Content Gateway error: "502: Tunnel connection failed"
- Article Number: 000003874
- Products: Forcepoint V10000 Appliance, Forcepoint V20000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, Forcepoint X Series Appliance, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
- Last Published Date: June 09, 2020
Problem Description
The Content Gateway error.log shows a site with the error: "502: Tunnel connection failed" |
Resolution
"Tunnel Connection Failed" means that the proxy cannot establish a connection to the origin servers. If that is the case, then investigation must be done on the network. The wget command will show if it is able to resolve the site in question. Using CLI in 8.3-8.5 via SSH
Using Appliance Manager’s Command Line Utility in 7.0-8.2
Example of a failed wget command: FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy --2018-09-13 17:13:59-- http://forcepoint.com/ Resolving forcepoint.com... 54.191.140.180 Connecting to forcepoint.com|54.191.140.180|:80... failed: Connection timed out. Example of successful wget command: <FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy --2018-09-13 17:13:59-- http://forcepoint.com/ Resolving forcepoint.com... 54.191.140.180 Connecting to forcepoint.com|54.191.140.180|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://www.forcepoint.com/ [following] --2018-09-13 17:14:04-- https://www.forcepoint.com/ Resolving www.forcepoint.com... 54.191.140.180 Connecting to www.forcepoint.com|54.191.140.180|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 94580 (92K) [text/html] Saving to: “index.html” If other HTTPS sites are working, then the issue may be coming from the origin site as some sites are not proxy friendly. In this instance, bypassing SSL Decryption or tunneling the URL in SSL may be necessary. Bypassing SSL Decryption:
Important Adding a URL to Incidents as Tunnel will bypass all policy enforcement for the websites from that domain. Use with caution.
Keyword: Content Gateway; error.log; 502; Tunnel connection failed; proxy; wget; incident; ssl decryption; bypass; origin server; url; application |
Article Feedback
Want 24/7 Tech Support?
Learn more