Troubleshooting

The following table lists some problems that may be encountered in configuring and establishing your tunnel, with some suggested actions.

Problem Suggested actions

The GRE tunnel cannot be established

Problem	Suggested actions
The GRE tunnel cannot be established	Check the settings for your tunnel against the Forcepoint ONE SSE tunnel info and edge device configurations. Check the tunnel interface status using the `show interface tunnel <tunnel_id>` command. Check whether you can send a simple HTTP request and receive a response. Check whether you can send an HTTPS request and receive a response. If not, ensure the expected GRE packets are leaving your edge device. Check that IP protocol 47 (GRE) is enabled in your network. If the edge device performing GRE encapsulation is behind another firewall, check that GRE packets are leaving the egress firewall and that outbound NAT is being performed. If not, modify the firewall’s rules to allow GRE traffic to be passed through, and to perform outbound NAT processing. After performing these checks, if you have determined that GRE packets are successfully leaving your firewall or router, but no response is being received, contact Forcepoint Technical Support.
The GRE tunnel is established, but traffic is not flowing	Check that the TCP Maximum Segment Size (MSS) setting on your edge device is appropriate for your network configuration. Use the appropriate `show interface` command for your device to find the current MSS setting. Check that policy-based routing (PBR) is attached to the ingress interface and is configured to allow traffic through the GRE tunnel. Check the tunnel status in the Forcepoint ONE SSE portal under Analyze > Tunnels page. This page gives an indication of the visibility of your tunnels to the service.

Check the settings for your tunnel against the Forcepoint ONE SSE tunnel info and edge device configurations.
Check the tunnel interface status using the show interface tunnel <tunnel_id> command.
Check whether you can send a simple HTTP request and receive a response. Check whether you can send an HTTPS request and receive a response.
If not, ensure the expected GRE packets are leaving your edge device.
Check that IP protocol 47 (GRE) is enabled in your network.
If the edge device performing GRE encapsulation is behind another firewall, check that GRE packets are leaving the egress firewall and that outbound NAT is being performed. If not, modify the firewall’s rules to allow GRE traffic to be passed through, and to perform outbound NAT processing.

After performing these checks, if you have determined that GRE packets are successfully leaving your firewall or router, but no response is being received, contact Forcepoint Technical Support.

The GRE tunnel is established, but traffic is not flowing

Check that the TCP Maximum Segment Size (MSS) setting on your edge device is appropriate for your network configuration. Use the appropriate show interface command for your device to find the current MSS setting.
Check that policy-based routing (PBR) is attached to the ingress interface and is configured to allow traffic through the GRE tunnel.
Check the tunnel status in the Forcepoint ONE SSE portal under Analyze > Tunnels page. This page gives an indication of the visibility of your tunnels to the service.

If you continue to have issues after checking the items above, contact Forcepoint Technical Support.

Troubleshooting with HAR files

To help diagnose network issues, you can generate a HAR (HTTP Archive) file to log your browser’s interaction with a particular website. HAR files can be generated using Google Chrome’s Developer Tools, as well as other software packages.