The NPA Troubleshooter Tool

The NPA Troubleshooter Tool

Using the Troubleshooter Tool involves:

Finding Errors with the Troubleshooter Tool

NPA provides a troubleshooting tool in the UI to help you resolve connection issues.

  1. Log into the Netskope UI at <tenantname>.goskope.com if your tenant is hosted in the US. If not, use:
    • <tenantname>.eu.goskope.com if your tenant is in the E.U.
    • <tenantname>.de.goskope.com if your tenant is in Germany.
  2. In the Netskope UI, go to Settings > Security Cloud Platform > Custom Apps > Private Apps.
  3. Select the private app, the user, or the device that is having the issue, and then click Troubleshooter.
    TroubleShooterButton.png

    The Troubleshooter dialog shows the private app, steering configuration, Client, policy, and Publisher information. Click Troubleshoot.

    NPAtroubleshooter.png

    The Troubleshooter dialog changes to show status of the private app, steering configuration, Client, policy, and Publishers.

    NPA-Troubleshooter2.png
  4. Fix any components that do not show a green status check mark using the suggested methods in the next section.

Troubleshooting Errors with the Netskope UI

Here are methods for fixing errors found by the Troubleshooter.

Tip

The Troubleshooter results provide links to the Netskope UI pages where configuration changes can be made to fix errors. For example, under Configuration, clicking Default tenant config opens the Default Tenant Configuration page.

Client is Disabled

Make sure the Client is enabled on the Troubleshooter page.

Under User & Client, if the Client is disabled, click device details in the Troubleshooter dialog to open the Devices details, and then click Enable.

NPAclientDetails.png

The Steering Configuration does not have Private Apps Enabled

Enable Private Apps in the steering configuration.

  1. Determine which steering configuration the user is in. Have the user right-click their Netskope Client icon in the system tray on their device (if you are displaying it) and select Configuration.

    Otherwise, jump to the next step to go to the Steering Configuration page (Settings > Security Cloud Platform > Steering Configuration), and select the Steering Configuration based on the OU or Group that user is a member of.

    In this case, the user is in the Default tenant config group.

    NPAclientConfig.png
  2. In the Netskope UI (Settings > Security Cloud Platform > Steering Configuration), click on the name of the Steering Configuration the user is part of, like Default tenant config.
    image15.png
  3. Click the pencil icon to configure the steering configuration.
    image16.png
  4. Make sure Steer all Private Apps is enabled. If not, enable it and then click Done.
    image17.png

The Real-time Protection Policy does not Allow Access

Review the policy and ensure it is set to Allow.

Tip

Inline Policies are now called Real-time Protection policies.

  1. Go to Settings >Policies >Real-time Protection and verify the policy Action is Allow.
    image18.png
  2. If it is not set to Allow, click on the name of the policy and change the Action from Block to Allow.
    image19.png

There is no Real-time Protection Policy Hit

There is no Real-time Protection policy that matches the user/user group/device classification/OS; Private Access implicitly denies access when there is no matching policy.

This could be because a user matches by group and OS to a policy, but doesn’t match by your device classification, or the user’s AD groups may have changed, and now a user doesn’t match by user group.

The User Account was Deleted

Create a new account for the user to allow access to private apps.

The User is Associated with Multiple Accounts. Only the First Mapped Account will have Access to the App

Contact Netskope support if you believe there is an error.

Each Netskope user can have one or more Enterprise accounts (synced from AD or SCIM). By default, there should be only one, and Netskope only looks at that one account. Sometimes users have multiple accounts. This is especially problematic if one account is disabled and another is enabled.

User is Disabled

Suggestion: Enable the user through Active Directory or via SCIM.

The Client Version is Outdated

The Client version needs to release 70 or later.

Updates, which are available from the support site, can be pushed out via software distribution tools like SCCM. Updates can also be controlled in the Netskope UI (Settings > Real-time Protection > Devices). Click Client Configuration.

image20.png

Enable Upgrade clients automatically to update an outdated Client version.

Important

Enabling Upgrade clients automatically will affect all devices in a particular Client Configuration. You may need to review this change with additional team members before upgrading a large number of Clients.

After changing this setting, click Save.

image21.png

Private Access is not Enrolled in the Client

Contact Netskope Support if you believe this is the error.

A Publisher is not Configured for an App

Check to ensure a Publisher is set up for a private app.

  1. Go to Settings > Security Cloud Platform > Custom Apps > Private App. Click the menu icon MenuIcon.png to edit the app.
    image22.png
  2. Click in the Publisher text field and select the correct Publisher for the app and click Save.
    image23.png
  3. The Reachable status should turn from a red X to a green checkmark. It may take a minute or two for the status to change.
    image24.png

Real-time Policy Size (SRP Size)

Check the SRP Size to ensure it is not excessively large.

Important

The Netskope Client will not setup an NPA tunnel if the user’s SRP is > 40 MB.
Review the best practice guide to reduce the size of the user’s SRP.

If these configurations cannot be optimized, please reach out to Netskope Support for additional assistance.

Application Specification Count

Application specifications for the user is the count corresponding to the number (#) of host definitions – 7.

NPAtroubleshooter2.png
Share this Doc

The NPA Troubleshooter Tool

Or copy link

In this topic ...