Connectivity to one bypassed domain fails after Agent Traffic Manager tenant upgrade


Article ID: 383180


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using WSS Agents on Windows.

A global bypass list exists for domains whose traffic should go direct and not via Cloud SWG.

After all Cloud SWG tenants were upgraded to include 'Advanced Agent Traffic Manager' features such as 'Traffic bypass rules', where different bypass lists can apply to different users/groups, users could not access one specific application that had worked prior to the change.

The failing application domain was bypassed from Cloud SWG, yet traffic was logged as going through Cloud SWG and failing.

No recent changes had been made to the bypass list, and the Portal showed that all expected bypasses, including the problem domain, were listed as expected (the Domain and IP bypass lists included the same number of entries that were seen prior to enabling Advanced Agent Traffic Manager for this tenant).

Symdiag confirmed that the in-tunnel PCAPs showed TCP SYN requests going to the domain that should have been bypassed.

Environment

Cloud SWG.

WSS Agent.

WSS bypass list configured.

Cause

Unknown, although the assumption is that the entry for a single domain was corrupted.

Resolution

The problem domain was manually removed from the bypass list and re-added.

Additional Information

WSS Agent logs confirmed the 'number of bypass domains' matched the number of domains configured.

PCAPs from the public interface showed that the DNS resolution matched and a valid IP address was returned.

PCAPs from the in-tunnel interface showed requests being sent to Cloud SWG via the tunnel.

WSS Agent debug logs did not show any bypass despite the matching domain.
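
The cross-check described above (DNS answers seen on the public interface compared against TCP SYN destinations in the in-tunnel capture) can be scripted. The following is an added example, not Broadcom tooling or part of the original article. It assumes a classic pcap file whose link type is raw IPv4; the function names, the domain and the IP addresses are constructed for illustration.

```python
import socket
import struct

LINKTYPE_RAW = 101  # assumption: the tunnel capture holds bare IPv4 packets

def syn_destinations(pcap):
    """Yield (dst_ip, dst_port) for every initial TCP SYN in a classic pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != LINKTYPE_RAW:
        raise ValueError("unsupported link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue  # not IPv4 carrying TCP
        tcp = pkt[(pkt[0] & 0x0F) * 4:]
        if len(tcp) >= 14 and tcp[13] & 0x12 == 0x02:  # SYN set, ACK clear
            yield socket.inet_ntoa(pkt[16:20]), struct.unpack("!H", tcp[2:4])[0]

def bypass_leaks(tunnel_pcap, resolved, bypass_domains):
    """Return (domain, ip, port) for SYNs in the tunnel to bypassed domains."""
    owner = {ip: d for d in bypass_domains for ip in resolved.get(d, ())}
    return [(owner[ip], ip, port)
            for ip, port in syn_destinations(tunnel_pcap) if ip in owner]

def _packet(dst, flags):
    """Build one constructed pcap record: IPv4 + TCP to dst:443."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, flags, 65535, 0, 0)
    return struct.pack("<IIII", 0, 0, 40, 40) + ip + tcp

# Constructed sample data (documentation IP ranges, hypothetical domain).
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
               + _packet("203.0.113.10", 0x02)    # SYN to the bypassed domain's IP
               + _packet("198.51.100.7", 0x02)    # SYN to a non-bypassed site
               + _packet("203.0.113.10", 0x10))   # bare ACK, not a new connection
RESOLVED = {"app.example.com": ["203.0.113.10"]}  # from the public-interface DNS answers

if __name__ == "__main__":
    for domain, ip, port in bypass_leaks(SAMPLE_PCAP, RESOLVED, ["app.example.com"]):
        print(f"LEAK: {domain} ({ip}:{port}) was sent into the tunnel")
```

Any row returned means a connection to a bypassed domain was opened inside the tunnel, which is the symptom this article describes.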