

Cloud Exchange certificates are expired. How do I fix this?

If your certificates have expired, follow the steps below to regenerate them.

  • Bring down all the containers.
  • Remove the certificate files (cte_cert.crt, cte_cert_key.key) from the data/ssl_certs folder.
  • Re-run the setup script to regenerate the certificates. Enter “https” in response to the following question:
    Do you want to access CE over HTTP, or HTTPS (HTTPS is recommended)? https
  • Execute the start script.

Although sharing is configured, the IoCs reported are not being shared with the threat source.

While sharing the IoCs to a particular plugin, the sharing filters provided with the plugin’s configurations are considered. Ensure that the sharing configuration matches the IoCs you expect to be shared. If the sharing filter is incorrect, fix the sharing criteria. To fetch historical data that you may have missed due to misconfiguration, consider removing the sharing configuration and re-adding it.

Netskope is rejecting some of the URLs Threat Exchange is pushing to it. Why?

Netskope only accepts URLs whose wildcard characters are in front of the domain; others are rejected when Threat Exchange tries to send them. So *.google.com will be accepted by the Netskope tenant, but google.com/* will not. If your Threat Exchange database contains wildcards, you will need to manually tag to share.

Can I create new users apart from the default admin user?

Yes. Refer to Cloud Exchange Users.

Where are all the uploaded plugins stored?

By default, all your uploaded plugins are stored inside the ./data/custom_plugins directory. This can be changed in the docker-compose file by mounting a different directory. Alternatively, the Admin can add an additional repository to download custom plugins from; this is configured within the Settings menu. This is the best method of adding additional plugins to your CE instance, and the only method for adding additional CTO, CLS, and CRE plugins.

How do I reset the user password if the current password is forgotten?

To reset the administrator password, refer to Reset Password in the Account Settings section. Make sure to change the password from Account Settings after the CE administrator has reset the password.

To reset any other user’s password, the Super Admin can update the user’s password from Settings > Users by clicking the Edit icon on the right.

CE shows numerous errors after it was successfully set up (fetching error, internal server error, etc.)

A special character was potentially used for the maintenance password during setup. RabbitMQ does not support this, which causes issues with other services attempting to schedule tasks, because cross-container communication fails to engage RabbitMQ.

Run the following steps from the directory where docker-compose.yml resides to reconfigure the maintenance password:

sudo docker-compose down
sudo rm -rf .env
sudo ./setup
Add maintenance password.
sudo ./start

The IoCs search performance is slow. It takes more than 5 seconds to load results.

The platform by default searches for the last 7 days of IoCs. If there are too many IoCs (more than 1 million) and no filter selected, the search performance will be slow.

Proposed solution: Consider applying the filters and narrowing the search criteria. Performance is best when the data set is ~100K records or less.

After upgrading/restarting the core and ui containers, the custom plugin configurations are not visible.

Verify whether you uploaded a custom plugin with an active configuration to Netskope CE prior to upgrading or restarting the containers. In such a case, upload the custom plugin after the upgrade (refer to Create a Custom CTE Plugin in the Supported 3rd-party Plugins). The configurations are retained after uploading the custom plugin, and normal operation is restored.

While configuring a new plugin, even after providing accurate credentials, the configuration is not saved and an error message is displayed.

Verify if the outgoing API calls require a proxy. If your network deployment expects a proxy for HTTP API calls and a proxy is configured, the plugin operations would be impacted.

Proposed Solution:

  1. Go to Settings > General > Proxy.
  2. Edit the existing configuration and enable Use System Proxy.

Although the Poll interval for a plugin is configured to poll every 5 minutes, the Last Run shows an interval which is more than 5 minutes ago.

CE relies on an internal scheduling mechanism for the plugin’s tasks. Workers execute the plugin tasks by picking up tasks from the queue one by one. The number of workers available in your system depends on the number of cores. If the available workers are busy serving plugin tasks, an already queued task has to wait until a worker becomes available. This situation may occur, usually during initial data ingestion, where there’s more data to be processed.

Proposed Solution: Consider increasing the cores of the system if you have a large number of configured plugins, and the configured plugins are consistently lagging behind. For initial ingestion, the system should pick up the backlog post initial ingestion and behave normally if the incremental data is not large.

A plugin configuration shows a red alert icon. What happened?

If there is a red alert icon on one of the configurations, it indicates that there were one or more problems while polling the plugged-in system for data per that configuration. This could be related to API, proxy, or SSL settings.

Proposed Solution:

  • Make sure the Plugin Configuration has correct parameters for API, Secret key, URL, etc.
  • Make sure Enable Proxy is selected and your proxy is configured if outbound network calls require a proxy connection.
  • Check logs for errors occurring around the last run time displayed on the configuration from the Audit section.

Mac OS users cannot select tar.gz while uploading a custom Threat Exchange plugin via the Add Plugin widget

When a user tries to upload a plugin with a tar.gz package using the browse button, tar.gz files are not selectable by default.

Proposed Solution: Drag and drop plugin packages to the drop area of the UI.

How do I update the last run time of a plugin configuration? This is to replay the indicators in case they were missed.

Open the plugin configuration and set the Last Run value to an older date-time and save the configuration. Make sure that the configuration is currently not running when you update the Last Run value.

What kind of indicators are extracted from STIX/TAXII sources?

For STIX 1, the cybox observables of type URI, Domain, SHA256 and MD5 are extracted. For STIX 2, the same type of observables are extracted from the pattern string field of the indicators.
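
To see which values such an extraction yields from a given feed, the STIX 2 case can be reproduced offline. This is an added example, not Cloud Exchange's own parser: a regex-based sketch that handles simple equality comparisons only, with a constructed bundle and hypothetical function names.

```python
import re

# Object paths for the four indicator kinds named in the text above.
_PATHS = {
    "url:value": "url",
    "domain-name:value": "domain",
    "file:hashes.md5": "md5",
    "file:hashes.sha-256": "sha256",
}
_HEX_LEN = {"md5": 32, "sha256": 64}

# Either  <object path> = '<string literal>'  or a bare string literal.
# Bare literals are matched so that text inside them is never parsed as a
# comparison. Literals may contain \' and \\ escapes.
_TOKEN = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>(?:[^'\\]|\\.)*)'"
    r"|'(?:[^'\\]|\\.)*'"
)


def extract_indicators(pattern):
    """Return sorted (kind, value) pairs found in one STIX 2 pattern string."""
    found = set()
    for m in _TOKEN.finditer(pattern):
        if m.group("path") is None:  # bare string literal, skip it
            continue
        path = m.group("path").replace("'", "").lower()
        kind = _PATHS.get(path)
        if kind is None:  # observable type outside the four kinds
            continue
        value = re.sub(r"\\(.)", r"\1", m.group("value"))  # undo escapes
        if kind in _HEX_LEN:
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{%d}" % _HEX_LEN[kind], value):
                continue  # drop malformed hashes instead of ingesting them
        found.add((kind, value))
    return sorted(found)


def indicators_from_bundle(bundle):
    """Collect indicators from every STIX-pattern indicator object in a bundle."""
    found = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            found.update(extract_indicators(obj.get("pattern", "")))
    return sorted(found)


# Constructed bundle; all values are placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[url:value = 'http://malicious.example/login']"},
        {"type": "indicator",
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"},
        {"type": "indicator",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32
                    + "' AND file:hashes.MD5 = '" + "CD" * 16 + "']"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "pattern": "[file:hashes.MD5 = 'not-a-hash']"},
        {"type": "malware", "name": "constructed"},
    ],
}

if __name__ == "__main__":
    for kind, value in indicators_from_bundle(SAMPLE_BUNDLE):
        print(kind, value)
```

The IPv4 indicator and the malformed MD5 in the sample are dropped, which is a quick way to explain why a feed shows fewer indicators than it has objects.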

Even though a file in the repo is renamed, the comment on indicator still reflects the older file name.

This is a known limitation. The indicator comment is only added the first time that file is encountered. In subsequent runs, if the file is renamed, only the external hits will be increased (as long as the contents of the file remain the same).

Ticket status is showing Deleted within Cloud Ticket Orchestrator even though tickets/incidents are not removed from 3rd-party platforms. Why?

This may happen if the API credentials used to create the tickets do not have access to the tickets anymore. Make sure that the credentials you are using have read access to the tickets.

How do I handle large repositories with the Github DLP Plugin?

When a Git repo contains a large number of files, a plugin configuration could time out. The default timeout duration is set to 120 minutes. However, this can be increased by adding an environment variable in the docker-compose file.

core:
    image: crestsystems/netskope:core-latest
    container_name: "core"
    volumes:
    - ./data/custom_plugins:/opt/netskope/integrations/cte/custom_plugins:z
    environment:
    - PLUGIN_TIMEOUT_MINUTES=120

Log Shipper restarted or stopped. Why?

Log Shipper stops if something breaks. The following conditions are considered a failure: code race condition, core dump, process errors, or TCP socket errors. If CE receives 5 of these, it stops. Note that Log Shipper does NOT restart when it receives API errors, including the HTTP 200 error code, Response: {"status":"error","errorCode":"General Error","errors":["We encountered a backend error. Please try again."]}

Could not find the plugin with id = *****.

When updating the plugin from Settings > Plugin Repository, the plugin code is updated but not reloaded, which causes this error. To resolve the issue, restart the docker services using the command $ docker-compose restart

An error occurred while enabling SSO configuration.

When you see this message: Error URL host invalid, Top Level Domain required, it’s typically because the domain name used for accessing CE does not have TLD. To resolve this, use a hostname with TLD.

After rebooting the server/VM, containers are not starting.

Containers do not start after rebooting the server/VM because of the restart: on-failure:5 tag in the docker-compose.yml file. To resolve this, change the tag value to restart: always in the docker-compose.yml file.

Getting a Bad Gateway error even if I do a docker-compose rm and reinstall it.

A Bad Gateway error appears due to mongo-data folder permissions not being properly set. Copying the wrong MongoDB folder can cause a permission issue to occur. To resolve this, delete the mongo-data folder, recreate the folder, and copy data from the backup location.

Getting a Bad Gateway error when trying to access Netskope CE.

One possible reason for a Bad Gateway error is that the mongo-data directory has been removed or does not have enough permissions. To resolve the issue:

  1. Pull the latest changes from remote: $ git reset --hard HEAD && git pull
  2. Rerun the setup script: $ python3 setup

Getting a Bad Gateway error when updating the UI with an older version of docker-compose.

A Bad Gateway error appears because the maintenance password has not been set up; it is available in the latest version, but not in the old docker-compose version. To resolve this, do a git pull, then run the setup script with a maintenance password and restart CE.

Having an issue while checking podman-compose version. What should I do?

If you are having any issue while checking the installed podman-compose version, you can reinstall podman-compose by running the command below:
$ sudo pip3 install podman-compose

We use static DNS servers but CE uses rotating DNS services (i.e. non-static). What can I do?

CE is designed to leverage dynamically defined DNS due to limitations of docker-compose. If you wish to have CE utilize rotating DNS services, the resolv.conf file must be customized to eliminate references to corporate DNS servers and restored after every code upgrade.

To apply a workaround, follow the steps below:

  1. Copy the host’s /etc/resolv.conf file and create a new file (copy of /etc/resolv.conf) inside the data folder of ta_cloud_exchange.
  2. Open the copied resolv.conf file, remove the corporate nameservers (which are not required or desired), and add the static nameserver 10.89.0.1 that will be appended to the container.
  3. Mount the newly created resolv.conf file to the core container. Open the podman-compose.yml file and add this line inside the volumes section of the core service: ./data/resolv.conf:/etc/resolv.conf
  4. Bring down all the pods using the ./stop command and then start the pods again using the ./start command.

Note that you will need to maintain this resolv.conf file after every upgrade as the setup script will overwrite your changes.
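
Because the file has to be rebuilt and the mount re-checked after each upgrade, steps 1 to 3 can be scripted. This is an added example, not part of Cloud Exchange; the host file and compose text are constructed, the 192.0.2.x addresses stand in for corporate DNS servers, and the function names are hypothetical.

```python
STATIC_NS = "10.89.0.1"                        # nameserver from step 2
MOUNT = "./data/resolv.conf:/etc/resolv.conf"  # volumes entry from step 3

# Constructed host file; the 192.0.2.x servers stand in for corporate DNS.
SAMPLE_HOST_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 192.0.2.53
nameserver 192.0.2.54
options timeout:2
"""


def build_container_resolv_conf(host_conf, corporate, static_ns=STATIC_NS):
    """Return resolv.conf text for the core container.

    Drops every nameserver line that points at a corporate server, keeps
    all other lines, and makes sure the static nameserver appears exactly
    once, so running it on its own output changes nothing.
    """
    drop = {ns.strip() for ns in corporate}
    kept, has_static = [], False
    for line in host_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            if fields[1] in drop:
                continue
            if fields[1] == static_ns:
                if has_static:
                    continue
                has_static = True
        kept.append(line)
    if not has_static:
        kept.append(f"nameserver {static_ns}")
    return "\n".join(kept) + "\n"


def mount_missing(compose_text, mount=MOUNT):
    """Return True when no volumes entry in the compose text carries the mount.

    This is a plain text match: it cannot tell which service the entry
    belongs to, so confirm by eye that it sits under the core service.
    """
    for line in compose_text.splitlines():
        entry = line.strip().lstrip("-").strip().strip("'\"")
        if entry == mount or entry.startswith(mount + ":"):
            return False
    return True


if __name__ == "__main__":
    corporate = ["192.0.2.53", "192.0.2.54"]
    print(build_container_resolv_conf(SAMPLE_HOST_CONF, corporate), end="")
```

After an upgrade, `mount_missing` run over the compose file shows whether the setup script removed the volumes entry.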

Follow the steps below to upgrade and maintain your file:

  1. Use this command to forcefully reset all files on Git to HEAD: git reset --hard HEAD
  2. Upgrade the CE using traditional update instructions from the documentation.
  3. The resolv.conf file from the previous CE must be moved to the newly cloned repo if the customer is cloning the new repository. If not, there is no need to create or transfer the file because it has already been created.
  4. As described in the instructions for the workaround, now open the docker-compose.yml or podman-compose.yml file and mount the data directory’s resolv.conf file.
  5. Bring down all the containers and then start them again to reflect the changes.

Can having a proxy enabled while migrating from on-premises to the cloud cause problems?

If a proxy is enabled while migrating to cloud, “Connection time out” error messages appear in the logs. To avoid this error, remove the proxy from Cloud Exchange > Settings > Proxy, clear the data, and then save it.

If Netskope CE has stopped sending logs to SIEM or sharing indicators, and a WorkerLost error appears in the core container logs in an extra small stack, you need to restart Cloud Exchange.
  • For a Docker-based deployment:
    1. Retrieve the core container logs using this command:

      $ docker-compose logs core | grep WorkerLost

      If the logs containing WorkerLost appear around 5-6 times, this indicates there’s an issue. Restart the containers using these commands:

      $ ./stop
      $ ./start

  • For a Podman-based deployment:
    1. To access the core container logs, use this command:

      $ podman-compose logs core | grep WorkerLost

      If the logs containing WorkerLost appear around 5-6 times, this indicates there’s an issue. Restart the containers using these commands:

      $ ./stop
      $ ./start

Cloud Exchange Error Codes

These sections provide descriptions for the Cloud Exchange Platform and the Log Shipper, Ticket Orchestrator, Threat Exchange, and Risk Exchange modules.

Cloud Exchange Platform Error Codes

Error Code  Error message
CE_1000     Invalid request query parameter is provided: The query parameter needs to be only from “sso”, “slo”, “sls”, and “acs”. Any other request query parameter provided will throw this error.
CE_1001     Error occurred while processing the query: Any kind of error that has not been handled will be handled here. An example might be the Overflow Error when the integer value is too long.
CE_1002     Could not load the uploaded plugin: Will handle all HTTP Exceptions only.
CE_1003     Error occurred while checking for updates: Occurs when the docker credentials are wrong. Can also occur when there are Docker errors.
CE_1004     Error occurred while connecting to mongodb: Occurs during either 1) MongoDB container is down or 2) The MongoDB credentials are wrong.
CE_1005     Error occurred while checking for system updates: Occurs when there is an issue with credentials or there is a Docker error like DockerException("Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))").
CE_1006     Error occurred while checking for plugin updates: Occurs if there is a connection error to the repository or if there are not enough permissions.
CE_1007     Error occurred while cleaning up system logs: Occurs if Mongodb container might be down or if there is a connection error.
CE_1008     Error occurred while cleaning up tasks: Occurs if Mongodb container might be down or if there is a connection error.
CE_1009     Tenant with name <tenant_name> no longer exists: Occurs when the tenant has been deleted.
CE_1010     Error occurred while pulling alerts: Exceptions related to V2 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1011     Error occurred while pulling events: Exceptions related to V2 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1012     Error while loading plugin. Could not parse manifest: Occurs when the manifest.json provided is invalid.
CE_1013     Error occurred while importing plugin: Occurs when there are import, syntax, and library errors.
CE_1014     Error occurred while cloning plugin repo: Occurs when CE is not able to clone git repo due to connectivity or wrong credentials or incorrect repo.
CE_1015     Error occurred while importing mapping file: Occurs if there is a wrong key provided in mapping file or there is an invalid JSON file.
CE_1016     Error occurred while fetching updates for plugin repo: Occurs when CE is not able to connect to the remote repo because of reasons such as expired credentials or exceptions in the command git fetch.
CE_1017     Error occurred while parsing manifest.json for <package>: Occurs if and only if there is a JSON decode error during the parsing of manifest.json file.
CE_1018     Error occurred while updating origin for repo: Occurs if wrong repository credentials are provided or there are expired repo credentials or there is a connection error.
CE_1019     Could not find container with keywords <containers>: Occurs if CE is not able to find containers from client’s container list.
CE_1020     Error occurred while checking for updates for container <containers>: Occurs when CE is not able to pull the changes from the docker hub for the given image tag.
CE_1021     Error occurred while updating the containers: Occurs when watchtower container might be down or there is an invalid token due to which watchtower cannot be connected.
CE_1022     Error occurred while connecting to rabbitmq server: Occurs if CE cannot connect to the rabbitmq API.
CE_1023     Error occurred while sharing usage analytics with Netskope: Occurs due to mongodb error, key error or connection error.
CE_1024     Error occurred while validating v2 token: Exceptions related to V2 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1025     Error occurred while validating v1 token: Exceptions related to V1 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1026     Exception occurred while checking disk free alarm: Any exception that occurs while connecting to Rabbitmq API. There might be a connection error or sometimes even rabbitmq might be down.
CE_1027     Could not load the uploaded plugin: Will handle all exceptions and then proceeds to throw a 500 internal server error along with information about the exception caught.
CE_1028     Error occurred while checking for updates: Occurs during actually updating. This happens when the docker credentials are wrong. Can also occur when there are Docker errors.
CE_1029     Tenant with name <tenant_name> no longer exists: Occurs if a tenant is not found and CE is trying to pull alerts. Can happen if the tenant is deleted.
CE_1030     Tenant with name <tenant_name> no longer exists: Occurs if a tenant is not found and CE is trying to pull events. Can happen if the tenant is deleted.
CE_1031     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for V2 API. There are no exceptions, only the response status code is invalid.
CE_1032     Error occurred while pulling alerts: Any other exception for V2 API not handled before will be handled here.
CE_1033     Error occurred while pulling alerts: Exceptions related to V1 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1034     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for V1 API. There are no exceptions, only the response status code is invalid.
CE_1035     Error occurred while pulling alerts: Any other exception for V1 API not handled before will be handled here.
CE_1036     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for V2 API of events. There are no exceptions, only the response status code is invalid.
CE_1037     Error occurred while pulling events: Any other exception for V2 API not handled before will be handled here.
CE_1038     Error occurred while pulling events: Exceptions related to V1 API of Netskope like Max Retry Error or Connection, Proxy Error.
CE_1039     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for V1 API of events. There are no exceptions, only the response status code is invalid.
CE_1040     Error occurred while pulling events: Any other exception for V1 API not handled before will be handled here.
CE_1042     Error occurred while connecting to rabbitmq server: Any other exceptions not handled before will be handled here for rabbitmq API.
CE_1043     Error occurred while sharing usage analytics with Netskope: Occurs when the status code is not a success one for analytics.
CE_1044     Error occurred while validating v2 token: For V2 token, this error occurs when the response code is 403 which means the tenant name or the API token is incorrect.
CE_1045     Error occurred while validating v1 token: For V1 token, this occurs when the response code is 403 which means the tenant name or the API token is incorrect.
CE_1046     Exception occurred while checking disk free alarm: This error occurs when the status code is not a success one for the rabbitmq API.
CE_1047     Error occurred while processing the query: Any kind of error that has not been handled will be handled here. An example might be the OverflowError when the integer value is too long.
CE_1048     Error occurred while checking for updates: Occurs when the entered credentials are wrong.
CE_1049     The system’s compute is insufficient to manage the configured workload …: Happens when the CPU configured workload isn’t enough to run the plugins/tenants configured. Thus, need to reduce the CE plugin/tenant usage or increase the workload.
CE_1050     You’re running out of disk space…: This happens when the disk space is critically low. Thus, user will have to free up the disk space or provide additional disk space.
CE_1051     Error occurred while checking resources or physical disk space: Occurs when CE is not able to fetch details regarding physical disk space or CPU cores.
CE_1052     Error occurred while pulling events: Any exception not handled before will be handled here for events.
CE_1053     Error occurred while pulling events: Any exception for historical events will be handled here.
CE_1054     Error occurred while pulling events: Exceptions related to Historical iterator API like Max Retry Error or Connection, Proxy Error.
CE_1055     Error occurred while pulling events: Exceptions related to Historical iterator API like Max Retry Error or Connection, Proxy Error.
CE_1056     Error occurred while pulling events: Any exception for historical events will be handled here.
CE_1057     Error occurred while pulling events: Exceptions related to iterator API like Max Retry Error or Connection, Proxy Error.
CE_1058     Error occurred while pulling events: Exceptions related to iterator API like Max Retry Error or Connection, Proxy Error.
CE_1059     Error occurred while pulling events: Exceptions related to Iterator API like Max Retry Error or Connection, Proxy Error.
CE_1060     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for Iterator API of events. There are no exceptions, only the response status code is invalid.
CE_1061     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for historical iterator API of events. There are no exceptions, only the response status code is invalid.
CE_1062     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for historical iterator API of events. There are no exceptions, only the response status code is invalid.
CE_1063     Error occurred while pulling events: Occurs when the status code is not valid (not 200 or 201) for Iterator API of events. There are no exceptions, only the response status code is invalid.
CE_1064     Error occurred while pulling alerts: Exceptions related to iterator API like Max Retry Error or Connection, Proxy Error.
CE_1065     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for iterator API of alerts. There are no exceptions, only the response status code is invalid.
CE_1066     Error occurred while pulling alerts: Exceptions related to historical iterator API like Max Retry Error or Connection, Proxy Error.
CE_1067     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for historical iterator API of alerts. There are no exceptions, only the response status code is invalid.
CE_1068     Error occurred while pulling alerts: Any exception for historical events will be handled here.
CE_1069     Error occurred while pulling alerts: Exceptions related to historical iterator API like Max Retry Error or Connection, Proxy Error.
CE_1070     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for historical iterator API of alerts. There are no exceptions, only the response status code is invalid.
CE_1071     Error occurred while pulling alerts: Any exception for historical alerts will be handled here.
CE_1072     Error occurred while pulling alerts: Exceptions related to iterator API like Max Retry Error or Connection, Proxy Error.
CE_1073     Error occurred while pulling alerts: Occurs when the status code is not valid (not 200 or 201) for iterator API of alerts. There are no exceptions, only the response status code is invalid.
CE_1074     Error occurred while pulling alerts: Any exception for alerts will be handled here.
CE_1075     Error occurred while getting the running processes: Occurs if there is a problem while fetching the running processes.
CE_1076     Workers not deleted for tenant.
CE_1077     Workers not deleted for tenant.
CE_1078     Error occurred while checking worker for tenant: Any exception during subprocess handling will be caught here.
CE_1079     Error occurred while creating workers for tenant: Any exception during subprocess handling will be caught here.
CE_1080     Error occurred while pulling alerts: Any exception for alerts will be handled here.
CE_1126     Error occurred while connecting to MongoDB.
CE_1127     Error occurred while processing the response from RabbitMQ.
CE_1128     Error occurred while checking the CORE status for ‘{ip}’ node.
CE_1129     Error occurred while checking the UI status for ‘{ip}’ node.
CE_1129Error occurred while checking the UI status for ‘{ip}’ node.

Log Shipper Module Error Codes

| Error Code | Error message |
| --- | --- |
| CLS_1000 | Could not found attribute mapping with name {mapping_file}: Occurs if the mapping file is not found in the database. |
| CLS_1001 | Error occurred while validating configuration: Occurs if a validation error occurs for the plugin configuration parameters. |
| CLS_1002 | Business rule {rule.name} cannot be deleted: The default business rule can’t be deleted. |
| CLS_1003 | Error occurred while creating a new configuration (toast). Exception is logged as it is => General Exception: Occurs if a pymongo or scheduler error occurs while creating a new configuration. |
| CLS_1004 | CLS business rule {rule} may have been deleted: Occurs if someone deleted the business rule while parsing webtx. |
| CLS_1005 | Error occurred while ingesting [{data_type}][{sub_type}] data for configuration {configuration.name}. {retries_remaining} retries remaining. {repr(ex)}: Occurs while ingesting data in the CLS plugin. |
| CLS_1006 | Could not find the plugin with id='{destination.plugin}’: Occurs if the plugin does not exist in the container. |
| CLS_1007 | Could not find the mapping file {destination.attributeMapping} required for {destination.name}: Occurs if the mapping file does not exist during the transforming and ingest task. |
| CLS_1008 | Plugin {destination.plugin} has not implemented transform method: Occurs if the transform method is not implemented by a plugin. |
| CLS_1009 | Transformation of {len(data)} [{data_type}][{data_subtype}] for {destination.name} has failed with an exception: {repr(ex)}: Occurs if the plugin fails to transform a field; the plugin raises the respective error, which is caught here. |
| CLS_1010 | Business rule {rule} no longer exists: Occurs if someone deletes the SIEM while fetching historical data. |
| CLS_1011 | CLS configuration {source} no longer exists: Occurs if the source configuration is deleted by the user while fetching historical data. |
| CLS_1012 | CLS configuration {destination} no longer exists: Occurs if the destination configuration is deleted by the user while fetching historical data. |
| CLS_1013 | Historical alert pulling failed for the window {event_helper.start_time} UTC to {event_helper.end_time} UTC for {source.name} to {destination}, rule {rule.name}. Error: {err}: Occurs if manual sync is true and the historical alert task failed while pulling historical alerts. |
| CLS_1014 | Historical alert pulling failed for {source.name} to {destination}, rule {rule.name}. Error: {err}: Occurs if manual sync is false and the historical alert task failed while pulling historical alerts. |
| CLS_1015 | Netskope CLS Plugin: Validation error occurred. Error: Invalid alert_type found in the configuration parameters: Occurs if the alert type is invalid. |
| CLS_1016 | Netskope CLS Plugin: Validation error occurred. Error: Invalid event_type found in the configuration parameters: Occurs if the event type is invalid. |
| CLS_1017 | Netskope CLS Plugin: Validation error occurred. Error: Alert type, and Event type both can not be empty: Occurs if the alert type and event type are both empty. |
| CLS_1018 | Netskope CLS Plugin: Validation error occurred Error: Invalid hours provided: Occurs if the hours provided are invalid, such as negative or empty hours. |

Ticket Orchestrator Module Error Codes

| Error Code | Error message |
| --- | --- |
| CTO_1000 | Error occurred while processing the query. (Toast). Exception is logged as it is => Query error: Occurs if the user tries to filter alerts with invalid type/invalid attribute. |
| CTO_1001 | Could not find a configuration with name {name}: Occurs if the configured plugin does not exist in the database. |
| CTO_1002 | Plugin {configuration.plugin} does not implement the get_queues method: Occurs if the plugin does not have the get_queue() method. |
| CTO_1003 | Error occurred while fetching queues for configuration {configuration.name}. Exception is logged as it is. Error occured. Check logs: Occurs if the get_queue() method returns an unexpected result, such as not being able to fetch the queue from the plugin, an API error, or a max retry error. |
| CTO_1004 | Error occurred while getting available fields. Exception is logged as it is: Occurs if the plugin API’s return status code is not 200. |
| CTO_1005 | Error occurred while getting default mapping. Exception is logged as it is: Occurs if the plugin returns an invalid default mapping. |
| CTO_1006 | Exception occurred while executing validate for step {step}. Exception is logged as it is: Occurs when there is an error like authentication or params error. |
| CTO_1007 | Error occurred while getting fields. Check logs: If an API-related error occurs while fetching fields from the plugin APIs, it will be caught here. |
| CTO_1008 | Exception is logged as it is. Error occurred while processing the query: Occurs when a user tries to filter tasks with invalid type/invalid attribute. |
| CTO_1009 | Error occurred while cleaning up alerts/tasks/notifications. Exception is logged as it is: Occurs when a celery task is not able to delete task/alerts/notification, which can be due to MongoError or RabbitMQ error. |
| CTO_1010 | Ticket Orchestrator configuration {name} no longer exists: Occurs when a celery task is triggered but the configuration is deleted while pulling alerts in CTO. |
| CTO_1011 | Could not create/update task for alert with ID {alert.id} for configuration {configuration.name}. Exception is printed as it is: Occurs when a plugin is not able to generate/update tickets/incidents/notification because of an API-related error. For example: Could not create tasks attribute error or Could not create tasks connection error/proxyerror/general error. |
| CTO_1012 | Could not create tasks for the given alerts with configuration {configuration.name}. Plugin does not implement create_task method: Occurs if the plugin does not have the create_task() method. |
| CTO_1013 | Error occurred while creating tasks with configuration {configuration.name}. Exception is logged as it is: Any mongo error or plugin error will be caught here. |
| CTO_1014 | Business rule {rule} no longer exists: Occurs if a business rule is deleted from the UI while syncing the state of task statuses. |
| CTO_1015 | Could not pull alerts. Plugin with ID {configuration.plugin} does not exist: Occurs if someone deletes the plugin from the core container while pulling alerts from the plugin. |
| CTO_1016 | Could not pull alerts. Plugin does not implement pull_alerts method: Occurs if someone tries to pull alerts from a plugin that does not have the pull alerts method implemented. |
| CTO_1017 | Could not pull alerts. An exception occurred. Exception is logged as it is: General errors will be handled here. |
| CTO_1018 | Could not sync states. Plugin with ID {configuration.plugin} does not exist: Occurs if the configuration does not exist and the sync_state method is triggered. |
| CTO_1019 | Could not sync states. Plugin does not implement sync_states method: Occurs when the sync_states method is not implemented. |
| CTO_1020 | Could not sync states. An exception occurred. Exception is logged as it is: All the general errors coming from the plugin will be caught here. |
| CTO_1021 | Error occurred while getting fields from alert with id=<id>: Occurs when an exception is caught while getting fields from the alert. |
| CTO_1022 | Exception occurred while executing validate for step {step}. Exception is logged as it is: Occurs when there is an authentication/params error. |
| CTO_1024 | Error occurred while retrying ticket creation. Ticket Orchestrator business rule {rule} no longer exists. |
| CTO_1025 | Error occurred while retrying ticket creation. Queue for Ticket Orchestrator business rule {rule} no longer exists. |
| CTO_1026 | Error occurred while retrying ticket creation. Ticket Orchestrator configuration {configuration} no longer exists. |

Threat Exchange Module Error Codes

| Error Code | Error message |
| --- | --- |
| CTE_1000 | Could not store the indicator with value='{indicator.value}’: Occurs while updating indicators if an error occurred in the mongo update query. |
| CTE_1001 | Could not find the plugin with id='{configuration.plugin}’: Occurs if the plugin cannot be found by CE. |
| CTE_1002 | Pull method returned data with invalid datatype for plugin with id='{configuration_db.plugin}’: If returned indicators from plugin is not a valid list, None, or not an instance of Indicator Model, then this error can occur. |
| CTE_1003 | Pull method not implemented by plugin for configuration ‘{configuration_name}’: Occurs if the pull method is not implemented by the plugin while executing the plugin life cycle. |
| CTE_1004 | Error occurred while connecting to the database: In a mongo operation, there can be AuthenticationError, ConnectionError, etc. |
| CTE_1005 | Error occurred while executing the plugin lifecycle for configuration: If any exception occurs while pulling IOCs from plugins, it will be caught here. |
| CTE_1006 | Could not share indicators with configuration ‘{shared_with}’. Invalid return type: Can occur while pushing IOCs if the plugin returns an invalid model. |
| CTE_1007 | Could not share indicators with configuration ‘{shared_with}’. {push_result.message}: If pushResult is false, this error will occur. |
| CTE_1008 | Could not share indicators with configuration ‘{config}’; it does not exist.: Occurs if the target plugin does not exist. |
| CTE_1009 | Could not share indicators with configuration ‘{config}’; plugin with id='{configuration.plugin}’ does not exist: Occurs if the plugin cannot be found by its plugin id. |
| CTE_1010 | Could not share indicators with configuration ‘{configuration.name}’. Push method not implemented: Occurs when the push method is not implemented by the target plugin. |
| CTE_1011 | Error occurred while sharing indicators with configuration ‘{configuration.name}’: If any exception occurs while pushing indicators from the plugin, it will be caught here. |
| CTE_1012 | Error occurred while creating a new configuration: Occurs if a user tries to change the configuration model. |
| CTE_1013 | Error occurred while scheduling the configuration: Occurs if an exception is caught while scheduling periodic tasks. An example would be a PyMongo Error. |
| CTE_1014 | Error occurred while getting list of actions: Occurs when the plugin does not return the action list in the expected format. Thus we get action method return errors. |
| CTE_1015 | Error occurred while processing the query: While reading indicators, if there is any exception, it will be handled here. |
| CTE_1016 | Error occurred while checking urllist. |
| CTE_1017 | Error occurred while creating urllist. |
| CTE_1018 | Error occurred while appending URL list to Netskope. |
| CTE_1019 | Error while deploying changes. |
| CTE_1020 | Error occurred while pushing URL list to Netskope. |
| CTE_1021 | Plugin: Netskope – {tenant_name}, Exception occurred while pushing data to Netskope: Any exception not caught before will be handled here. |
| CTE_1023 | Plugin: Netskope Invalid value for ‘Type of Threat data to pull’ provided. Allowed values are Both, Malware, or URL: If the value of threat data to pull is not malware, url or both, then this error occurs. So it may occur when the user selects nothing. |
| CTE_1024 | Plugin: Netskope – {tenant_name}, Exception occurred while validating action parameters: Occurs when validation of action parameters is unsuccessful. |
| CTE_1025 | Error occurred while getting list of actions. Exception is logged as it is => General Exception. Could not get action list. Check logs: Occurs when there is an exception while getting the list of actions. Happens when the plugin does not return the action list in the expected format. CE returns action method return errors. |
| CTE_1026 | Error occurred while checking urllist: Occurs when the status code is not valid. |
| CTE_1027 | Error occurred while creating urllist: If any exception occurs, it will be handled here. |
| CTE_1028 | Error occurred while creating urllist: Occurs when the status code is not valid. |
| CTE_1029 | Error occurred while appending URL list to Netskope: If any exception occurs, it will be handled here. |
| CTE_1030 | Error occurred while appending URL list to Netskope: Occurs when the status code is not valid. |
| CTE_1031 | Error occurred while appending URL list to Netskope: If any exception occurs, it will be handled here. |
| CTE_1032 | Error occurred while appending URL list to Netskope: Occurs when the status code is not valid. |
| CTE_1033 | Error while deploying changes: Occurs when the status code is not valid. |
| CTE_1034 | Error occurred while pushing URL list to Netskope: Occurs when the status code is not valid. |
| CTE_1035 | Error while pushing file hash list to Netskope: Occurs when the status code is not valid. |
| CTE_1036 | Error while pushing file hash list to Netskope: Occurs when the status code is not valid. |

Risk Exchange Module Error Codes

| Error Code | Error message |
| --- | --- |
| CRE_1000 | Error occurred while validating configuration: Occurs while validating plugin configuration parameters if validation is unsuccessful. For example – Base URL is empty. |
| CRE_1001 | Error occurred while processing the query. Exception is logged as it is => Query error: Occurs while fetching action logs from the database if they are filtered with an invalid attribute. |
| CRE_1002 | Could not get action list. Check logs. Exception is logged as it is. Error occurred while getting list of actions: Occurs while fetching the action list from the CRE plugin. |
| CRE_1003 | Error occurred while processing the query. Exception is logged as it is => Query error: Occurs while filtering CRE logs. |
| CRE_1004 | Error occurred while processing the query. Exception is logged as it is => Query error: Occurs while fetching users from the database or filtering users if any wrong attribute is provided. |
| CRE_1005 | Error occurred while calculating aggregate normalized score. Exception is logged as it is: Occurs while calculating the normalized score for plugins if any error related to pymongo occurs. |
| CRE_1006 | Error occurred while cleaning up logs. Exception is logged as it is: Occurs while deleting CRE logs if any error related to pymongo occurs. |
| CRE_1007 | Execute action operation not implemented for configuration {configuration.name}: Occurs if the destination plugin does not have the execute_action() method while performing an action on a CRE user. |
| CRE_1008 | Error occurred while executing action for configuration {configuration.name}. Exception is logged as it is: Occurs if a destination plugin encounters any error while executing the execute_action() method, while performing an action on a CRE user. |
| CRE_1009 | Could not fetch scores from configuration {configuration.name}. Method not implemented: Occurs when the Fetch_score() method is not implemented. |
| CRE_1010 | Error occcurred while fetching scores from configuration {configuration.name}. Exception is logged as it is: Occurs if the API gives an unexpected error while fetching scores of a user in the plugin method. |
| CRE_1011 | Could not fetch records from configuration {configuration.name}. Method not implemented: Occurs if the API gives an unexpected error while fetching scores of a user in the plugin method. Occurs if the fetch_user() method is not implemented in the plugin. |
| CRE_1012 | Error occcurred while fetching records from configuration {configuration.name}. Exception is logged as it is: Occurs if the fetch_user() method returns an unexpected result, such as the API giving an internal server error. |
| CRE_1013 | Invalid value returned by plugin while fetching records from {configuration.name}: Occurs if the records returned from the plugin do not have datatype list. |
| CRE_1014 | Error occurred while fetching score for user: {record.uid}: Any exception caught during fetching scores will be handled here. |
| CRE_1015 | Error occurred while fetching groups: Any exception caught during fetching groups will be handled here. |
| CRE_1016 | Error occurred while fetching users: Any exception caught during fetching users will be handled here. |
| CRE_1017 | Error occurred while removing user from group: Any exception caught during removing user from group will be handled here. |
| CRE_1018 | Error occurred while adding user to group: Any exception caught during adding user to group will be handled here. |
| CRE_1019 | Error occurred while creating group: Any exception caught during creating a group will be handled here. |
| CRE_1020 | Error occurred while validating SCIM details: Any exception caught during validation of SCIM details will be handled here. |
| CRE_1021 | Error occurred while validating V2 API Token: Any exception caught during validating V2 API Token will be handled here. |
| CRE_1022 | Invalid SCIM Key provided: The SCIM Key provided is wrong as the status code is 401. |
| CRE_1023 | Invalid V2 API Token: The V2 API Token is wrong as the status code is 401. |
| CRE_1024 | Error in credentials(Forbidden user): The user is forbidden as credentials are wrong. |
| CRE_1025 | Netskope CRE: Could not validate SCIM details/V2 API Token. Status code: {groups.status_code}, Response: {groups.text}, Status code: {response.status_code}, Response: {response.text}: The SCIM details or V2 API Token is wrong. |
| CRE_1026 | Could not get action list. Check logs. Exception is logged as it is. Error occurred while getting list of actions. |
| CRE_1027 | Error occurred while fetching score for user: {record.uid}: Occurs while fetching scores, if the status code is not a success code. |
| CRE_1028 | Error occurred while fetching groups: While fetching groups, if the status code is not a success code, then this error will occur. |
| CRE_1029 | Error occurred while fetching users: While fetching users, if the status code is not a success code, then this error will occur. |
| CRE_1030 | Error occurred while removing user from group: While removing user from group, if the status code is not a success code, then this error will occur. |
| CRE_1031 | Error occurred while removing user from group: While removing user from group, if the status code is not a success code, then this error will occur. |
| CRE_1032 | Error occurred while creating group: While creating group, if the status code is not a success code, then this error will occur. |
| CRE_1033 | Error occurred while validating SCIM details: While validating SCIM details, if the status code is not a success code, then this error will occur. |
| CRE_1034 | Error occurred while validating V2 API Token: While validating V2 API Token, if the status code is not a success code, then this error will occur. |

Generate Diagnostic Logs

This section provides information about how to extract various logs required by the Support team before engaging in a troubleshooting call with them. Follow these steps to generate the Diagnostic logs.

  1. Go to your existing Cloud Exchange directory.
    $ cd netskope/ta_cloud_exchange
  2. Run the Diagnostic utility to generate a Diagnostic log zip file.
    $ sudo ./diagnose
  3. All the required logs will be gathered and added to a ZIP file named based on the current date and time (like Thu_Dec_15_12:06:45_IST_2022). Please attach this zip file to the Support ticket.
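
Before attaching the logs, it helps to tally which of the error codes listed above actually appear in them, and to single out the codes the Risk Exchange table ties to wrong or rejected credentials (CRE_1022 to CRE_1025). The following is an added example, not part of the Cloud Exchange tooling: the function names are hypothetical and the sample log lines are constructed, so only the code token itself is assumed to appear in real logs.

```python
import re
from collections import Counter

# Code prefixes as they appear in the error-code tables on this page.
MODULES = {
    "CE": "Cloud Exchange",
    "CLS": "Log Shipper",
    "CTO": "Ticket Orchestrator",
    "CTE": "Threat Exchange",
    "CRE": "Risk Exchange",
}

# Codes the tables describe as wrong or rejected credentials (401 / forbidden user).
AUTH_CODES = {"CRE_1022", "CRE_1023", "CRE_1024", "CRE_1025"}

# A code is PREFIX_dddd; the guards reject look-alikes such as XCE_1126 or CE_11260.
CODE_RE = re.compile(r"(?<![A-Za-z0-9_])(CE|CLS|CTO|CTE|CRE)_(\d{4})(?!\d)")


def summarize(lines):
    """Return (per-prefix Counter of codes, [(line_no, code)] for credential codes)."""
    by_module = {prefix: Counter() for prefix in MODULES}
    auth_hits = []
    for line_no, line in enumerate(lines, 1):
        for match in CODE_RE.finditer(line):
            code = match.group(0)
            by_module[match.group(1)][code] += 1
            if code in AUTH_CODES:
                auth_hits.append((line_no, code))
    return by_module, auth_hits


def report(lines):
    """Render the summary as text lines, most frequent code first per module."""
    by_module, auth_hits = summarize(lines)
    out = []
    for prefix, name in MODULES.items():
        for code, count in by_module[prefix].most_common():
            out.append(f"{name}: {code} x{count}")
    for line_no, code in auth_hits:
        out.append(f"credential failure {code} at line {line_no}")
    return out


# Constructed sample lines; the timestamp/level layout is an assumption, only
# the code token matters to the parser.
SAMPLE = """\
2022-12-15 06:36:01 ERROR CRE_1023 Invalid V2 API Token
2022-12-15 06:36:05 ERROR CE_1126 Error occurred while connecting to MongoDB.
2022-12-15 06:37:10 ERROR CRE_1023 Invalid V2 API Token
2022-12-15 06:38:44 ERROR CTE_1004 Error occurred while connecting to the database
2022-12-15 06:39:02 INFO Pulled 40 alerts
""".splitlines()

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Repeated CRE_1022 or CRE_1023 entries point at an expired or mistyped SCIM key or V2 API token rather than a platform fault, which is worth stating in the ticket.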