To resolve issue #1, where the CTC request is routed via an IP address that is not registered in the WSS portal as a known location:
Recommended configuration: WSS Agent enters Passive Mode
- Full-Tunnel: Add VPN server egress IP address.
- Split-Tunnel: Add VPN server egress IP address and make sure that CTC is routed through the VPN tunnel.
Recommended configuration with PAC file: WSS Agent enters Passive Mode
If you must use a PAC file to force the WSS Agent into Passive Mode and are sending CTC requests through a proxy/PAC file, whether in full-tunnel or split-tunnel mode:
- Add the egress IP address of your proxy server instead of the address of your VPN server.
- Make sure that CTC requests are SSL and Authentication exempted in your proxy configuration.
Note: Even when using a PAC file on a split tunnel, CTC traffic MUST be routed through the tunnel even if the proxy or PAC file is unavailable. This allows the WSS Agent to detect network changes using operating system APIs.
Note: Split-tunnel in REVERSE mode, where the traffic for intranet applications bypasses the VPN tunnel while other traffic goes through the VPN tunnel, is not a supported deployment type, as it is not a use case that Broadcom has tested, validated or qualified the WSS Agent against. While it could work, Broadcom does not recommend the implementation of this type of VPN mode.
Add a Network Location
- In the WSS Portal, navigate to Connectivity > Locations.
- Click on Add Location and follow the wizard.
- For Full/Split-tunnel: Add the location as an IPSec Location with a dummy pre-shared key.
- For Full/Split-tunnel: Add the location as an Explicit location.
To resolve issue #2, where CTC incorrectly responds as ACTIVE even though the request comes from a network location registered/known by WSS, a WSS administrator can log in to the WSS management portal and take the following steps:
- Navigate to Connectivity > Locations.
- Locate the location using the Search option.
- Select the location.
- Click on Edit.
- Click on Save.
- Open the WSS Agent UI and press Reconnect.
Note: These steps will force a WSS portal configuration update to our WSS Cloud Traffic Controller (CTC).
If the issue still persists, gather WSS Agent diagnostics using SymDiag for the respective operating system while reproducing the issue.
If you have a current Support Case for this issue, attach the .sdbz file to the support case using SymDiag, or save the .sdbz file locally, exit SymDiag and send the file to your Support Contact.