Problem
The IXrouter can reach the internet, but does not come online. A company firewall does not actively block the connection.
Note
Refer to the following article to confirm that the IXrouter has internet access: Troubleshooting - unable to connect your IXrouter to the IXON Cloud.Cause
The company firewall has SSL inspection enabled. With SSL inspection, each network package is decrypted, read, encrypted, and signed with a new certificate. This new certificate isn’t trusted by the IXON Cloud. Thus, the IXrouter is unable to set up a VPN, Configuration, and Data logging connection.
Note that other terms could be used instead of SSL inspection, like SSL decryption, SSL Proxy, Deep Packet Inspection, or Forward Proxy Decryption.
Solution
Disable SSL inspection on the company firewall for network traffic from the IXrouter (source-based) or to the IXON domains listed here (destination-based). For guidance, consult the firewall manufacturer’s documentation or contact them directly.
Some examples for specific brands:
Fortinet
Under Policy & Objects > Firewall Policy, create a new rule that has Inspection Mode configured with Flow-based (not Proxy-based). For more information refer to the Fortinet documentation.
Palo Alto
Under Policies > Decryption, create a rule of the type ssl-forward-proxy that has the action no-decrypt. For more information refer to the Palo Alto documentation.
WatchGuard
Create a firewall policy rule that doesn’t have HTTPS-Proxy enabled. For more information refer to the WatchGuard documentation.