Repeatedly getting the error message below in Unified Agent (UA) logs, as well as a CTC response with "ACTIVE(POSTCHK)" with the IP addresses of three data centers: 

Setting client to RETRY because of a tunnel error

Attempting to connect to cloud via TCP

Ensure traffic generated by UA is not being intercepted by other security measures between the client and your gateway.  This includes putting it on the bypass lists of any intrusion detection, network inspection, or protocol detection systems that inspect traffic on your internal network.  These disrupt the flow of packets that are meant to form a tunnel and cause UA to fail to establish a connection to a data center.

Refer to: Required Locations, Ports, and Protocols