Can't connect? Harmony SASE's Internet Connection Troubleshooting Guide
This article describes the basic troubleshooting steps in case of connection issues.
- This article aims to provide Harmony SASE users with basic steps to restore connectivity in case of a malfunction with the Harmony SASE agent connectivity.
- The steps in this article should be followed in numerical order.
Step 1: Change the Connection Protocol
The Harmony SASE Client (also referred to as the "Agent") offers two major VPN protocols through which you can connect to your public and private gateways:
- WireGuard
- OpenVPN
- Your Harmony SASE client may be set to "Default," meaning your workspace administrator controls this setting. It can only be modified by either an Admin or a Manager using a Policy rule under OS-Specific Configurations.
- "Default" is set to the Wireguard protocol for most workspaces.
Both VPN protocols are highly effective in terms of speed and security. However, depending on your local machine connectivity and internet connection, one protocol may perform better than the other. If you experience reduced performance or are unable to connect using one protocol, you can try switching to the other protocol to see if that improves your connection.
- Open your Harmony SASE application. Click the gear wheel at the bottom left corner and open Settings.
- Open the Protocols tab.
- Try another protocol.
- For example, if you are set to Default or Wireguard try the OpenVPN protocol.Always-On VPN
- If you have the "Always-On VPN" feature active via User-Groups Policies, you will need to disable it before being able to change the protocol.
- If you are not the Harmony SASE Admin, contact with your Harmony SASE Admin to disable this feature.
- For example, if you are set to Default or Wireguard try the OpenVPN protocol.
Step 2: Make sure your firewall allows incoming and outgoing traffic
- US Tenant:
- The Harmony SASE agent will attempt to establish a Transport Layer Security (TLS) connection to https://api.perimeter81.com using TCP port 443
- After authenticating, the Harmony SASE agent will attempt to pull configurations from the SDP Controller: sdp.perimeter81.com using TCP port 5050.
- swg-pu-lb-production.safersoftware.net using port 50051 for URL category queries.
- yarkon.perimeter81.com using port 50051 for agent usage information.
- EU Tenant:
- The Harmony SASE agent will attempt to establish a Transport Layer Security (TLS) connection to https://api.eu.sase.checkpoint.com using TCP port 443
- After authenticating, the Harmony SASE agent will attempt to pull configurations from the SDP Controller: sdp.eu.sase.checkpoint.com using TCP port 5050.
- swg-pu-lb-production.safersoftware.net using port 50051 for URL category queries.
- yarkon.eu.sase.checkpoint.com using port 50051 for agent usage information.
You can find the list of Gateway IPs that are used by your private network by navigating to your private Networks within the Admin Console:
Depending on the connection protocol chosen, you may need to enable inbound and outbound traffic using the following service ports:
UDP | TCP | |
WireGuard | 51821, 8000, 8055 | |
OpenVPN | 1194, 636 | 1195, 8443 |
Other protocols, such as ICMP (ping) are not supported on the gateways.
Step 3: Help us diagnose the issue and open a support ticket
As part of the troubleshooting methodology, we'd like to find out the scope of the problem:
- Can you connect to the network using another computer or mobile device? Please try connecting using another machine or your mobile device as a test.
The Harmony SASE agent is available across all major platforms: Click here to test using another Operating system. - Can you connect to the Perimeter81 network from another WiFi or local network? Please try another network or Mobile Hotspot to see if the connection is available.
Open a support ticket and attach your findings. Make sure to include
- A full description of the issue, including:
- What are the steps you are taking? (For example: "Whenever I open my MacBook lid, the Harmony SASE agent stops working")
- What is the expected result? (For example: "I expect to be able to connect using Wireguard, but all of our users can only use the OpenVPN protocol")
- What is the error you are seeing? (For example: "Unable establish SSL connection") Can you attach a screenshot?
- When was the last time that this issue happened to you?
- Is this the first time it happened, or did it occur in the past? If it happened before, when did the issue first start?
- The log files from the device that experienced the issue.How do I query the logs?If you're unsure where the log files are located or how to securely send them to our team, click here to read more.
- Your Harmony SASE Agent version. Please check for updates before opening a ticket.
- Your Operating System version. Are the latest updates and patches installed?
Our Support team works around the clock, ensuring stable usage of the Harmony SASE system.
When working on a ticket, we may ask leading questions to understand the nature of the problem. We appreciate your patience and cooperation in advance.