Certain users cannot browse Websites with WSS Agent when connecting to GAEAD1


Article ID: 242946




Web Security Service - WSS


Users access the internet through WSS using the WSS Agent.

Most users work fine, but occasionally some users cannot browse any sites through WSS even though the tunnel is up: the browser reports connection errors for all websites and no site loads.

When the problem occurs, it often goes away when the user simply reconnects their WSS Agent tunnels.

Workstation PCAPs show TCP SYN requests going into the WSS tunnel, but no responses are ever received.


WSS Agent


Routing issues within WSS when users are assigned certain NATed IP addresses

Specific to GAEAD1 data center



The Proxy routing table was changed and return to sender was disabled to fix the issue.

Additional Information

PCAPs on the WSS Proxy (one specific session highlighted) showed inbound TCP SYN requests and the corresponding SYN-ACK responses, but those responses never appeared to reach the agent.


On the next-hop device after the proxy, the SYN-ACKs were missing. The Proxy PCAP showed that they were sent out the wrong interface due to routing issues, so they never reached the next hop toward the agent, and therefore never reached the agent.
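The workstation-side check described above (SYNs entering the tunnel with no responses) can be scripted. The following is an added example, not part of the original article or the product: it assumes the capture has been exported as `tcpdump -nn` text, and the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches `tcpdump -nn` text lines: "<ts> IP src.sport > dst.dport: Flags [..], ..."
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(lines):
    """Yield ((src, sport, dst, dport), flags) for each parsable TCP line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield (src, int(sport), dst, int(dport)), flags

def syn_summary(lines):
    """Return (answered, unanswered): dicts mapping client flow -> SYN count,
    retransmitted SYNs included."""
    syns, acked = defaultdict(int), set()
    for (src, sport, dst, dport), flags in parse(lines):
        if flags == "S":        # bare SYN: client opening a connection
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":     # SYN-ACK: record it under the client's 4-tuple
            acked.add((dst, dport, src, sport))
    answered = {f: n for f, n in syns.items() if f in acked}
    unanswered = {f: n for f, n in syns.items() if f not in acked}
    return answered, unanswered

def matches_symptom(lines):
    """True when the capture holds SYNs and none of them received a SYN-ACK."""
    answered, unanswered = syn_summary(lines)
    return bool(unanswered) and not answered

# Constructed sample captures (documentation address ranges, not from the article).
BROKEN = """\
10:00:01.000000 IP 192.0.2.10.50001 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
10:00:02.000000 IP 192.0.2.10.50001 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
10:00:02.500000 IP 192.0.2.10.50002 > 203.0.113.9.80: Flags [S], seq 200, win 64240, length 0
10:00:04.000000 IP 192.0.2.10.50001 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
""".splitlines()

HEALTHY = """\
10:05:01.000000 IP 192.0.2.10.50010 > 198.51.100.7.443: Flags [S], seq 300, win 64240, length 0
10:05:01.020000 IP 198.51.100.7.443 > 192.0.2.10.50010: Flags [S.], seq 900, ack 301, win 65535, length 0
10:05:01.020100 IP 192.0.2.10.50010 > 198.51.100.7.443: Flags [.], ack 901, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, matches_symptom(cap), syn_summary(cap)[1])
```

A capture where every flow is unanswered, with repeated SYNs on the same 4-tuple, matches the symptom in this article; a mix of answered and unanswered flows points to a per-destination problem instead.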