Netskope Community
-
Forums
ProductsCommunity Resources
-
Learn
Education, Training, Certification, and Thought LeadershipCommunity Resources
-
Groups
Community GroupsCommunity Resources
-
Events
Community Resources
- Support
- Netskope Community
- Products
- Private Access
- NPA and SSH/SCP Error
NPA and SSH/SCP Error
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-10-2023 08:45 AM - edited 08-10-2023 08:46 AM
I have a private app configured to allow port 22 and users are able to use SSH and SCP successfully. Users are observing an intermittent issue when trying to SSH/SCP into the app and getting this error:
kex_exchange_identification: Connection closed by remote host Connection closed by 191.1.1.3 port 22
This error prevents user from starting a new SSH/SCP session, but all existing SSH/SCP sessions are fine when this error occurs. Usually if user retry's ssh after a while, the error goes away.
Is there any kind of SSH connection limiting in the NS Client or Publisher?
- Labels:
-
NPA
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-10-2023 09:37 AM - edited 08-10-2023 09:39 AM
I don't believe there is any limit within NPA itself to the number of SSH or other connection types. I'm wondering if the end application itself has a limit on the number of connections from a single host which could cause the behavior you're seeing. You could validate by taking a packet capture on the Publisher itself. If the reset is seen there from the remote host then that tells you that it's from the app itself rather than anything in NPA. One way you could also test or further validate this if you can't get details from the application administrator is to add additional Publishers to the app definition so connections will be load balanced meaning less connections from individual IP addresses. Just ensure that the additional Publishers can resolve the hostname and route/reach the IP address of the app.
Sam Shiflett
Netskope Solution Architect - North America
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-14-2023 08:16 AM - edited 08-14-2023 08:17 AM
HI, we have 8 dedicated SSH Publishers already, so I don't think thats the issue. I am in the process of trying to enable packet capture on one of the them for troubleshooting. Also, I am trying to see if they have a load balancer in front of the apps and get the SSH logs from the app server itself. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-14-2023 09:17 AM
Additionally, this issue occurs due to a large number of SCP sessions being established by individual users and movement of large files up and down. I am researching whether the OSX file descriptor setting is set too low. Not sure what this setting is exactly since there is limited info talking about it.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- NPA and DNS resolution issues in Private Access for ZTNA
- Email DLP flow in Data Loss Prevention (DLP)
- O365 Reverse proxy - how to exclude Windows365 in Next Gen Secure Web Gateway (SWG)
- Netskope Client Installation on Windows Server 2016 in Next Gen Secure Web Gateway (SWG)
- AWS CLI SSL Certificate Errors on macOS in Next Gen Secure Web Gateway (SWG)
-
NPA
45 -
ztna
15 -
private access
14 -
publisher
9 -
Netskope Private Access
7 -
netskope client
6 -
Private App
5 -
NSClient
4 -
Private Apps
3 -
Browser Access
3 -
Re-authentication for Private Apps
3 -
Zero Trust
3 -
MacOS
3 -
SAML
2 -
sso
2 -
Client
2 -
okta
2 -
Private App Discovery
2 -
clientless
2 -
Authentication
2 -
client update
2 -
browser
2 -
DNS Resolver
2 -
AWS
2 -
Network Privete Access
2 -
multi tags for NPA apps
2 -
Config Update
1 -
ps-tip
1 -
fleet
1 -
ipsec
1 -
IDP
1 -
SCCM
1 -
App Discovery
1 -
Policy Hit Count
1 -
Threat Protection
1 -
User Group
1 -
Real-time Policy
1 -
Netskope Endpoint Client
1 -
Prelogon
1 -
PQDN
1 -
best practice
1 -
tunnel
1 -
Azure PaaS
1 -
FQDN
1 -
domain
1 -
Azure AD
1 -
file size
1 -
Support
1 -
Chrome
1 -
jamf
1 -
VPN Client
1 -
EC2
1 -
same access
1 -
Reverse Proxy
1 -
configuration
1 -
Auto Scaling
1 -
Home Office
1 -
Events
1 -
Netskope Agent
1 -
Home Access
1 -
update
1 -
APIv2
1 -
Preference VPN
1 -
DNS over TCP
1 -
Azure
1 -
SSL bypass
1 -
Preference NPA
1 -
install
1 -
Script
1 -
CASB
1 -
multi-user mode
1 -
CIDR
1 -
Automation
1 -
Pre-login
1 -
Best Practices
1 -
overlap
1 -
jumpcloud
1 -
CRL
1 -
NG-SWG
1 -
CIDR Overlap
1 -
traffic steering
1 -
PreLogon Tunnel
1
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below
Sign In