
WSSA isn't going passive with full-tunnel VPN even though the egress IP address is from a known location


Article ID: 221344


Updated On:


Web Security Service - WSS


WSSA stays active even though traffic is going through a full-tunnel VPN whose egress IP address comes from a known location, in which case the agent should go passive.

CTC failed (12175)
CTC: Using CL from file cache
CTC: using the connect list cached in memory


WSSA is trying to connect to  The request is being SSL intercepted, and an unexpected certificate is being returned to WSSA. This causes the request to the CTC (cloud traffic controller) to fail. Because the agent had successfully connected to the service previously, it uses the cached response from that connection to connect to the service and go active.


In order for WSSA to go passive, please disable SSL interception for any traffic destined to  This will allow WSSA to get a proper response from CTC and go passive.
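To confirm this condition on an endpoint, the log can be scanned for a CTC failure that is immediately followed by the cached connect list fallback. The script below is an added example, not Broadcom's code: the function name, the timestamps and the overall log layout are assumptions, and only the three message strings come from the log excerpt above.

```python
import re

# WinHTTP error 12175 is ERROR_WINHTTP_SECURE_FAILURE (server certificate errors).
WINHTTP_SECURE_FAILURE = 12175

CTC_FAILED = re.compile(r"CTC failed \((\d+)\)")
CACHE_FALLBACK = re.compile(
    r"CTC: (?:Using CL from file cache|using the connect list cached in memory)"
)

def find_cached_fallbacks(lines):
    """Return one finding per 'CTC failed' event that is followed by a
    cached connect list fallback before the next CTC failure."""
    findings = []
    pending = None  # (line number, error code) of the latest unmatched failure
    for line_no, line in enumerate(lines, start=1):
        failed = CTC_FAILED.search(line)
        if failed:
            pending = (line_no, int(failed.group(1)))
            continue
        if pending and CACHE_FALLBACK.search(line):
            fail_line, code = pending
            findings.append({
                "failed_at": fail_line,
                "fallback_at": line_no,
                "error": code,
                # True means the CTC request failed on the server certificate,
                # which is what SSL interception of that request produces.
                "tls_cert_failure": code == WINHTTP_SECURE_FAILURE,
            })
            pending = None  # report each failure once
    return findings

# Constructed sample log: timestamps and the 12002 (WinHTTP timeout) entry are
# made up for this example; the real WSSA log layout may differ.
SAMPLE_LOG = """\
2024-01-01 09:00:01 CTC failed (12175)
2024-01-01 09:00:01 CTC: Using CL from file cache
2024-01-01 09:00:01 CTC: using the connect list cached in memory
2024-01-01 09:05:01 CTC failed (12002)
2024-01-01 09:05:01 CTC: Using CL from file cache
""".splitlines()

if __name__ == "__main__":
    for f in find_cached_fallbacks(SAMPLE_LOG):
        cause = ("certificate error, check for SSL interception"
                 if f["tls_cert_failure"] else "other WinHTTP error")
        print(f"line {f['failed_at']}: CTC failed ({f['error']}), "
              f"cache fallback at line {f['fallback_at']}: {cause}")
```

A finding with `tls_cert_failure` set to true matches the situation in this article; a fallback after any other error code points to a different cause, such as a network timeout.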

Additional Information

Error 12175 is a Microsoft error.  It has the following meaning:



One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. To determine what type of error was encountered, check for a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification in a status callback function. For more information, see WINHTTP_STATUS_CALLBACK.

Microsoft URL: