Netskope NCCSA NSK101 Question # 36 Topic 4 Discussion

To monitor IPsec tunnels to a Netskope data plane, it is essential to ensure the stability and responsiveness of the tunnels. The recommended steps involve enabling monitoring mechanisms that detect and respond to tunnel failures. Here’s a detailed explanation of the two recommended steps:

Enable IKE Dead Peer Detection (DPD) for each tunnel:

Explanation: IKE Dead Peer Detection (DPD) is a method used to detect if the peer (remote endpoint of the tunnel) is no longer available or reachable. By enabling DPD, the device can automatically detect and tear down the IPsec tunnel if the peer does not respond, allowing for quick re-establishment of the tunnel if needed.

Implementation: Configure DPD in the IPsec settings of the perimeter device. This ensures that if the Netskope data plane is unreachable, the tunnel is automatically terminated and re-negotiated.

Send ICMP requests to the Netskope location's Probe IP:

Explanation: Sending ICMP requests (ping) to the Netskope location's Probe IP helps in monitoring the availability and latency of the connection to the Netskope data plane. If the ICMP requests fail, it indicates a potential issue with the connectivity.

Implementation: Set up regular ICMP requests (ping) from the perimeter device to the Netskope Probe IPs. This allows for continuous monitoring of the tunnel’s health and immediate detection of connectivity issues.

References:

REST API v2 Overview - Netskope Knowledge Portal

Using the REST API v2 dataexport Iterator Endpoints - Netskope Knowledge Portal

Using the REST API v2 UCI Impact Endpoints - Netskope Knowledge Portal