Mac OS Ethernet Dongles and Netskope

  • 18 October 2023
  • 9 replies
  • 187 views

Userlevel 2
Badge +6

Hi Folks,

We have a few users that have real difficulty with reestablishing connectivity via netskope when their macs come out of sleep/hibernate. The common thread between them is that they are also using dongles with ethernet connections to the internet. 

One fix that appears to help some users is turning off IPV6 ( changing to link-local) on any ethernet dongle that is attached. 

Curious if others are seeing this issue. 
Thanks!


9 replies

Userlevel 4
Badge +12

What version are the NSAgents? We dealt with these issues but way back around R105/106. We had to do a global JAMF disable of IPv6 at one point.

Userlevel 2
Badge +6

Were using latest 109, this issue appeared to be a problem in 108 as well when we deployed NS in org. 

Userlevel 4
Badge +12

Our org is predominantly Macintosh (thousands and thousands) and we haven't seen any of these issues since R105/106. Is anything in the logs?

Userlevel 2
Badge +6

Stuff like this:
2023/10/18 10:48:21.862277 stAgentNE p434 t53767 critical nsDNSProcessor.cpp:149 dnsProcessor Failed to get DNS resolver values
2023/10/18 10:48:21.993231 stAgentNE p434 t16007 info networkMonitor.cpp:358 networkMonitor New Network Change event received
2023/10/18 10:48:21.994177 stAgentNE p434 t16007 info networkMonitor.cpp:337 networkMonitor Best route interface new ip 0.0.0.0

Netskope support is blaming the dongles, but there are no issues with NS is disabled. 


Userlevel 4
Badge +12

You don't happen to also use a VPN software like Global Protect/Any Connect do you?

Userlevel 2
Badge +6

We use a version of openVPN (Pritunl). But we have at least 2 users that don't use it and are still having same issue.   The VPN client is bypassed per NS recommendations. 

Userlevel 2
Badge +6

Curious, are you still actively shutting off ipv6 via JAMF on your fleet?

Badge +7

@mdmeow12123 am only disabling IPv6 on specific clients when DNS failures occur. It seems to only affect those clients using a public IPv6 address (starts with 2001:xxxx) and with some ISP's or some Android phone hotspots. For these reasons, we have not disabled IPv6 for everyone. Also, this was only reported for our Windows clients. 

Badge +5

Why did you ask if they were using a VPN such as GlobalProtect/AnyConnect?  Is there something that is conflicting between the two?

 

Reply