KB Article | Forcepoint Support

Problem Description

The Websense Content Gateway (WCG) error.log shows a site with a "Tunnel connection failed" error.

Resolution

"Tunnel Connection Failed" means that the proxy cannot establish a connection to the origin server. In that case the investigation must move to the network path between the proxy and the origin. The wget command below shows whether the proxy itself can resolve and connect to the site in question.

Using CLI in 8.3-8.5 via SSH
  1. Using an SSH tool, log into the C interface IP as admin
  2. Type: diag
  3. Type: wget --url <url in question> --module proxy
  4. Press Enter
 
Using Appliance Manager’s Command Line Utility in 7.0-8.2
  1. Appliance Manager > Administration > Toolbox > Command Line Utility section > Click Launch Utility.
  2. Component: Select Content Gateway.
  3. Command: Select wget-proxy.
  4. URL: Type Full URL of the problem website.
  5. Proxy IP:  the P1 interface IP address.
  6. Port: type 8080 or the Proxy Port assigned in Content Gateway.
  7. User Name: type none
  8. Password: type none
  9. Click Run.
If a “connection timed out” error is returned, it means there is an issue with the end-site not allowing the connection.
 
Example of a failed wget command:
 
<FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy
--2018-09-13 17:13:59--  http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80...
failed: Connection timed out.
 
Example of successful wget command:
<FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy
--2018-09-13 17:13:59--  http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.forcepoint.com/ [following]
--2018-09-13 17:14:04--  https://www.forcepoint.com/
Resolving www.forcepoint.com... 54.191.140.180
Connecting to www.forcepoint.com|54.191.140.180|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94580 (92K) [text/html]
Saving to: “index.html”
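The two transcripts above differ only in the line where the fetch stops, and that line is what decides the next troubleshooting step (DNS, the network path, or the origin's HTTP answer). The helper below is an added example, not Forcepoint tooling: it reads the text the diag wget command prints and reports at which stage the fetch stopped. The sample transcripts are constructed from the article's two examples plus one invented DNS-failure case; the host `nosuch.invalid` and the `diagnose`/`next_step` names are assumptions made for the example.

```python
"""Triage helper for Content Gateway 'wget --module proxy' output.

Added example, not Forcepoint tooling. It reads the text the diag wget
command prints and reports where the fetch stopped: DNS resolution, TCP
connect, HTTP response, or a completed download.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Diagnosis:
    stage: str                                      # "dns", "tcp", "http" or "complete"
    verdict: str                                    # one-line human-readable outcome
    hops: List[str] = field(default_factory=list)   # URLs visited, redirects included
    last_status: Optional[int] = None               # last HTTP status seen, if any


STAGE_NAMES = {"dns": "DNS resolution", "tcp": "TCP connect", "http": "HTTP response"}

# Line shapes GNU wget prints during a fetch.
RE_URL     = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)")
RE_RESOLVE = re.compile(r"^Resolving (\S+?)(?: \(\S+\))?\.\.\.\s*(.*)$")
RE_CONNECT = re.compile(r"^Connecting to \S+\.\.\.\s*(.*)$")
RE_FAILED  = re.compile(r"^failed: (.*)$")
RE_STATUS  = re.compile(r"^HTTP request sent, awaiting response\.\.\.\s*(\d{3})\b")
RE_SAVING  = re.compile(r"^Saving to:")


def diagnose(output: str) -> Diagnosis:
    """Walk the wget output line by line and stop at the first failure."""
    hops: List[str] = []
    stage = "dns"
    last_status: Optional[int] = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RE_URL.match(line)):
            hops.append(m.group(1))
            stage = "dns"                      # every new URL starts over at resolution
        elif (m := RE_RESOLVE.match(line)):
            host, rest = m.groups()
            if rest.startswith("failed"):
                return Diagnosis("dns", f"DNS resolution failed for {host}: {rest[8:]}",
                                 hops, last_status)
            stage = "tcp"
        elif (m := RE_CONNECT.match(line)):
            rest = m.group(1)
            if rest.startswith("failed"):
                return Diagnosis("tcp", f"TCP connect failed: {rest[8:]}", hops, last_status)
            if rest.startswith("connected"):
                stage = "http"
            # an empty remainder means the result wrapped onto the next line
        elif (m := RE_FAILED.match(line)):
            # result printed on its own line, as in the KB transcript
            return Diagnosis(stage, f"{STAGE_NAMES[stage]} failed: {m.group(1)}",
                             hops, last_status)
        elif (m := RE_STATUS.match(line)):
            last_status = int(m.group(1))
        elif RE_SAVING.match(line):
            stage = "complete"
    if stage == "complete":
        return Diagnosis(stage, f"Fetch completed with HTTP {last_status}", hops, last_status)
    if stage == "http" and last_status is not None:
        return Diagnosis(stage, f"Origin answered HTTP {last_status}, no body saved",
                         hops, last_status)
    return Diagnosis(stage, "Output ended before a result was printed", hops, last_status)


def next_step(d: Diagnosis) -> str:
    """Map the stopping stage to the branch of the KB procedure that applies."""
    if d.stage == "dns":
        return "name resolution from the proxy failed; check DNS first"
    if d.stage == "tcp":
        return ("no TCP path from the proxy to the origin; if other HTTPS sites work, "
                "the origin may not be proxy friendly (consider SSL decryption bypass)")
    if d.stage == "http":
        return "origin is reachable and answered; the tunnel itself is established"
    return "fetch succeeded from the proxy; the tunnel failure did not reproduce"


# Constructed samples: the first two follow the article's transcripts, the third
# is an invented DNS-failure case using the reserved .invalid TLD.
FAILED_SAMPLE = """\
<FQDN of Content Gateway>(diagnose)# wget --url forcepoint.com --module proxy
--2018-09-13 17:13:59--  http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80...
failed: Connection timed out.
"""

SUCCESS_SAMPLE = """\
--2018-09-13 17:13:59--  http://forcepoint.com/
Resolving forcepoint.com... 54.191.140.180
Connecting to forcepoint.com|54.191.140.180|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.forcepoint.com/ [following]
--2018-09-13 17:14:04--  https://www.forcepoint.com/
Resolving www.forcepoint.com... 54.191.140.180
Connecting to www.forcepoint.com|54.191.140.180|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 94580 (92K) [text/html]
Saving to: 'index.html'
"""

DNS_SAMPLE = """\
--2018-09-13 17:15:02--  http://nosuch.invalid/
Resolving nosuch.invalid... failed: Name or service not known.
wget: unable to resolve host address 'nosuch.invalid'
"""

if __name__ == "__main__":
    for name, sample in (("failed", FAILED_SAMPLE), ("success", SUCCESS_SAMPLE), ("dns", DNS_SAMPLE)):
        d = diagnose(sample)
        print(f"{name}: stage={d.stage} status={d.last_status} -> {d.verdict}")
        print(f"  next: {next_step(d)}")
```

Paste the diag output into one of the sample strings (or feed it through `diagnose(sys.stdin.read())`) and the stage tells you which part of this article applies: a `dns` or `tcp` stop belongs to the network investigation, while any HTTP status means the proxy reached the origin.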
 
If other HTTPS sites are working, then the issue may be coming from the origin site as some sites are not proxy friendly. In this instance, bypassing SSL Decryption or tunneling the URL in SSL may be necessary.
 
Bypassing SSL Decryption:
  1. Navigate to Forcepoint Security Manager > Settings > Scanning Options
  2. In version 8.5: Go to Bypasses.
  3. In versions 7.0-8.4: Go to SSL Decryption Bypass.
  4. Scroll to the Destinations section.
  5. Click Add.
  6. Under Hostnames, URLs, IP addresses, or IP address ranges, type *.domain.com for the URL in question.
  7. Click OK to save the Destination Entry.
  8. Click OK to save the SSL Decryption Bypass change.
  9. Click Save and Deploy to deploy the change.
Creating an incident as tunnel:
Important: Adding a URL to Incidents as Tunnel will bypass all policy enforcement for the websites from that domain. Use with caution.
  1. In Content Gateway > Configure > SSL > Incidents > Add a Website tab.
  2. Type the wildcard domain for the URL (*.domain.com).
  3. Select By URL.
  4. Under Action, select Tunnel.
  5. Click OK.
If the issue continues, raise a case with Technical Support.
