Users experiencing intermittent connectivity issues accessing internet via WSS Singapore (GSGRS1) site using SEP WTR

book

Article ID: 210387

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Singapore WSS data center recently went through maintenance window

Users accessing WSS with SEP WTR access method

Users logged into on premise VDI hosts and accessing internet via same egress IP address

Many users having no issues, yet some issues report that  they cannot get to sites

When problem happens, browser reports 'unable to connect' to site messages

 

Cause

DNS response for sep-wtr.threatpulse.net returning VIP for GSGRS1 (valid IP address for explicit traffic) and GSGSR11 (valid IP address for WSSA traffic, but cannot handle explicit requests!)

SEP WTR users resolving sep-wtr.threatpulse.net to GSGRS11 VIP would fail 

Resolution

Changed Akamai GEO DNS service so that DNS requests for sep-wtr.threatpulse.net in region only returns the GSGRS1 VIP.

Users do not need to do anything as change picked up automatically.

Additional Information

WSS had seperate clusters for IPSEC/Explicit and WSSA traffic. The WSSA traffic is handled by clusters that only access TCP/UDP 443 requests and drops requests for any other protocols.