Troubleshoot the Global Secure Access client: Advanced diagnostics
This document provides troubleshooting guidance for the Global Secure Access client. It explores each tab of the Advanced diagnostics utility.
Introduction
The Global Secure Access client runs in the background and routes relevant network traffic to Global Secure Access. It doesn't require user interaction. The advanced diagnostics tool makes the client's behavior visible to the administrator and helps with troubleshooting.
Launch the advanced diagnostics tool
To launch the advanced diagnostics tool:
- Right-click the Global Secure Access client icon in the system tray.
- Select Advanced Diagnostics. If enabled, User Account Control (UAC) prompts for elevation of privileges.
Overview tab
The advanced diagnostics Overview tab shows general configuration details about the Global Secure Access client:
- Username: The Microsoft Entra user principal name of the user who authenticated to the client.
- Device ID: The ID of the device in Microsoft Entra. The device must be joined to the tenant.
- Tenant ID: The ID of the tenant that the client points to, which is the same tenant the device is joined to.
- Forwarding Profile ID: The ID of the forwarding profile currently in use by the client.
- Forwarding Profile last checked: The time when the client last checked for an updated forwarding profile.
- Client version: The version of the Global Secure Access client that is currently installed on the device.
Health check tab
The Health check tab executes common tests to verify that the client works correctly and that its components are running. For deeper coverage of the Health check tab, see Troubleshoot the Global Secure Access client: Health check tab.
Forwarding profile tab
The Forwarding profile tab shows the list of current, active rules that are set for the forwarding profile. The tab contains the following information:
- Forwarding profile ID: The ID of the forwarding profile currently in use by the client.
- Forwarding profile last checked: The time when the client last checked for an updated forwarding profile.
- Refresh details: Select to reload the forwarding data from the client's cache (in case it was updated since the last refresh).
- Policy tester: Select to show the active rule for a connection to a specific destination.
- Add filter: Select to set filters to see only a subset of the rules according to a specific set of filter properties.
- Columns: Select to choose the columns to display in the table.
The rules section shows the list of rules grouped by each workload (M365 rules, Private access rules, Internet access rules). This list only includes rules for the workloads activated in your tenant.
Tip
If a rule contains several destinations, such as a fully qualified domain name (FQDN) or an IP range, the rule will span several rows, with one row for each destination.
For each rule, the available columns include:
- Priority: The priority of the rule. Rules with higher priority (smaller numerical value) take precedence over rules with lower priority.
- Destination (IP/FQDN): The destination of the traffic by FQDN or by IP.
- Protocol: The network protocol for the traffic: TCP or UDP.
- Port: The destination port of the traffic.
- Action: The action that the client takes when outgoing traffic from the device matches the destination, protocol, and port. The supported actions are tunnel (route to Global Secure Access) or bypass (go directly to the destination).
- Hardening: The action when traffic should be tunneled (routed to Global Secure Access) but the connection to the cloud service fails. The supported hardening actions are block (drop the connection) or bypass (let the connection go directly to the network).
- Rule ID: The unique identifier of the rule in the forwarding profile.
- Application ID: The ID of the private application associated with the rule. This column is relevant only for private applications.
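As an added example (not part of this article or of the client itself), the following PowerShell script reproduces what the Policy tester does against a constructed rule set: of the rules that match the destination, protocol and port, the one with the smallest priority value wins, and the script also shows the hardening fallback that applies to a tunnel rule when the service is unreachable. The rule values, the CIDR and wildcard destination formats, the port-list format and the hardening semantics are assumptions drawn from the column descriptions above.

```powershell
# Constructed sample rules shaped like the Forwarding profile tab columns (not a real profile export).
$rules = @(
    @{ Priority = 100; Destination = '*.sharepoint.com';       Protocol = 'TCP'; Port = '443';     Action = 'tunnel'; Hardening = 'block';  RuleId = 'rule-m365-1' }
    @{ Priority = 200; Destination = '10.20.0.0/16';           Protocol = 'TCP'; Port = '1-65535'; Action = 'tunnel'; Hardening = 'block';  RuleId = 'rule-private-1' }
    @{ Priority = 300; Destination = 'intranet.contoso.local'; Protocol = 'TCP'; Port = '443';     Action = 'tunnel'; Hardening = 'bypass'; RuleId = 'rule-private-2' }
    @{ Priority = 900; Destination = '0.0.0.0/0';              Protocol = 'TCP'; Port = '80,443';  Action = 'bypass'; Hardening = 'bypass'; RuleId = 'rule-internet-1' }
)

function ConvertTo-IPv4Int([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function Test-DestinationMatch([string]$Spec, [string]$Destination) {
    if ($Spec -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {
        $network = $Matches[1]; $bits = [int]$Matches[2]
        # IP range rule (assumed CIDR format): only a literal IPv4 destination can match; compare network prefixes.
        if ($Destination -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }
        $mask = (4294967295 -shl (32 - $bits)) -band 4294967295   # int64 arithmetic avoids signed 32-bit surprises
        return ((ConvertTo-IPv4Int $Destination) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
    }
    # FQDN rule: an exact name, or a wildcard such as *.sharepoint.com covering its subdomains.
    return $Destination -like $Spec
}

function Test-PortMatch([string]$Spec, [int]$Port) {
    # Assumed port format: comma-separated list of single ports and low-high ranges.
    foreach ($part in ($Spec -split ',')) {
        if ($part -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ([int]$part -eq $Port) { return $true }
    }
    return $false
}

# Like the Policy tester: of all rules matching destination, protocol and port, the smallest Priority value wins.
function Get-ActiveRule([array]$Rules, [string]$Destination, [string]$Protocol, [int]$Port) {
    $Rules | Where-Object { $_.Protocol -eq $Protocol -and (Test-PortMatch $_.Port $Port) -and (Test-DestinationMatch $_.Destination $Destination) } |
        Sort-Object { $_.Priority } | Select-Object -First 1
}

# Assumed hardening semantics, per the Hardening column: a tunnel rule falls back to its Hardening action when the service is unreachable.
function Get-EffectiveAction($Rule, [bool]$ServiceReachable) {
    if ($null -eq $Rule) { return 'no matching rule' }
    if ($Rule.Action -eq 'tunnel' -and -not $ServiceReachable) { return "$($Rule.Hardening) (hardening)" }
    return $Rule.Action
}

foreach ($case in @(@{ D = 'contoso.sharepoint.com'; P = 443 }, @{ D = '10.20.5.7'; P = 3389 }, @{ D = 'intranet.contoso.local'; P = 443 }, @{ D = '203.0.113.10'; P = 443 }, @{ D = '203.0.113.10'; P = 3389 })) {
    $rule = Get-ActiveRule $rules $case.D 'TCP' $case.P
    '{0}:{1} -> {2}; service reachable: {3}; service unreachable: {4}' -f $case.D, $case.P, $(if ($rule) { $rule.RuleId } else { 'none' }), (Get-EffectiveAction $rule $true), (Get-EffectiveAction $rule $false)
}
```

Comparing the script's answer with the Policy tester's for the same destination is a quick way to confirm which rule, and therefore which hardening behavior, a user's traffic actually falls under.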
Hostname acquisition tab
The Hostname acquisition tab allows for the collection of a live list of client-acquired hostnames, based on the FQDN rules in the forwarding profile. Each hostname is shown in a new row.
- Start collecting: Select to begin the live collection of acquired hostnames.
- Export CSV: Select to export the list of acquired hostnames to a CSV file.
- Clear table: Select to clear the acquired hostnames displayed in the table.
- Add filter: Select to set filters to see only a subset of the acquired hostnames according to a specific set of filter properties.
- Columns: Select to choose the columns to display in the table.
For each hostname, the available columns include:
- Timestamp: The date and time of each FQDN hostname acquisition.
- FQDN: The FQDN of the acquired hostname.
- Generated IP address: The IP address generated by the client for internal purposes. This IP is shown in the Traffic tab for connections that are established to the corresponding FQDN.
- Acquired: Shows Yes or No to indicate if an FQDN matches a rule in the forwarding profile.
- Original IP address: The first IPv4 address in the DNS response for the FQDN query. If the end-user device DNS server doesn’t return an IPv4 address for the query, the original IP address column shows a blank value.
Traffic tab
The Traffic tab allows for the collection of a live list of connections opened by the device, based on the rules in the forwarding profile. Each connection is shown in a new row.
- Start collecting: Select to begin the live collection of connections.
- Export CSV: Select to export the list of connections to a CSV file.
- Clear table: Select to clear the connections displayed in the table.
- Add filter: Select to set filters to see only a subset of the connections according to a specific set of filter properties.
- Columns: Select to choose the columns to display in the table.
For each connection, the available columns include:
- Timestamp begin: The time when the operating system opened the connection.
- Timestamp end: The time when the operating system closed the connection.
- Connection status: Indicates whether the connection is still active or is already closed.
- Protocol: The network protocol for the connection; either TCP or UDP.
- Destination FQDN: The destination FQDN for the connection.
- Source port: The source port for the connection.
- Destination IP: The destination IP for the connection.
- Destination port: The destination port for the connection.
- Correlation vector ID: A unique ID attributed to each connection that can be correlated with Global Secure Access traffic logs in the portal. Microsoft Support can also use this ID to investigate internal logs related to a specific connection.
- Process name: The name of the process that opened the connection.
- Process ID: The ID number for the process that opened the connection.
- Bytes sent: The number of bytes sent from the device to the destination.
- Bytes received: The number of bytes received by the device from the destination.
- Channel: The channel to which the connection was tunneled; can be Microsoft 365, Private Access, or Internet Access.
- Flow ID: The internal ID number for the connection.
- Rule ID: The identifier for the forwarding profile rule used to determine the actions for this connection.
- Action: The action that was taken for this connection; possible actions are:
  - Tunnel: The client tunneled the connection to the Global Secure Access service in the cloud.
  - Bypass: The connection goes directly to the destination through the device's network with no intervention by the client.
  - Block: The client blocked the connection (only possible in Hardening mode).
- Hardening: Indicates whether hardening was applied to this connection; can be Yes or No. Hardening applies when the Global Secure Access service isn't reachable from the device.
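The following PowerShell script is an added example, not part of this article, that works through a constructed Traffic tab export: it isolates the connections where hardening was applied (which bracket the period in which the client could not reach the service) together with their correlation vector IDs for lookup in the portal traffic logs, and then totals the bytes per channel. The CSV headers are assumed to match the column names above; the rows are constructed sample data.

```powershell
# Constructed sample export; headers are assumed to match the Traffic tab column names (not a real client export).
$csv = @'
Timestamp begin,Connection status,Protocol,Destination FQDN,Destination IP,Destination port,Correlation vector ID,Process name,Process ID,Bytes sent,Bytes received,Channel,Rule ID,Action,Hardening
2024-05-01T09:00:01,Closed,TCP,contoso.sharepoint.com,52.0.0.10,443,cv-0001,OUTLOOK.EXE,4120,18234,920311,Microsoft 365,rule-m365-1,Tunnel,No
2024-05-01T09:00:05,Closed,TCP,intranet.contoso.local,10.20.5.7,443,cv-0002,msedge.exe,5310,2210,48800,Private Access,rule-private-2,Tunnel,No
2024-05-01T09:12:40,Closed,TCP,intranet.contoso.local,10.20.5.7,443,cv-0003,msedge.exe,5310,0,0,Private Access,rule-private-2,Block,Yes
2024-05-01T09:12:41,Closed,TCP,contoso.sharepoint.com,52.0.0.10,443,cv-0004,OUTLOOK.EXE,4120,0,0,Microsoft 365,rule-m365-1,Block,Yes
2024-05-01T09:13:02,Active,TCP,update.example.net,203.0.113.10,443,cv-0005,svchost.exe,1204,5100,77000,,rule-internet-1,Bypass,No
'@
$conns = $csv | ConvertFrom-Csv

# Connections where hardening was applied: the client could not reach the service at that moment.
function Get-HardenedConnections($Connections) {
    @($Connections | Where-Object Hardening -eq 'Yes' | Sort-Object 'Timestamp begin')
}

$hardened = Get-HardenedConnections $conns
"Hardening applied to $($hardened.Count) of $(@($conns).Count) connections, first seen at $($hardened[0].'Timestamp begin')"
# The correlation vector ID is the value to quote when looking a flow up in the portal traffic logs or with support.
$hardened | Select-Object 'Timestamp begin', 'Process name', 'Destination FQDN', 'Rule ID', Action, 'Correlation vector ID' | Format-Table -AutoSize

# Volume per channel; a blank Channel means the connection was bypassed rather than tunneled.
function Get-ChannelSummary($Connections) {
    $Connections | Group-Object Channel | ForEach-Object {
        [pscustomobject]@{
            Channel       = $(if ($_.Name) { $_.Name } else { '(bypassed)' })
            Connections   = $_.Count
            BytesSent     = ($_.Group | Measure-Object -Property 'Bytes sent' -Sum).Sum
            BytesReceived = ($_.Group | Measure-Object -Property 'Bytes received' -Sum).Sum
        }
    }
}
Get-ChannelSummary $conns | Format-Table -AutoSize
```

To run it against a real export, replace the here-string with Import-Csv on the file produced by Export CSV.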
Advanced log collection tab
The Advanced log collection tab allows for the collection of verbose logs of the client, the operating system, and the network traffic during a specific period. The logs are archived to a ZIP file that can be sent to the administrator or Microsoft Support for investigation.
- Start recording: Select to begin recording the verbose logs. Reproduce the issue while the recording runs. If you can't reproduce the issue at will, instruct users to collect logs for as long as needed until the issue reappears. The log collection includes several hours of Global Secure Access activity.
- Stop recording: After reproducing the issue, select this button to stop the recording and save the collected logs to a ZIP file. Share the ZIP file with support for troubleshooting assistance.
When you stop advanced log collection, the folder that contains the log files opens. By default, this folder is C:\Program Files\Global Secure Access Client\Logs. The folder contains a zip file and two event trace log (ETL) files. If needed, you can remove the zip files after the issue is resolved; however, leave the ETL files in place. They're circular logs, and removing them can cause problems with future log collection.
The following files are collected:
File | Description
---|---
Application-Crash.evtx | Application log filtered by event ID 1001. This log is useful when services are crashing.
BindingNetworkDrivers.txt | Result of "Get-NetAdapterBinding -AllBindings -IncludeHidden" showing all the modules bound to network adapters. This output is useful to identify whether non-Microsoft drivers are bound to the network stack.
ClientChecker.log | Results of the Global Secure Access client health checks. These results are easier to analyze if you load the zip file in the Global Secure Access client (see [Analyze Global Secure Access client logs on a different device than where they were collected](troubleshoot-global-secure-access-client-advanced-diagnostics.md#analyze-global-secure-access-client-logs-on-a-different-device-than-where-they-were-collected)).
DeviceInformation.log | Environment variables including OS version and Global Secure Access client version.
dsregcmd.txt | Output of dsregcmd /status showing device state including Microsoft Entra joined, hybrid joined, PRT details, and Windows Hello for Business details.
filterDriver.txt | Windows Filtering Platform filters.
ForwardingProfile.json | The JSON policy that was delivered to the Global Secure Access client. It includes the Global Secure Access service edge IP address that your Global Secure Access client connects to (*.globalsecureaccess.microsoft.com) as well as the forwarding profile rules.
GlobalSecureAccess-Boot-Trace.etl | Global Secure Access client debug logging.
GlobalSecureAccess-Trace.etl | Global Secure Access client debug logging.
Multiple .reg files | Global Secure Access client registry exports.
hosts | Hosts file.
installedPrograms.txt | Windows installed apps, which can be useful to understand what might be causing issues.
ipconfig.txt | ipconfig /all output including the IP address and DNS servers that have been assigned to the device.
Kerberos_info.txt | Output of klist, klist tgt, and klist cloud_debug. This output is useful for troubleshooting Kerberos issues, and SSO with Windows Hello for Business.
LogsCollectorLog.log and LogsCollectorLog.log.x | Logs for the log collector process itself. These logs are useful if you're having issues with Global Secure Access log collection.
Multiple .evtx | Exports of multiple Windows event logs.
NetworkInformation.log | Output of route print, the Name Resolution Policy Table (NRPT), and latency results for the Global Secure Access connectivity test. This output is useful to troubleshoot NRPT issues.
RunningProcesses.log | Running processes.
systeminfo.txt | System information including hardware, OS versions, and patches.
systemWideProxy.txt | Output of netsh winhttp show proxy.
userConfiguredProxy | Output of proxy settings in the registry.
userSessions.txt | User session list.
DNSClient.etl | DNS client logs. These logs are useful for diagnosing DNS resolution issues. Open them with Event Viewer, or filter to the specific names of interest with PowerShell: Get-WinEvent -Path .\DNSClient.etl -Oldest \| where Message -Match "<replace with name/FQDN>" \| Out-GridView
InternetDebug.etl | Logs collected using "netsh trace start scenario=internetClient_dbg capture=yes persistent=yes".
NetworkTrace.etl | Network capture taken with pktmon.
NetworkTrace.pcap | Network capture including traffic inside the tunnel.
NetworkTrace.txt | Pktmon trace in text format.
wfplog.cab | Windows Filtering Platform logs.
Useful Network Traffic Analyzer filters
In some instances, you might need to investigate traffic inside the Global Secure Access service tunnel. A network capture taken on the device shows only the encrypted tunnel traffic. Instead, load the NetworkTrace.pcap file created by Global Secure Access advanced log collection, which includes the traffic inside the tunnel, into a network traffic analyzer.
Analyze Global Secure Access client logs on a different device than where they were collected
In many cases, you might need to analyze the data that your users collected, using your own device. To do so, open the Global Secure Access client on your device, open the Advanced diagnostics tool, and then select the folder icon at the far right of the menu bar. From there, browse to the zip file or the GlobalSecureAccess-Trace.etl file. Loading the zip file also loads the tenant ID, device ID, client version, health check results, and forwarding profile rules, as if you were troubleshooting locally on the device where the data was collected.