KB Article | Forcepoint Support

Content Gateway error: "502: Tunnel connection failed"

Article Number: 000003874
Products: Forcepoint V10000 Appliance, Forcepoint V20000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, Forcepoint X Series Appliance, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security Gateway Anywhere, Web Security and Web Filter
Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7, 7.6, 7.5, 7.1, 7.0
Last Published Date: June 12, 2019

Problem Description

The Content Gateway error.log shows a site with the error:
"502: Tunnel connection failed"

Resolution

"Tunnel Connection Failed" means that the proxy cannot establish a connection to the origin servers. If that is the case, then investigation must be done on the network. The wget command will show if it is able to resolve the site in question.

Using CLI in 8.3-8.5 via SSH

Using an SSH tool, log into the C interface IP as admin
Type: diag
Type: wget –url <url in question> --module proxy
Press Enter

Using Appliance Manager’s Command Line Utility in 7.0-8.2

Appliance Manager > Administration > Toolbox > Command Line Utility section > Click Launch Utility.
Component: Select Content Gateway.
Command: Select wget-proxy.
URL: Type Full URL of the problem website.
Proxy IP: the P1 interface IP address.
Port: type 8080 or the Proxy Port assigned in Content Gateway.
User Name: type none
Password: type none
Click Run.

If a “connection timed out” error is returned, it means there is an issue with the end-site not allowing the connection.

Example of a failed wget command:

FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy
--2018-09-13 17:13:59-- http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80...
failed: Connection timed out.

Example of successful wget command:
<FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy
--2018-09-13 17:13:59-- http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.forcepoint.com/ [following]
--2018-09-13 17:14:04-- https://www.forcepoint.com/
Resolving www.forcepoint.com... 54.191.140.180
Connecting to www.forcepoint.com|54.191.140.180|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94580 (92K) [text/html]
Saving to: “index.html”

If other HTTPS sites are working, then the issue may be coming from the origin site as some sites are not proxy friendly. In this instance, bypassing SSL Decryption or tunneling the URL in SSL may be necessary.

Bypassing SSL Decryption:

Navigate to Forcepoint Security Manager > Settings > Scanning Options
In version 8.5: Go to Bypasses.
In versions 7.0-8.4: Go to SSL Decryption Bypass.
Scroll to the Destinations section.
Click Add.
Under Hostnames, URLs, IP addresses, or IP address ranges, type *.domain.com for the URL in question.
Click OK to save the Destination Entry.
Click OK to save the SSL Decryption Bypass change.
Click Save and Deploy to deploy the change.

Creating an incident as tunnel:
Important Adding a URL to Incidents as Tunnel will bypass all policy enforcement for the websites from that domain. Use with caution.

In Content Gateway > Configure > SSL > Incidents > Add a Website tab.
Type the wildcard domain for the URL (*.domain.com).
Select By URL.
Under Action, select Tunnel.
Click OK.

If the issue continues, raise a case with Technical Support.

Article Feedback

Is the article related to the topic you are looking for?
Yes No

Did the information in this article answer your question or resolve your issue?
Yes No

Comments

Thank you for the feedback and comments.

Tools & Links

Featured Articles Home Upgrade Centers Support Videos

Want 24/7 Tech Support?

Learn more