The user is unable to access a site via the Web Security Server (WSS) IPSec tunnel when in the corporate network.
The same user uses WSS Agent (Active Mode) and is able to access the site in question.
The device creating the IPSec tunnel to WSS has an access control list (ACL) which is blocking access to the specific domain/IP, therefore, the traffic never makes it to the WSS tunnel.
Web Security Service
Access Method: Firewall/VPN IPSec
3rd-party Firewall/VPN Device
To resolve this issue, remove the IP/domain in question from your firewall's IP blocklist.
To confirm that the IP/domain is not reaching the Web Security Service. You can run a report a forensic report and edit the report to add additional options.
If the report shows "No Data". It confirms that the Web Security service is not getting traffic for the domain in question.
Report data will be available within 5 to 15 minutes after reproducing the issue.