Solved

Netskope client SSL decryption issues

  • 7 June 2023
  • 4 replies
  • 227 views

Our Real-time protection policies are simple - block high risk websites, allow enterprise websites and alert uploads and downloads of social media. No NPA. We have multiple issues with traffic passing through Netskope SSL decryption.
 
A few issues we have noticed so far (in any browser: Firefox, Chrome, Edge or Tor):
- websites (with SSL decryption) intermittently fail to load (one day they work fine, the next day they don't, and the cycle repeats)
- websites (with SSL decryption) are extremely slow
- downloading objects like 200MB files takes a long time (minutes to hours)
- a few websites have their dynamic buttons disabled or not becoming live
- there are instances where the websites that failed don't show in debug logs, application & page events & alerts. Clearly killed by the Netskope client, but not logged or sent to the cloud. The websites work as soon as we mention them in SSL BYPASS.
 
Same sites with SSL bypass
- websites (with SSL bypass) are loading every time without intermittent issues
- websites (with SSL bypass) load faster every time
- downloading objects like 200MB files takes a few seconds
- websites having their dynamic buttons work as expected.
 
So, our current workaround is that if any Netskope client complains about a website, we add it to SSL bypass. However, it defeats the purpose of inspection because traffic left encrypted will not be further analyzed by Netskope. Important inspection and detection capabilities will not be useful. We have Netskope cases logged, but a clear cause hasn't been found yet.
 
We believe the Netskope client and cloud are rewriting headers and content, which causes overload, and minor delays are understandable. However, performance dropping by 10 times is not ideal. The admin guide and KBs don't mention or talk about throughput times or performance-improving features, unlike onsite appliances where a company can pick high-specification models for faster throughput and higher performance.
 
We are reaching out to the community to see if others have noticed these issues and how they overcame them instead of using SSL Bypass. Please share your ideas.

Best answer by Indu 23 June 2023, 08:47


4 replies

Seeing similar behavior, especially with Google Docs, that we just posted about. 


@Indu - So far I have not seen this behavior on our end. There is a KB article in Netskope that has a very good breakdown of how to approach troubleshooting performance-related issues. This will be a good start: pick an application and run some tests as per this KB article to see where the latency is.

 

https://support.netskope.com/s/article/Netskope-Performance-Troubleshooting-Guide

 

Also, check a few basic things: that the user is connected to the nearest POP, and that the Netskope client is updated to the latest stable golden release or current version, which will have fixes that might improve certain things. If you have remote access VPNs and on-prem firewall VPNs running in full tunnel mode, then ensure Netskope traffic is configured in split tunnel mode to connect directly to the web instead of going through the VPN tunnel. There is a chance the nearest POP had some outages or issues which might have had a temporary effect.

 

If everything looks good and you are still not sure, open a support ticket and escalate it to your TAM to get better support.

 

Thanks


Also, to add on, ensure you are using the DTLS tunnel for your client configurations.

 

https://docs.netskope.com/en/netskope-client-configuration.html#UUID-9f0bd5ec-2750-b8a4-9cfb-5d36a7ab5868_section-idm4622793005625632607891040957

Enabling the DTLS option supersedes the TLS (Transport Layer Security) tunnel for communication, thereby improving the network process. TCP inherently slows the overall flow performance if the network has high latency and packet drops. To overcome this issue, use the DTLS tunnel (UDP tunnel). To know the current protocol, click the Client icon > Configurations > Tunnel Protocol.


Thanks ark007 for your suggestions. We are already following the setup as per the KB. Using Digital Experience Management, we noticed that client to Netskope POP latency is OK, but Netskope POP to app latency is high. We are dealing with this with Netskope support.
