WSS Agent remains ACTIVE when connected from a known network location

Article ID: 227767

Products

Web Security Service - WSS

Issue/Introduction

The Cloud Traffic Controller (CTC) signals the WSS Agent to remain in ACTIVE mode even though the request comes from a known network location that is registered in the WSS portal.

Cause

The WSS Agent attempts to establish a connection to the Cloud Traffic Controller (CTC) at ctc.threatpulse.com and portal.threatpulse.com, which it must do to determine whether it is on a protected network. When the WSS Agent detects that it is on a protected network, it goes into PASSIVE mode automatically.

If the WSS Agent remains ACTIVE, there could be multiple reasons for this behavior:

  1. The CTC request is routed via an IP that is not registered in the WSS portal as a known location.
  2. CTC is responding incorrectly as ACTIVE, even though the request is coming from a known network location registered in WSS.

Environment

  • Web Security Service
  • WSS Agent
  • Third-party VPN provider

Resolution

To resolve issue #1, where the CTC request is routed via an IP that is not registered in the WSS portal as a known location:

Recommended configuration (WSS Agent enters Passive Mode):

  1. Full-Tunnel: Add the VPN server egress IP address as a known location.
  2. Split-Tunnel: Add the VPN server egress IP address as a known location and make sure that CTC traffic is routed through the VPN tunnel.

Recommended configuration with a PAC file (WSS Agent enters Passive Mode):

If you must use a PAC file to force the WSS Agent into Passive mode and are sending CTC requests through a proxy/PAC file, whether in full-tunnel or split-tunnel mode:

  1. Add the egress IP address of your proxy server as the known location, instead of the address of your VPN server.
  2. Make sure that CTC requests are exempted from SSL interception and from authentication in your proxy configuration.

    Note: Even when using a PAC file on a split tunnel, the network routing for CTC MUST send the traffic through the tunnel, even if the proxy or PAC file is unavailable. This allows the WSS Agent to detect network changes using operating system APIs.

    Note: Split-tunnel in REVERSE mode, where the traffic for intranet applications bypasses the VPN tunnel while all other traffic goes through the VPN tunnel, is not a supported deployment type, as it is not a use case that Broadcom has tested, validated, or qualified the WSS Agent against. While it could work, Broadcom does not recommend implementing this type of VPN mode.

Add A Network Location

  1. In the WSS Portal, navigate to Connectivity > Locations.
  2. Click Add Location and follow the wizard.
    • For Full/Split-tunnel: Add the location as an IPSec location with a dummy pre-shared key.
    • For Full/Split-tunnel: Add the location as an Explicit location.
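The passive/active decision described above comes down to one question: which source IP does the CTC see on the agent's request, and is that IP registered as a location? The following script, added here as an example and not Broadcom's or the WSS Agent's own code, models that decision for the deployment types the article lists (full-tunnel, split-tunnel with and without CTC routed through the tunnel, and a PAC/proxy path) and maps an unexpectedly ACTIVE result back to the issue #1 remedies. The `Deployment` type, the helper names and all IP addresses are constructed for the example; the CTC host names are the ones named in the article.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Hosts the agent must reach to learn whether it is on a protected network (from the article).
CTC_HOSTS = ("ctc.threatpulse.com", "portal.threatpulse.com")


@dataclass
class Deployment:
    """One client's network path to the CTC. Constructed type for this example."""
    mode: str                               # "full-tunnel", "split-tunnel" or "direct" (no VPN)
    direct_egress_ip: str                   # public IP seen when traffic is not tunnelled
    vpn_egress_ip: Optional[str] = None     # VPN server egress IP
    ctc_via_tunnel: bool = True             # split-tunnel only: is CTC traffic routed through the tunnel?
    proxy_egress_ip: Optional[str] = None   # set when a PAC file sends CTC requests via a proxy
    proxy_ssl_exempt: bool = True           # proxy does not intercept TLS for the CTC hosts
    proxy_auth_exempt: bool = True          # proxy does not demand authentication for the CTC hosts


def ctc_source_ip(d: Deployment) -> str:
    """Return the source IP the CTC observes for this deployment's request."""
    if d.proxy_egress_ip:
        # PAC/proxy path: the proxy's egress IP is what the CTC sees in either tunnel mode.
        return d.proxy_egress_ip
    if d.mode == "full-tunnel" or (d.mode == "split-tunnel" and d.ctc_via_tunnel):
        if d.vpn_egress_ip is None:
            raise ValueError("a tunnelled deployment needs a VPN egress IP")
        return d.vpn_egress_ip
    # Split tunnel that excludes the CTC hosts, or no VPN at all: the local ISP address.
    return d.direct_egress_ip


def is_registered(ip: str, registered: Iterable[str]) -> bool:
    """True if ip falls inside any registered location (single IPs or CIDR ranges)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in registered)


def expected_agent_mode(d: Deployment, registered: Iterable[str]) -> str:
    """PASSIVE when the observed source IP is a registered location, otherwise ACTIVE."""
    return "PASSIVE" if is_registered(ctc_source_ip(d), list(registered)) else "ACTIVE"


def diagnose(d: Deployment, registered: Iterable[str]) -> List[str]:
    """Map an ACTIVE result to the issue #1 remedies; an empty list means the path is fine."""
    registered = list(registered)
    findings: List[str] = []
    if d.proxy_egress_ip:
        if not d.proxy_ssl_exempt:
            findings.append("exempt CTC hosts from SSL interception on the proxy")
        if not d.proxy_auth_exempt:
            findings.append("exempt CTC hosts from proxy authentication")
    if expected_agent_mode(d, registered) == "PASSIVE":
        return findings  # source IP is registered; if the agent is still ACTIVE, see issue #2
    src = ctc_source_ip(d)
    if d.proxy_egress_ip:
        findings.append(f"register the proxy egress IP {src} as a location (not the VPN server IP)")
    elif d.mode == "split-tunnel" and not d.ctc_via_tunnel:
        findings.append(f"route {' and '.join(CTC_HOSTS)} through the VPN tunnel (CTC currently sees {src})")
        if d.vpn_egress_ip and not is_registered(d.vpn_egress_ip, registered):
            findings.append(f"register the VPN server egress IP {d.vpn_egress_ip} as a location")
    elif d.mode in ("full-tunnel", "split-tunnel"):
        findings.append(f"register the VPN server egress IP {src} as a location")
    else:
        findings.append(f"{src} is not a registered location; ACTIVE is expected off-network")
    return findings


if __name__ == "__main__":
    # Constructed portal configuration: one VPN egress IP and one proxy range registered.
    locations = ["203.0.113.10/32", "198.51.100.0/24"]
    scenarios = {
        "full tunnel": Deployment("full-tunnel", "192.0.2.50", vpn_egress_ip="203.0.113.10"),
        "split tunnel, CTC bypasses tunnel": Deployment(
            "split-tunnel", "192.0.2.50", vpn_egress_ip="203.0.113.10", ctc_via_tunnel=False),
        "PAC via proxy, auth not exempted": Deployment(
            "split-tunnel", "192.0.2.50", vpn_egress_ip="203.0.113.10",
            proxy_egress_ip="198.51.100.9", proxy_auth_exempt=False),
    }
    for name, dep in scenarios.items():
        print(f"{name}: CTC sees {ctc_source_ip(dep)} -> {expected_agent_mode(dep, locations)}")
        for finding in diagnose(dep, locations):
            print(f"  remedy: {finding}")
```

Run it as-is to see the three scenarios, or feed it your own VPN and proxy egress addresses alongside the locations registered in the portal; a non-empty `diagnose` result tells you which of the remedies above applies before you open the Locations wizard.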


To resolve issue #2, where CTC is responding incorrectly as ACTIVE even though the request is coming from a known network location registered in WSS, a WSS administrator can log in to the WSS management portal and take the following steps:

  1. Navigate to Connectivity > Locations.
  2. Locate the location using the Search option.
  3. Select the location.
  4. Click on Edit.
  5. Click on Save.
  6. Open the WSS Agent UI and press Reconnect.

Note: These steps force a WSS portal configuration update to be pushed to the WSS Cloud Traffic Controller (CTC).

If the issue still persists, gather WSS Agent diagnostics using SymDiag for the respective operating system while reproducing the issue.

If you have a current Support Case for this issue, attach the .sdbz file to the support case using SymDiag, or save the .sdbz file locally, exit SymDiag, and send the file to your Support Contact.
