WSS Agent machine is on-premise and should connect to the service through an explicit proxy. All the hosts running the WSS Agent are configured with an explicit proxy configuration.

The WSS Agent hosts are not allowed to resolve external names using the DHCP configured DNS server.

The WSS Agent is failing to connect to the service and "No Route to CTC" error message is displayed on the agent status.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/conn-matrix/conn-about-wssa/wssa-on-premises.html

Make sure that all WSS Agent hosts can reach the CTC service at ctc.threatpulse.com.

CTC requests will be sent through the proxy. In order to set up the network detection system with the operating system, ctc.threatpulse.com MUST be resolvable and there must be a route to it. 

Internal DNS servers can be configured to resolve it to an internal IP address (and the address does not need to be reachable).

A forced reconnect will use the proxy server, even without recognizing the network change. Details on how to do a programmatic reconnect can be found here