Troubleshooting
The following table lists some problems that may be encountered in configuring and establishing your tunnel, with some suggested actions.
Problem | Suggested actions |
---|---|
No traffic is reaching the cloud service | Check the tunnel status in the cloud portal, on the page. This page gives an indication of the visibility of your tunnels to the cloud service. |
Your tunnel cannot be established | Use the appropriate show command for your device to display the tunnel status. If the tunnel is down, check the settings for your tunnel against the recommended settings detailed in the article IPsec configuration settings. Check that the following items have been correctly configured in your device’s connection profile:<br>In the cloud portal, check that the device’s egress IP is configured correctly. |
Your tunnel is up, but traffic is not flowing through the tunnel | Use the appropriate show command for your device to display the tunnel status. If the tunnel is up: |
Your device has previously connected, but cannot re-establish the tunnel | Check the settings for your tunnel against the recommended settings detailed in Recommended settings and best practices. In particular, check you are using supported DH group settings. When incorrectly set, these settings can cause problems at the renegotiation stage. Clear the IPsec security associations on your device, and attempt to re-establish the tunnel.<br>Tip: While testing, temporarily set the Lifetime value for your connection to a low value (such as 10 minutes) to check whether the tunnel can successfully re-establish. Once the tunnel is re-establishing correctly, revert the lifetime to the recommended value. |
Your tunnel has successfully established, but your policy settings are not being applied | Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies. |
The policy test page is showing the correct policy, but some HTTPS connections are being closed. (HTTP requests are working.) | Ensure you have checked the Use certificate to serve notifications for HTTPS pages in the cloud portal, on the page, under Settings. See Enable notification pages for HTTPS sites. |
End users see authentication popups when browsing; NTLM identification is not working | Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies. Check your NTLM settings. See Set up end-user authentication and Configure browsers for NTLM identification. Ensure that your directory synchronization has successfully imported users and groups. |
Block pages are not displaying for HTTPS sites | Ensure you have checked the Use certificate to serve notifications for HTTPS pages in the cloud portal, on the page, under Settings. See Enable notification pages for HTTPS sites. |
If you continue to have issues after checking all the items above, please contact Technical Support.