The IPsec tunnel of the Firewall/VPN connection to the Web Security Service (WSS) data center either does not pass traffic, or it goes down and is not reestablished (it may stay connected for a time, but it keeps disconnecting).
Web Security Service
There are many potential causes for an IPsec tunnel to go down, and they may not be directly related to WSS. Common causes of IPsec tunnel disconnects include, but are not limited to:
Dead Peer Detection (DPD) is not enabled.
No tunnel monitoring method is in place.
Phase 1 and phase 2 timeout values are set too high.
Phase 2 timeout value is set higher than that of phase 1.
Traffic to the WSS data center over ports 80 and/or 443 is getting blocked.
DPD from WSS data center over port 500 is getting blocked (potentially by an application).
More than one IPsec tunnel has been created with the same egress IP, each one pointing to a different data center.
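The configuration-related causes in this list can be checked against an export of your tunnel settings. The following is an added example, not Symantec/WSS tooling: the field names, tunnel names, data center labels and documentation-range IPs are constructed, and the lifetime ceilings are supplied by the caller because this article does not state numeric limits. Blocked ports (80/443, 500) must be verified on the network path and are not covered here.

```python
from collections import defaultdict

def audit_tunnels(tunnels, max_p1_s, max_p2_s):
    """Return {tunnel name: [findings]} for the config-related causes above.

    max_p1_s / max_p2_s: caller-chosen lifetime ceilings in seconds
    (assumption: take them from your own vendor guidance).
    """
    findings = defaultdict(list)
    peers_by_egress = defaultdict(set)
    for t in tunnels:
        name = t["name"]
        peers_by_egress[t["egress_ip"]].add(t["peer_dc"])
        if not t.get("dpd_enabled", False):
            findings[name].append("DPD not enabled")
        if not t.get("monitor"):
            findings[name].append("no tunnel monitoring method")
        if t["p1_lifetime_s"] > max_p1_s:
            findings[name].append("phase 1 lifetime above limit")
        if t["p2_lifetime_s"] > max_p2_s:
            findings[name].append("phase 2 lifetime above limit")
        if t["p2_lifetime_s"] > t["p1_lifetime_s"]:
            findings[name].append("phase 2 lifetime exceeds phase 1")
    # Second pass: one egress IP must not front tunnels to different data centers.
    for t in tunnels:
        peers = peers_by_egress[t["egress_ip"]]
        if len(peers) > 1:
            findings[t["name"]].append(
                "egress IP %s is used by tunnels to %d data centers"
                % (t["egress_ip"], len(peers)))
    return dict(findings)

# Constructed inventory (hypothetical schema, RFC 5737 addresses).
SAMPLE_TUNNELS = [
    {"name": "hq-primary", "egress_ip": "203.0.113.10", "peer_dc": "dc-a",
     "dpd_enabled": True, "monitor": "icmp-probe",
     "p1_lifetime_s": 28800, "p2_lifetime_s": 3600},
    {"name": "hq-secondary", "egress_ip": "203.0.113.10", "peer_dc": "dc-b",
     "dpd_enabled": False, "monitor": None,
     "p1_lifetime_s": 3600, "p2_lifetime_s": 28800},
    {"name": "branch", "egress_ip": "203.0.113.20", "peer_dc": "dc-a",
     "dpd_enabled": True, "monitor": "icmp-probe",
     "p1_lifetime_s": 86400, "p2_lifetime_s": 3600},
]

if __name__ == "__main__":
    # 28800 / 3600 are placeholder ceilings for the demo, not WSS guidance.
    for name, issues in audit_tunnels(SAMPLE_TUNNELS, 28800, 3600).items():
        print(name, "->", "; ".join(issues))
```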
Follow these steps to better optimize your environment for a seamless experience with WSS.