Troubleshooting IPsec tunnels

The troubleshooting information describes some typical problems that you might encounter in configuring and establishing your IPsec tunnels, and the suggested actions for how to resolve the problems.

Problem: Your tunnel cannot be established

Suggested action:

On your Palo Alto device, navigate to Network > IPsec Tunnels to view the tunnel status. If the tunnel is down, check the settings for your tunnel against the supported settings and best practices.

Check that the following items have been correctly configured in your device’s connection profile:

  • Tunnel destination address (Forcepoint ONE datacenter's FQDN or IP address)
  • Supported IPsec Settings
  • Pre-shared key

Check that the device’s IKE ID and pre-shared key match those configured in the Forcepoint ONE SSE.

Problem: Your tunnel is up, but traffic is not flowing through the tunnel

Suggested action:

On your Palo Alto device, navigate to Network > IPsec Tunnels to view the tunnel status. If the tunnel is up:

  • Verify that the tunnel connectivity monitoring address can be pinged via the tunnel.
  • Verify that the security zones are configured to allow traffic between the zones.
  • If the edge device supports issuing an HTTP request via a utility such as curl or Wget, check that you can successfully receive an HTTP response through the tunnel.
  • Capture traffic on the edge device and check whether the traffic is being routed through the tunnel.

Problem: Your device has previously connected, but cannot reestablish the tunnel

Suggested action:

Check the settings for your tunnel against the supported IPsec settings.

In particular, check that you are using supported DH group settings. When incorrectly set, these settings can cause problems at the renegotiation stage.

Clear the IPsec security associations on your device, and attempt to re-establish the tunnel.

Tip: While testing, temporarily set the Lifetime value for your connection to a low value (such as 10 minutes) to check whether the tunnel can successfully re-establish. Once the tunnel is re-establishing correctly, revert the lifetime to the recommended value.

If you continue to have issues after checking all the items above, contact Forcepoint Technical Support.

Troubleshooting with HAR files

To help diagnose network issues, you can generate a .HAR (HTTP Archive) file to log your browser’s interaction with a particular website. HAR files can be generated using Google Chrome’s Developer Tools, as well as other software packages.
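As an added example (not part of the Forcepoint documentation), the following Python script triages a HAR export: it loads the file, flags requests that received no response, an HTTP 4xx/5xx, or took longer than a threshold, and names the slowest timing phase so that a connection problem on the path can be told apart from a slow server. The embedded `SAMPLE_HAR` is a constructed HAR 1.2 document, and the function names are chosen here.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout (three entries; not a real capture).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"time": 120.0,
     "request": {"method": "GET", "url": "https://app.example.com/"},
     "response": {"status": 200, "statusText": "OK"},
     "timings": {"blocked": 1, "dns": 2, "connect": 20, "ssl": 15, "send": 0.5, "wait": 80, "receive": 1.5}},
    {"time": 30000.0,
     "request": {"method": "GET", "url": "https://api.example.com/v1/items"},
     "response": {"status": 0, "statusText": "", "_error": "net::ERR_CONNECTION_TIMED_OUT"},
     "timings": {"blocked": 0, "dns": 5, "connect": 29990, "ssl": -1, "send": 0, "wait": 0, "receive": 0}},
    {"time": 5200.0,
     "request": {"method": "POST", "url": "https://api.example.com/v1/login"},
     "response": {"status": 503, "statusText": "Service Unavailable"},
     "timings": {"blocked": 0, "dns": 0, "connect": 0, "ssl": -1, "send": 1, "wait": 5190, "receive": 9}},
]}})

def load_har(text):
    """Return the entries list of a HAR document after checking the minimal structure."""
    doc = json.loads(text)
    entries = doc.get("log", {}).get("entries")
    if not isinstance(entries, list):
        raise ValueError("not a HAR document: missing log.entries")
    return entries

def triage(entries, slow_ms=3000.0):
    """Flag entries with no response (status 0), an HTTP 4xx/5xx, or total time over slow_ms.
    Returns (host, method, url, reason) tuples in capture order."""
    findings = []
    for e in entries:
        resp, t = e.get("response", {}), e.get("timings", {})
        status, url = resp.get("status", 0), e["request"]["url"]
        reasons = []
        if status == 0:
            reasons.append("no response: " + resp.get("_error", "unknown"))
        elif status >= 400:
            reasons.append(f"HTTP {status}")
        if e.get("time", 0) >= slow_ms:
            # Slowest phase: a long connect points at the path (e.g. the tunnel), a long wait at the server.
            # HAR uses -1 for phases that did not apply, so those are skipped.
            phase = max((k for k in ("dns", "connect", "ssl", "wait") if t.get(k, -1) >= 0),
                        key=lambda k: t[k], default="unknown")
            reasons.append(f"slow ({e['time']:.0f} ms, mostly {phase})")
        if reasons:
            findings.append((urlsplit(url).hostname or "?", e["request"]["method"], url, "; ".join(reasons)))
    return findings

def hosts_with_problems(findings):
    """Count findings per host so that a single failing destination stands out."""
    return Counter(f[0] for f in findings)
```

Run `triage(load_har(open("capture.har").read()))` against a real export; a capture where every flagged entry is stuck in the connect phase for one host is a path problem to check against the tunnel checklist above, while long waits with a successful connect point at the far-end service.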