This article provides instructions to configure Netskope steered traffic to go directly to the Netskope cloud without traversing the full VPN tunnel.
You must add exceptions to your Netskope steering configuration to bypass VPN traffic. To learn more, see Exception Configuration for VPN Applications.
- Netskope Client 188.8.131.525
- Cisco AnyConnect 4.10.05111 or higher
- macOS 10.15 (Catalina)
Interoperability Configuration Requirements
When deploying Netskope Client along with a 3rd party VPN app, we recommend the following configuration changes in both the VPN client and the Netskope Tenant. These changes ensure that the Client and the VPN app can operate together without conflicts.
While working on the macOS performance improvement using the enableMacPerformance feature flag, Netskope observed an interoperability issue with Cisco AnyConnect in full-tunnel mode. To address this, when the Client tunnel is established, a probe process starts within three seconds to detect AnyConnect full-tunnel mode. If the probe is unsuccessful, the Client switches to lwip (the method used prior to the enableMacPerformance flag) and generates a “tunnel down due to error” event. If this occurs, the Client might disconnect and reconnect intermittently for 10-20 seconds. As a workaround, Netskope recommends adding the macOS Client VIF IP range (100.127.100.0/24) to the Cisco AnyConnect split-tunnel exclusion list.
Configuring Cisco AnyConnect for Netskope Client
We recommend the following configuration changes in Cisco AnyConnect so that Client traffic to the Netskope Cloud bypasses the VPN tunnel.
- SSH into the Cisco ASA (Adaptive Security Appliance) and enter configuration mode.
- Copy the following ACL entries and note the ACL name; you will reference it in the group policy.
access-list Netskope_NewEdge_Exclusions standard deny 184.108.40.206 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 220.127.116.11 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 18.104.22.168 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 22.214.171.124 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 126.96.36.199 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 188.8.131.52 255.255.128.0
access-list Netskope_NewEdge_Exclusions standard deny 184.108.40.206 255.255.128.0
access-list Netskope_NewEdge_Exclusions standard deny 220.127.116.11 255.255.255.255
access-list Netskope_NewEdge_Exclusions standard deny 18.104.22.168 255.255.255.255
While still in configuration mode, create a group policy and assign the exclusion ACL as its split-tunnel network list.
- Enter the following command:
group-policy grouppolicyname attributes
- At the group-policy prompt, assign the exclusion ACL to the split-tunnel policy:
split-tunnel-network-list value Netskope_NewEdge_Exclusions
- Write the changes to memory.
Configuring Netskope Client for Cisco AnyConnect
To allow 3rd party apps to co-exist with Netskope Client, we recommend adding Destination Location exceptions to your steering configurations. To learn more about adding exceptions, see the Exception Configuration for VPN Applications article.
To verify that Netskope Client can send traffic directly to the Netskope Cloud, check the routing table in the AnyConnect client. A successful configuration shows a routing table similar to the following example screenshot.
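The ASA steps above and the routing-table verification here both come down to one question: is every range the Client needs (at minimum the 100.127.100.0/24 VIF range named earlier) fully covered by an exclusion entry? The Python script below is an added example, not part of this article and not Netskope or Cisco tooling. It parses standard ASA ACL lines into networks, reports which required ranges are not covered by the named exclusion ACL, and applies the same coverage check to a list of non-secured routes copied from the AnyConnect client. The ACL lines and route list in it are constructed samples (documentation ranges 203.0.113.0/24, 198.51.100.10 and 198.18.0.0/17 stand in for Netskope data-plane addresses); substitute your tenant's actual ranges.

```python
import ipaddress
import re

# Constructed sample ASA configuration (not the article's ACL). 100.127.100.0/24 is the
# macOS Client VIF range from the article; the other entries are documentation-range
# placeholders standing in for Netskope data-plane addresses.
SAMPLE_ASA_CONFIG = """
access-list Netskope_NewEdge_Exclusions standard deny 100.127.100.0 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny 203.0.113.0 255.255.255.0
access-list Netskope_NewEdge_Exclusions standard deny host 198.51.100.10
access-list Netskope_NewEdge_Exclusions standard deny 198.18.0.0 255.255.128.0
"""

# Standard ACE syntax: "access-list NAME standard {permit|deny} {host A.B.C.D | A.B.C.D MASK}"
_ACE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+standard\s+(?P<action>permit|deny)\s+"
    r"(?:host\s+(?P<host>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+))\s*$"
)


def parse_standard_acl(config_text):
    """Return {acl_name: [IPv4Network, ...]} for every standard ACE in the text.

    Lines that are not standard ACEs are ignored. A dotted netmask is accepted
    directly by ipaddress; strict=False masks off any host bits, as the ASA does.
    """
    acls = {}
    for line in config_text.splitlines():
        m = _ACE.match(line.strip())
        if not m:
            continue
        if m.group("host"):
            net = ipaddress.ip_network(m.group("host") + "/32")
        else:
            net = ipaddress.ip_network(
                f"{m.group('ip')}/{m.group('mask')}", strict=False
            )
        acls.setdefault(m.group("name"), []).append(net)
    return acls


def uncovered(required, excluded_nets):
    """Return the required ranges that are not fully inside some excluded entry."""
    return [r for r in required if not any(r.subnet_of(e) for e in excluded_nets)]


def check_exclusions(config_text, acl_name, required_cidrs):
    """Check that the named split-tunnel ACL covers every required range."""
    acls = parse_standard_acl(config_text)
    if acl_name not in acls:
        return {"acl_found": False, "missing": list(required_cidrs)}
    required = [ipaddress.ip_network(c) for c in required_cidrs]
    missing = uncovered(required, acls[acl_name])
    return {"acl_found": True, "missing": [str(n) for n in missing]}


def verify_non_secured_routes(route_strings, required_cidrs):
    """Apply the same coverage check to routes read from the AnyConnect client.

    route_strings are "network/mask" entries as a user would copy them from the
    client's non-secured route list (constructed input in this example).
    """
    routes = [ipaddress.ip_network(r, strict=False) for r in route_strings]
    required = [ipaddress.ip_network(c) for c in required_cidrs]
    return [str(n) for n in uncovered(required, routes)]


if __name__ == "__main__":
    # Required ranges: the VIF range from the article plus a constructed PoP range.
    required = ["100.127.100.0/24", "203.0.113.0/25", "192.0.2.0/24"]
    print(check_exclusions(SAMPLE_ASA_CONFIG, "Netskope_NewEdge_Exclusions", required))
    # Constructed non-secured route list as copied from the AnyConnect client.
    client_routes = ["100.127.100.0/255.255.255.0"]
    print(verify_non_secured_routes(client_routes, ["100.127.100.0/24", "203.0.113.0/24"]))
```

Run it against a `show running-config access-list` capture and your tenant's address list; a non-empty `missing` list means traffic to those ranges will still be pulled into the full tunnel, which is exactly the condition that makes the Client's AnyConnect probe fail and fall back to lwip.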