Troubleshooting
The following table lists some problems that may be encountered in configuring and establishing your tunnel, with some suggested actions.
Problem: The GRE tunnel cannot be established
Suggested actions:
Check the settings for your tunnel against the recommended settings in the Configuration steps and Example device configuration sections.
Check the tunnel interface status.
For Cisco devices, use the command:
show interfaces tunnel <tunnel_id>
For Juniper SRX, use the command:
show interface gr-<interface_id>
Check whether you can ping the Forcepoint point of presence IP address from your firewall or router.
If yes, check whether you can ping the destination (PoP) inner tunnel address from your edge device.
If you cannot ping these addresses, ensure the expected GRE packets are leaving your edge device.
Check whether you can send a simple HTTP request and receive a response. Check whether you can send an HTTPS request and receive a response.
If not, ensure the expected GRE packets are leaving your edge device.
Check that IP protocol 47 (GRE) is enabled in your network.
If the edge device performing GRE encapsulation is behind another firewall, check that GRE packets are leaving the egress firewall and that outbound NAT is being performed.
If not, modify the firewall's rules to allow GRE traffic to be passed through, and to perform outbound NAT processing.
After performing these checks, if you have determined that GRE packets are successfully leaving your firewall or router, but no response is being received, contact Technical Support.
Problem: The GRE tunnel is established, but traffic is not flowing
Suggested actions:
Check that the TCP Maximum Segment Size (MSS) setting on your edge device is appropriate for your network configuration. Use the appropriate "show interface" command for your device to find the current MSS setting. For more information on MSS settings, see Maximum segment size (MSS).
Check that policy-based routing (PBR) is attached to the ingress interface and is configured to allow port 80/443 traffic through the GRE tunnel.
Check the tunnel status in the cloud portal, on the Web > Device Management page. This page gives an indication of the visibility of your tunnels to the cloud service.
Problem: Your tunnel has successfully established, but your policy settings are not being applied
Suggested actions:
Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.
Problem: When browsing via HTTPS, the user receives a message saying that the connection was reset, or the site unexpectedly closed the connection
Suggested actions:
Check that the Forcepoint root CA has been imported to the user's browser.
Problem: When NTLM is enabled, the user receives an authentication prompt
Suggested actions:
Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.
Check your NTLM settings. See Configure browsers for NTLM identification.
Ensure that your directory synchronization has successfully imported users and groups.
Problem: Block pages are not displaying for HTTPS sites
Suggested actions:
Ensure you have checked the Use certificate to serve notifications for HTTPS pages option in the cloud portal, on the Web > Block & Notification Pages page, under Settings.
See Enable notification pages for HTTPS sites.
If you continue to have issues after checking the items above, please contact Technical Support.
Troubleshooting with HAR files
To help diagnose network issues, you can generate a HAR (HTTP Archive) file to log your browser's interaction with a particular website. HAR files can be generated using Google Chrome's Developer Tools, as well as other software packages.
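A HAR export records full request and response headers, cookies and bodies, so it is worth stripping credentials before the file leaves your machine. The following is an added example, not Forcepoint code: the function names and the sample HAR are constructed for illustration. It redacts a HAR and lists the requests that failed.

```python
import copy
import json

# Headers whose values are credentials or session tokens.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

def redact_har(har):
    """Return a copy of a HAR dict with credentials and bodies removed."""
    clean = copy.deepcopy(har)
    for entry in clean["log"]["entries"]:
        for msg in (entry["request"], entry["response"]):
            for header in msg.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = "REDACTED"
            for cookie in msg.get("cookies", []):
                cookie["value"] = "REDACTED"
        entry["request"].pop("postData", None)  # form bodies may hold passwords
        entry["response"].get("content", {}).pop("text", None)  # page bodies
    return clean

def failed_requests(har):
    """Return (url, status, error) for entries that failed or were refused."""
    failures = []
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        # Chrome exports a failed connection (for example a reset) as status 0
        # with the reason in the non-standard "_error" field.
        if resp.get("status", 0) == 0 or resp["status"] >= 400:
            failures.append((entry["request"]["url"], resp.get("status", 0),
                             resp.get("_error", "")))
    return failures

# Constructed sample: one successful request and one reset HTTPS connection.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"url": "http://example.com/", "cookies": [
        {"name": "sid", "value": "abc123"}], "headers": [
        {"name": "Proxy-Authorization", "value": "Basic dXNlcjpwYXNz"}]},
     "response": {"status": 200, "cookies": [], "headers": [
        {"name": "Set-Cookie", "value": "sid=abc123"}],
        "content": {"mimeType": "text/html", "text": "<html>ok</html>"}}},
    {"request": {"url": "https://example.com/login", "cookies": [],
                 "headers": [], "postData": {"text": "user=a&password=b"}},
     "response": {"status": 0, "cookies": [], "headers": [], "content": {},
                  "_error": "net::ERR_CONNECTION_RESET"}},
]}}

if __name__ == "__main__":
    clean = redact_har(SAMPLE_HAR)
    print(json.dumps(failed_requests(clean), indent=2))
```

URLs are left intact so the failing site can still be identified; check them by hand for tokens carried in query strings.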
Copyright 2022 Forcepoint. All rights reserved.