Unable to establish IPSec tunnel from Firewall to the Web Security Service


Article ID: 168374


Web Security Service - WSS


Several configuration errors can prevent the IPSec tunnel from establishing with the Web Security Service (WSS). The most common are:


  1. Incorrect Pre-Shared Key (PSK)
  2. Incorrect IKE exchange mode (aggressive instead of main)
  3. NAT applied to traffic destined for WSS
  4. NAT Traversal (NAT-T) enabled
  5. Wrong peer IP address





Verify the following:

  1. The PSK entered in the firewall configuration must match the PSK configured for the Location in your ThreatPulse portal.
  2. The IKE exchange mode must be main mode; WSS does not support aggressive mode.
  3. NAT must not be applied to traffic sent to WSS. With main mode and a PSK the peer is identified by its source IP, so the tunnel must leave the firewall from its real egress IP, untranslated.
  4. NAT Traversal (NAT-T) must be disabled.
  5. The peer IP address must be the WSS data-center IP address assigned to your Location (see Data Center IP addresses for Web Security Service).
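
The following script walks a tunnel definition through the five checks above. It is an added example, not code from this article or from Symantec/Broadcom: the tunnel syntax is modelled on strongSwan's ipsec.conf and ipsec.secrets and the NAT rules on iptables, `nat_traversal=` is a hypothetical stand-in for whatever your firewall calls its NAT-T toggle, and every IP address (RFC 5737 documentation ranges) and PSK is a placeholder you would replace with the values from your portal and the WSS data-center list. The NAT check reproduces iptables' first-match semantics in the POSTROUTING chain, so it recognises the usual fix of an `-d <peer> -j ACCEPT` exemption placed ahead of a blanket MASQUERADE.

```python
"""Checklist validator for an IPsec tunnel definition bound for WSS (constructed example).

Syntax modelled on strongSwan ipsec.conf/ipsec.secrets and iptables; `nat_traversal=`
is a hypothetical vendor knob. All addresses (RFC 5737) and keys are placeholders.
"""
import ipaddress
import re

# Placeholders for the WSS data-center IPs assigned to your Location (not real WSS IPs).
WSS_DATACENTER_IPS = {"203.0.113.10", "203.0.113.20"}
# Placeholder for the Location PSK as configured in the portal.
PORTAL_PSK = "portal-location-psk"


def parse_conn(text):
    """Parse 'conn <name>' blocks of key=value lines into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_secrets(text):
    """Parse '<id> [<id>...] : PSK "value"' lines into {id: psk}."""
    secrets = {}
    for line in text.splitlines():
        m = re.match(r'\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            for ident in m.group(1).split():
                secrets[ident] = m.group(2)
    return secrets


def nat_applies_to(peer, nat_rules):
    """True if the first POSTROUTING rule matching `peer` is SNAT/MASQUERADE.

    Understands an optional (possibly '!'-negated) '-d <ip|cidr>' match and
    '-j <target>': ACCEPT exempts the peer, non-NAT targets are skipped.
    """
    peer_ip = ipaddress.ip_address(peer)
    for rule in nat_rules:
        if "POSTROUTING" not in rule:
            continue
        target = re.search(r"-j\s+(\S+)", rule)
        if not target:
            continue
        dst = re.search(r"(?:^|\s)(!\s+)?-d\s+(\S+)", rule)
        if dst:
            hit = peer_ip in ipaddress.ip_network(dst.group(2), strict=False)
            if dst.group(1):                          # '! -d' negates the match
                hit = not hit
            if not hit:
                continue
        if target.group(1) == "ACCEPT":
            return False
        if target.group(1) in ("SNAT", "MASQUERADE"):
            return True
    return False


def check_tunnel(conn, secrets, nat_rules, portal_psk):
    """Return the checklist items (numbered as in the article) that fail."""
    findings = []
    peer = conn.get("right", "")
    if secrets.get(peer, secrets.get("%any")) != portal_psk:
        findings.append("1-psk-mismatch")
    if conn.get("aggressive", "no").lower() == "yes":
        findings.append("2-aggressive-mode")
    if peer and nat_applies_to(peer, nat_rules):
        findings.append("3-nat-applied-to-wss-traffic")
    if conn.get("nat_traversal", "no").lower() == "yes":      # hypothetical knob
        findings.append("4-nat-t-enabled")
    if peer not in WSS_DATACENTER_IPS:
        findings.append("5-wrong-peer-ip")
    return findings


def run_checks(conf_text, secrets_text, nat_rules, portal_psk=PORTAL_PSK):
    """Parse the inputs and validate every 'conn' block: {conn name: findings}."""
    secrets = parse_secrets(secrets_text)
    return {name: check_tunnel(conn, secrets, nat_rules, portal_psk)
            for name, conn in parse_conn(conf_text).items()}


# Constructed samples: one tunnel with all five faults, one configured correctly.
BAD_CONF = """
conn wss-tunnel
    keyexchange=ikev1
    aggressive=yes          # aggressive mode: WSS requires main mode
    left=198.51.100.7
    right=203.0.113.99      # not one of the assigned data-center IPs
    nat_traversal=yes       # hypothetical vendor knob for NAT-T
"""
BAD_SECRETS = '198.51.100.7 203.0.113.99 : PSK "wrong-shared-secret"\n'
BAD_NAT = ["-A POSTROUTING -o eth0 -j MASQUERADE"]       # translates the WSS peer too

GOOD_CONF = """
conn wss-tunnel
    keyexchange=ikev1
    aggressive=no
    left=198.51.100.7
    right=203.0.113.10
    nat_traversal=no
"""
GOOD_SECRETS = '198.51.100.7 203.0.113.10 : PSK "portal-location-psk"\n'
GOOD_NAT = ["-A POSTROUTING -d 203.0.113.10/32 -j ACCEPT",   # exempt the peer first
            "-A POSTROUTING -o eth0 -j MASQUERADE"]

if __name__ == "__main__":
    for label, args in (("bad", (BAD_CONF, BAD_SECRETS, BAD_NAT)),
                        ("good", (GOOD_CONF, GOOD_SECRETS, GOOD_NAT))):
        for name, findings in run_checks(*args).items():
            print(f"{label}/{name}: {findings or 'all checks passed'}")
```

Feed it your own exported tunnel block, secrets line and `iptables -t nat -S POSTROUTING` output; anything it reports maps directly onto the numbered item above, which is the same list Technical Support will walk through.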

If the tunnel still fails after these checks, contact Technical Support for assistance.

Provide the Cloud Network team with the firewall's IPSec (IKE) logs and the firewall's egress IP address.