Troubleshooting IPsec tunnels
This troubleshooting information describes some typical problems that you might encounter when configuring and establishing your IPsec tunnels, and the suggested actions for resolving them.
Problem | Suggested action |
---|---|
Your tunnel cannot be established | On your Palo Alto device, navigate to to view the tunnel status. If the tunnel is down, check the settings for your tunnel against the supported settings and best practices. Check that the following items have been correctly configured in your device’s connection profile: Check that the device’s IKE ID and pre-shared key match those configured in the Forcepoint ONE SSE. |
Your tunnel is up, but traffic is not flowing through the tunnel | On your Palo Alto device, navigate to to view the tunnel status. If the tunnel is up: |
Your device has previously connected, but cannot re-establish the tunnel | Check the settings for your tunnel against the supported IPsec settings. In particular, check you are using supported DH group settings. When incorrectly set, these settings can cause problems at the renegotiation stage. Clear the IPsec security associations on your device, and attempt to re-establish the tunnel. Tip: While testing, temporarily set the Lifetime value for your connection to a low value (such as 10 minutes) to check whether the tunnel can successfully re-establish. Once the tunnel is re-establishing correctly, revert the lifetime to the recommended value. |
If you continue to have issues after checking all the items above, contact Forcepoint Technical Support.
Troubleshooting with HAR files
To help diagnose network issues, you can generate a .HAR (HTTP Archive) file to log your browser’s interaction with a particular website. HAR files can be generated using Google Chrome’s Developer Tools, as well as other software packages.
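A HAR capture records request and response headers, cookies and form bodies, so it usually contains live session credentials. The following added example (not part of the original documentation or of any Forcepoint tooling) masks those values and lists the requests that failed, using the standard HAR 1.2 JSON layout; the sample capture, host name and function names are constructed for illustration.

```python
import copy

# Header names whose values commonly carry credentials or session tokens.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
MASK = "[REDACTED]"


def redact_har(har):
    """Return a deep copy of a HAR dict with credential-bearing values masked."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        for msg in (entry["request"], entry["response"]):
            for header in msg.get("headers", []):
                if header["name"].lower() in SENSITIVE_HEADERS:
                    header["value"] = MASK
            for cookie in msg.get("cookies", []):
                cookie["value"] = MASK
        # Form bodies often contain passwords; drop them entirely.
        entry["request"].pop("postData", None)
    return out


def failed_requests(har):
    """List (url, status, wait_ms) for entries that failed or got no response."""
    rows = []
    for entry in har["log"]["entries"]:
        status = entry["response"]["status"]
        if status == 0 or status >= 400:  # 0 = browser received no response
            rows.append((entry["request"]["url"], status, entry.get("timings", {}).get("wait", -1)))
    return rows


# Constructed sample HAR (not captured from a real session).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://app.example.com/",
                 "headers": [{"name": "Cookie", "value": "sid=abc123"}],
                 "cookies": [{"name": "sid", "value": "abc123"}]},
     "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=def456"}], "cookies": []},
     "timings": {"wait": 42}},
    {"request": {"method": "POST", "url": "https://app.example.com/login",
                 "headers": [{"name": "Authorization", "value": "Bearer tok"}], "cookies": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "user=a&pass=b"}},
     "response": {"status": 0, "headers": [], "cookies": []},
     "timings": {"wait": -1}},
]}}

if __name__ == "__main__":
    print(failed_requests(redact_har(SAMPLE_HAR)))
```

URLs are left untouched, so tokens passed in query strings still need to be reviewed by hand before the file is shared.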