Troubleshooting

The following table lists some problems that may be encountered in configuring and establishing your tunnel, with some suggested actions.

Problem Suggested actions

No traffic is reaching the cloud service

Check the tunnel status in the cloud portal, on the Web > Device Management page. This page gives an indication of the visibility of your tunnels to the cloud service.

Your tunnel cannot be established

Use the appropriate show command for your device to display the tunnel status. If the tunnel is down, check the settings for your tunnel against the recommended settings detailed in the article IPsec configuration settings.

Check that the following items have been correctly configured in your device’s connection profile:
  • Connection IP address
  • Pre-shared key
  • IKE protocol
  • IKE cipher
  • IKE ID
  • IKE ID DH group
  • IPsec encryption algorithm

In the cloud portal, check that the device’s egress IP is configured correctly.
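
The connection-profile checklist above can be automated when the intended values and the values read back from the device are both available. The following Python script is an added example, not part of the vendor documentation: the function names, the grouping of fields into kinds, and all sample values are assumptions constructed for illustration. It reports each differing item and never prints the pre-shared key.

```python
import hmac
import ipaddress

# Checklist items from the page; the grouping into kinds is this example's assumption.
FIELDS = ["Connection IP address", "Pre-shared key", "IKE protocol", "IKE cipher",
          "IKE ID", "IKE ID DH group", "IPsec encryption algorithm"]
SECRET = {"Pre-shared key"}
ADDRESS = {"Connection IP address"}
ALGORITHM = {"IKE protocol", "IKE cipher", "IKE ID DH group", "IPsec encryption algorithm"}

def normalize(field, value):
    """Remove cosmetic differences only where they cannot change the meaning."""
    if field in ADDRESS:
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            return value          # malformed address: compare as typed
    if field in ALGORITHM:
        return "".join(c for c in value.lower() if c.isalnum())
    return value                  # IKE ID and secrets are compared exactly

def compare_profiles(expected, actual):
    """Return (field, message) for every checklist item that differs."""
    findings = []
    for field in FIELDS:
        want, have = expected[field], actual.get(field)
        if not have:
            findings.append((field, "not set on device"))
        elif field in SECRET:
            # Constant-time compare; never echo either value into a report.
            if not hmac.compare_digest(want.encode(), have.encode()):
                findings.append((field, "mismatch (values redacted)"))
        elif normalize(field, want) != normalize(field, have):
            findings.append((field, f"expected {want!r}, device has {have!r}"))
    return findings

# Constructed sample values, not the vendor's recommended settings.
EXPECTED = {"Connection IP address": "203.0.113.10", "Pre-shared key": "constructed-example-key",
            "IKE protocol": "IKEv2", "IKE cipher": "AES-256", "IKE ID": "edge-1.example.com",
            "IKE ID DH group": "14", "IPsec encryption algorithm": "AES-256"}
DEVICE = {"Connection IP address": " 203.0.113.10 ", "Pre-shared key": "constructed-example-key ",
          "IKE protocol": "ikev2", "IKE cipher": "aes256", "IKE ID": "edge1.example.com",
          "IKE ID DH group": "2"}  # trailing space in key; IPsec algorithm missing

if __name__ == "__main__":
    for field, message in compare_profiles(EXPECTED, DEVICE):
        print(f"{field}: {message}")
```

The trailing space in the sample device key is reported as a mismatch because secrets are compared byte for byte, while `ikev2` and `aes256` are accepted as cosmetic variants.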

Your tunnel is up, but traffic is not flowing through the tunnel

Use the appropriate show command for your device to display the tunnel status. If the tunnel is up:
  • Verify that the tunnel connectivity monitoring address (116.50.59.230) can be pinged via the tunnel.
  • Check that the IPsec policy is configured to allow traffic on ports 80 and 443 through the tunnel.
  • If the edge device supports issuing an HTTP request via a utility such as curl or Wget, check that you can successfully receive an HTTP response from the proxy.
  • Capture traffic on the edge device and check if the traffic is being routed through the tunnel.

Your device has previously connected, but cannot re-establish the tunnel

Check the settings for your tunnel against the recommended settings detailed in Recommended settings and best practices.

In particular, check that you are using supported DH group settings. When incorrectly set, these settings can cause problems at the renegotiation stage.

Clear the IPsec security associations on your device, and attempt to re-establish the tunnel.
Tip: While testing, temporarily set the Lifetime value for your connection to a low value (such as 10 minutes) to check whether the tunnel can successfully re-establish. Once the tunnel is re-establishing correctly, revert the lifetime to the recommended value.

Your tunnel has successfully established, but your policy settings are not being applied

Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.

The policy test page is showing the correct policy, but some HTTPS connections are being closed. (HTTP requests are working.)

Ensure you have checked the Use certificate to serve notifications for HTTPS pages option in the cloud portal, on the Web > Block & Notification Pages page, under Settings.

See Enable notification pages for HTTPS sites.

End users see authentication popups when browsing; NTLM identification is not working

Use the proxy query page to identify which policy is being applied. If necessary, revisit your policy settings. See Test your policies.

Check your NTLM settings. See Set up end-user authentication and Configure browsers for NTLM identification.

Ensure that your directory synchronization has successfully imported users and groups.

Block pages are not displaying for HTTPS sites

Ensure you have checked the Use certificate to serve notifications for HTTPS pages option in the cloud portal, on the Web > Block & Notification Pages page, under Settings.

See Enable notification pages for HTTPS sites.

If you continue to have issues after checking all the items above, please contact Technical Support.