Network diagnostics


This topic describes how to use the network diagnostics feature of Private Access.

How it works

The network diagnostics feature verifies the connection between your enterprise network and your office applications through the SASE cluster. It provides a visual representation of the network path, which you can use with corresponding error messages to troubleshoot connection issues.

You can run two types of diagnostics:

  • End-to-end diagnostics: Checks network connectivity from a logged-in SASE client on an employee's terminal to an office application's origin server through a SASE cluster POP.

  • Application diagnostics: Checks only the network connectivity between a SASE cluster POP and an office application's origin server.

Prerequisites

Create a diagnostics task

  1. Log on to the Secure Access Service Edge console.

  2. In the left-side navigation pane, choose Private Access > Network Diagnostics.

  3. On the Network Diagnostics page, click Create Task. In the Create Diagnostics Task panel, configure the following parameters:

    Parameter

    Description

    Task type

    Select the diagnostic type that best suits your business requirements:

    • End-to-end diagnostics: Diagnoses the full network path from an employee's terminal to the origin server.

    • Application diagnostics: Diagnoses only the connection between a SASE cluster POP and the origin server. Security baselines from zero trust policies do not apply to application diagnostics.

    Task object

    Specify the user and application to diagnose.

    • A specific device or a user group

      For end-to-end diagnostics, you must select a specific employee's device.

      For application diagnostics, you must select a user group. This is because application policies are applied at the user group level.

    • Application protocol: The supported application protocols are TCP and UDP.

    • Application address

      If you select UDP for the application protocol, you can configure a Probe Request and Response in addition to the application address and port. This verifies that data packets are delivered to the origin server and that the server returns the expected response. If you do not specify a probe request, SASE sends a default request. If you do not specify a response, any reply from the server is considered successful.

    Access point

    Select a SASE cluster POP. To reduce network latency, select the POP that is geographically closest to your origin server.

    For end-to-end diagnostics, Automatic Selection is supported. For application diagnostics, you must manually specify a POP.

  4. Click OK to create and automatically run the diagnostics task.
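The UDP probe rules described under Application address (a default request when none is given, any reply accepted when no response is given) can be reproduced locally to check a request/response pair before entering it in the console. This is an added example, not part of the SASE product or its documentation; `DEFAULT_PROBE`, the byte-for-byte comparison, and the loopback sample server are assumptions.

```python
import socket
import threading

# Assumption: the page does not document the default probe payload SASE
# sends; this placeholder stands in for it.
DEFAULT_PROBE = b"sase-probe"


def udp_probe(host, port, request=None, expected=None, timeout=1.0):
    """Send one UDP probe and return (ok, detail).

    request=None  -> send DEFAULT_PROBE
    expected=None -> any reply counts as success
    Assumption: a configured response must match the reply byte for byte.
    """
    payload = DEFAULT_PROBE if request is None else request
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        # connect() filters out datagrams from other peers and lets the OS
        # report ICMP port-unreachable as a ConnectionError subclass.
        sock.connect((host, port))
        try:
            sock.send(payload)
            reply = sock.recv(65535)
        except socket.timeout:
            return False, "no reply before timeout"
        except ConnectionError:
            return False, "port unreachable"
    if expected is not None and reply != expected:
        return False, f"unexpected reply {reply!r}"
    return True, f"reply {reply!r}"


def start_sample_server(replies):
    """Constructed loopback UDP service: answers each request found in
    `replies` (dict of request -> reply), stays silent otherwise.
    Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve():
        while True:
            data, peer = srv.recvfrom(65535)
            if data in replies:
                srv.sendto(replies[data], peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

A timeout on UDP does not distinguish a dropped packet from a service that ignores the request, which is why configuring an explicit probe request that the origin server is known to answer gives a more reliable result.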

View diagnostics results

  1. After the task is complete, click View in the Actions column to view the diagnostics results.

    The diagnostics results display the network path as a visual, end-to-end diagram. The path shows the following nodes: Client (username, IP address, and carrier information), POP Node (node address, DNS server, and resolution result), ENI Egress (IP address, VPC ID, and region), and Origin Server (address and VPC ID). The latency between each node is displayed in milliseconds (ms). The task list includes the Dispatch Time, User Configuration, Application Address, Task Type, Task Status, and Actions columns. You can filter tasks by task type or username.

  2. If a connection issue exists, use the visual path and error messages to diagnose and resolve the problem.

    The diagnostics results show the connectivity status and latency between each node (source node, SASE cluster POP, public egress, and origin server) in a visual topology diagram. If a path segment is abnormal, the corresponding connection line turns into a red dashed line and displays an error icon. An error message, such as "Target server is unreachable, please check your network or server status", is displayed at the top of the page. This helps you identify that the fault occurred between the public egress and the origin server, allowing you to perform targeted troubleshooting.

  3. After you resolve the issue, you can click Retry in the Actions column to run the diagnostics again.

Delete a diagnostics task

To delete a diagnostics task you no longer need, click Delete in the Actions column.

Important

Deleted task data cannot be restored. Proceed with caution.