Secure Access Service Edge:Secure Access Service Edge:Use the network diagnostics feature

How it works

Two diagnostic types are available:

• End-to-end diagnostics: checks connectivity between office terminals and origin servers through the SASE POP cluster.

  End-to-end diagnostics requires the SASE client (V4.4.1 or later) to be installed and logged in on the user's office terminal. Connections are established through POPs in the SASE cluster.

  

• Application diagnostics: checks connectivity between the SASE POP cluster and origin servers only, without involving the client.

  Security baselines configured in the zero trust policy do not take effect during application diagnostics.

  

Prerequisites

Before you begin, make sure that:

• The SASE client installed on office terminals is V4.4.1 or later

• Connectivity is set up based on your deployment. See one of the following topics:

  • Business resources deployed in VPCs that are not connected to CEN

  • Business resources deployed in VPCs that are connected to CEN

  • Use a SASE connector

  • Use other Alibaba Cloud network instances

• Office applications are added to SASE. See Add an office application to SASE

• A zero trust policy is configured. See Configure a zero trust policy

Create a diagnostics task

1. Log on to the SASE console.

2. In the left-side navigation pane, choose Private Access > Network Diagnostics.

3. On the Network Diagnostics page, click Create Task.

4. In the Create Diagnostics Task panel, configure the following parameters.

   Parameter	Description
   Task type	Select End-to-end Diagnostics or Application Diagnostics.
   Task object	For end-to-end diagnostics: select a specific device for the target user. For application diagnostics: select a user group, because application policies are delivered at the user group level.
   Application protocol	Select TCP or UDP.
   Application address	For UDP: specify the IP address and port number of the application. Optionally, configure Probe Request and Response to verify that data packets reach the origin servers and return the expected response. If Probe Request is not configured, SASE sends a preset request automatically. If Response is not configured, any response is accepted.
   Access point	Select a POP in the SASE cluster. Select the POP nearest to the origin servers or business servers to reduce network latency. For end-to-end diagnostics, the default is Automatic Selection. For application diagnostics, select a POP from the drop-down list.

5. Click OK. The task is created and runs automatically.

View diagnostics results

1. After the task completes, find the task in the list and click View in the Actions column.

   

2. Review the diagnostics results. The results page displays a link diagram and network issue descriptions.

   Data	Description
   Link diagram	Visual representation of the network path through the SASE POP, with each segment marked as normal or abnormal.
   Network issue description	Text description of detected issues on each abnormal segment, to help you identify where connectivity breaks down.

3. If the connection is abnormal, use the link diagram and issue descriptions to identify the problem segment, then resolve the issue at that layer.

   

4. After resolving the issues, click Retry in the Actions column to run the task again.

Delete a diagnostics task

Find the task and click Delete in the Actions column.