VeloCloud Edge device has SSE integration into Cloud SWG.
After the changes are activated, the VeloCloud Edge device appears correctly in the Cloud SWG Portal location.
VeloCloud Edge monitoring shows two IPsec tunnels successfully established with the Cloud SWG side.
Users browsing to any Web site fail to get any response; the standard browser connectivity error shows that the site cannot be reached.
Authentication was initially enabled, but was disabled for troubleshooting purposes without any change in behaviour.
PCAPs on the client side show TCP SYN outbound requests to any Web site being accessed without any responses back.
Cloud SWG.
VeloCloud Edge device.
Bug with Common Criteria Firewall policy on the Edge.
Disable the common criteria firewall policy in the Edge device configuration (visible under the Connectivity options, where it is shown as enabled).
PCAPs on the Cloud SWG side showed that the inbound TCP SYN requests were answered with corresponding server SYN-ACKs, which never made it to the client.
Since the server SYN-ACKs were coming back over the IPsec tunnel, something on the Edge was blocking them from being routed to the user.
Working through all enabled Edge configuration options, the Edge admin disabled every non-default option and identified the common criteria firewall as the culprit.
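The comparison of the client-side and Cloud SWG-side captures described above can be automated; the following is an added example, not part of the original article or any vendor tooling. It assumes each capture has been exported to rows of `src,dst,sport,dport,syn,ack` with flags as 1/0, that client addresses are preserved across the tunnel, and all sample rows and function names are constructed for illustration.

```python
import csv
from io import StringIO

# Constructed sample rows (not from the original case), columns:
# src,dst,sport,dport,syn,ack
CLIENT_CAPTURE = """\
10.1.1.20,203.0.113.10,51000,443,1,0
10.1.1.20,203.0.113.10,51000,443,1,0
10.1.1.20,198.51.100.7,51001,80,1,0
"""
UPSTREAM_CAPTURE = """\
10.1.1.20,203.0.113.10,51000,443,1,0
203.0.113.10,10.1.1.20,443,51000,1,1
"""

def handshakes(capture_text):
    """Return {flow: synack_seen} for every client SYN in one capture."""
    rows = [r for r in csv.reader(StringIO(capture_text)) if r]
    flows = {}
    for src, dst, sport, dport, syn, ack in rows:
        if syn == "1" and ack == "0":            # initial SYN (retransmits collapse)
            flows.setdefault((src, sport, dst, dport), False)
    for src, dst, sport, dport, syn, ack in rows:
        flow = (dst, dport, src, sport)          # SYN-ACK travels the reverse path
        if syn == "1" and ack == "1" and flow in flows:
            flows[flow] = True
    return flows

def localize(client_text, upstream_text):
    """Classify each client flow by where the handshake stops."""
    client = handshakes(client_text)
    upstream = handshakes(upstream_text)
    verdicts = {}
    for flow, answered in client.items():
        if answered:
            verdicts[flow] = "ok"
        elif flow not in upstream:
            verdicts[flow] = "syn-lost-outbound"       # SYN never reached upstream
        elif upstream[flow]:
            verdicts[flow] = "synack-lost-on-return"   # the pattern in this case
        else:
            verdicts[flow] = "no-synack-upstream"      # server side never answered
    return verdicts

if __name__ == "__main__":
    for flow, verdict in localize(CLIENT_CAPTURE, UPSTREAM_CAPTURE).items():
        print(flow, verdict)
```

A `synack-lost-on-return` verdict on every flow points at a device between the two capture points on the return path, which in this case was the Edge.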