WSS Agent reconnects take long time when a SEP location change is triggered
search cancel

WSS Agent reconnects take long time when a SEP location change is triggered


Article ID: 245375


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS Agent is not allow to connect with WSS until the F5 VPN tunnel is UP.

SEP Agent running on WSS host with location services enabled, with the following expected behaviour:

  • When F5 VPN is not connected on a roaming host, SEP agent is in “public network" location and WSS Agent is disconnected.
  • After F5 VPN tunnel come up again, SEP location should change from “public network” to “VPN” location and trigger the WSS Agent to connect. 

Once the F5 VPN tunnel is UP, WSS Agent host should typically connect to the WSS service within 20-30 seconds but occasionally takes of the order of minutes to connect.



WSS Agent 8.x

Symantec Endpoint Protection client with location services enabled

F5 VPN clients with dynamic routing function base on DNS resolution



F5 routing policy not sending out CTC requests, causing WSS Agent to fail to get needed CTC information and continue retrying,  eventually fallback to last working cached configuration after a delay.


Added CTC and PFMS routes statically to F5 VPN setup, instead of using F5 big IP dynamic routing function base on DNS resolution.

This guaranteed correct next hop for CTC communication, and connections succeeded from that point on.

Additional Information

  • PCAP on public interface only shows DNS requests but not TCP connections to CTC

  • WSS Agent logs confirm CTC communication fails and we fallback to last known CTC response cached
  • Routing table on the host showing default routes into VPN (no specific routes for CTC service, or PFMS) but no requests seen coming onto CTC service
    • VPN logs indicate no requests seen coming into VPN tunnel for the CTC service