Getting ERR_TUNNEL_CONNECTION_FAILED in browser when accessing any secure site on non-standard port

Article ID: 267997

Updated On: 03-19-2024

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are not able to access secure sites on non-standard ports (i.e.  via Cloud SWG (formerly known as WSS) with the following access methods:

  1. Explicit proxy
  2. Explicit Over IPsec (Trans-Proxy)
  3. WSS Agent active with selective intercept

The browser shows the generic error message ERR_TUNNEL_CONNECTION_FAILED.

The WSS Report shows the Verdict as connect_method_denied.

Resolution

To allow access to secure sites on non-standard ports with the following access methods, remove the affected sources (i.e. Location, Client IP address, Subnets) or destinations (i.e. domain, Category, Web Application, Subnet) from the Content and Malware Scanning Exemptions, then Activate Policy to resolve this issue.

  1. Explicit proxy
  2. Explicit Over IPsec (Trans-Proxy)
  3. WSS Agent active with selective intercept

Reference Techdocs links:

Exempt a Source From Cloud SWG Malware Scanning
Exempt a Destination From Malware Scan

Important Note:

When affected sources (i.e. Location, Client IP address, Subnets) or destinations (i.e. domain, Category, Web Application, Subnet) are added to the Content and Malware Scanning Exemptions, Cloud SWG disables protocol detection, so the request is denied at the TCP layer (refer to the WSS Report snapshot mentioned in the issue description). As soon as they are removed from the Content and Malware Scanning Exemptions, the request is handed off from the TCP layer to the HTTP proxy and is allowed.
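
To check the explicit-proxy case outside the browser, before and after changing the exemptions, the following added example (not part of the original article and not Broadcom tooling) sends one CONNECT for the non-standard port through the proxy and reports whether the tunnel was established, refused with an HTTP status, or closed before any HTTP reply. The proxy and target values are arguments you supply; the article does not state how the TCP-layer denial appears on the wire, so the outcome names here are assumptions of this example.

```python
import socket
import sys

def classify_connect_reply(data: bytes):
    """Classify the first bytes a proxy returned for a CONNECT request."""
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        # Nothing that parses as an HTTP status line came back
        return "closed_without_http", status_line or "no bytes received"
    code = int(parts[1])
    outcome = "tunnel_established" if 200 <= code < 300 else "http_denied"
    return outcome, status_line

def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send one CONNECT through an explicit proxy and classify the outcome."""
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n\r\n"
    ).encode("ascii")
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        return "proxy_unreachable", str(exc)
    data = b""
    with sock:
        try:
            sock.sendall(request)
            # Read until the status line is complete or the peer closes
            while b"\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError as exc:  # reset or timeout while waiting for a reply
            return "closed_without_http", str(exc)
    return classify_connect_reply(data)

if __name__ == "__main__":
    # Usage: probe.py <proxy_host> <proxy_port> <target_host> <target_port>
    # All four values are supplied by you; none come from the article.
    p_host, p_port, t_host, t_port = sys.argv[1:5]
    print(probe_connect(p_host, int(p_port), t_host, int(t_port)))
```

A result other than `tunnel_established` while the source or destination is still exempted, followed by `tunnel_established` after the exemption is removed and the policy activated, matches the behaviour described in the note above.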