Troubleshooting

The following table lists some problems that may be encountered in configuring and establishing your tunnel, with some suggested actions.

Problem

Suggested actions

The GRE tunnel cannot be established

Check the settings for your tunnel against the recommended settings in the Configuration steps and Example device configuration sections.

Check the tunnel interface status.

For Cisco devices, use the command: show interfaces tunnel <tunnel_id>

For Juniper SRX, use the command: show interface gr-<interface_id>

Check whether you can ping the Forcepoint point of presence IP address from your firewall or router.

If yes, check whether you can ping the destination (PoP) inner tunnel address from your edge device.

If you cannot ping these addresses, ensure the expected GRE packets are leaving your edge device.

Check whether you can send a simple HTTP request and receive a response. Check whether you can send an HTTPS request and receive a response.

If not, ensure the expected GRE packets are leaving your edge device.

Check that IP protocol 47 (GRE) is enabled in your network.

If the edge device performing GRE encapsulation is behind another firewall, check that GRE packets are leaving the egress firewall and that outbound NAT is being performed.

If not, modify the firewall's rules to allow GRE traffic to be passed through, and to perform outbound NAT processing.

After performing these checks, if you have determined that GRE packets are successfully leaving your firewall or router, but no response is being received, contact Technical Support.

The GRE tunnel is established, but traffic is not flowing

Check that the TCP Maximum Segment Size (MSS) setting on your edge device is appropriate for your network configuration. Use the appropriate "show interface" command for your device to find the current MSS setting. For more information on MSS settings, see Maximum segment size (MSS).

Check that policy-based routing (PBR) is attached to the ingress interface and is configured to allow port 80/443 traffic through the GRE tunnel.

Check the tunnel status in the cloud portal, on the Web > Device Management page. This page gives an indication of the visibility of your tunnels to the cloud service.

Your tunnel has successfully established, but your policy settings are not being applied

Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.

When browsing via HTTPS, the user receives a message saying that the connection was reset, or the site unexpectedly closed the connection

Check that the Forcepoint root CA has been imported to the user's browser.

When NTLM is enabled, the user receives an authentication prompt

Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.

Check your NTLM settings. See Configure browsers for NTLM identification.

Ensure that your directory synchronization has successfully imported users and groups.

Block pages are not displaying for HTTPS sites

Ensure you have checked the Use certificate to serve notifications for HTTPS pages in the cloud portal, on the Web > Block & Notification Pages page, under Settings.

See Enable notification pages for HTTPS sites.

If you continue to have issues after checking the items above, please contact Technical Support.

Troubleshooting with HAR files

To help diagnose network issues, you can generate a HAR (HTTP Archive) file to log your browser's interaction with a particular website. HAR files can be generated using Google Chrome's Developer Tools, as well as other software packages.