users accessing internet sites via Cloud SWG using IPSEC access method.

Velo Edge devices are responsible for establishing the IPSEC tunnel into Cloud SWG.

At most sites where Velo Edge devices are located, the Cloud SWG admin clearly sees two active tunnels but one site in Sofia, Bulgaria only shows one active tunnel to GROBU (would usually see GROBU and GPOWA).

Cloud SWG admin is convinced that there were always two active tunnels, and some recent events much have caused the change.

Velo Edge with SSE plugin to Cloud SWG.

Localisation zone updates caused an API endpoint used by Velo (/locations/findClosestIngress) to return extra information, which the Velo side did not handle correctly.

Remove and re-install the SSE configuration on the Velo Edge admin portal.

After the localisation changes, the API returned the following information for the Velo device in Bulgaria.

The first IP address is GROBU, the nearest POP with the second and third IP address being for the Polish POP. The first of the Polish POP IP addresses is only used by WSS Agents to connect, and does not handle any IPSEC traffic (the second Polish POP IP address ending in 164 handles the IPSEC traffic).

{\\\"name\\\":\\\"GROBU\\\",\\\"ip\\\":\\\"168.149.148.164\\\",\\\"city\\\":\\\"Bucharest\\\",\\\"country\\\":\\\"RO\\\"},
\{\\\"name\\\":\\\"GPOWA1\\\",\\\"ip\\\":\\\"103.9.99.170\\\",\\\"city\\\":\\\"Warsaw\\\",\\\"country\\\":\\\"PL\\\"},
\{\\\"name\\\":\\\"GPOWA\\\",\\\"ip\\\":\\\"103.9.99.164\\\",\\\"city\\\":\\\"Warsaw\\\",\\\"country\\\":\\\"PL\\\"}]}*"}",

Changing the API to not return WSS Agent IP addresses fixed the issue.