HSCN connectivity troubleshooting guide

After a problem has been verified you should begin by carrying out a basic network test:

Local network test

Ensure that your PC is correctly connected to the local network and can connect to other networks (specifically HSCN).

1. In the search bar type – command. This will bring up the command prompt box.
2. In the command prompt box type – ipconfig. This will provide the IP address of your computer and your default gateway. Make a note of the IP address of your default gateway.
3. Ping your default gateway. In the command prompt box type – ping x.x.x.x (where x.x.x.x is the IP address of your default gateway).
4. If this fails, you have a local network connectivity issue and you need to contact your local network administrator/IT support.

HSCN connectivity test

Next, you can test connectivity to HSCN by checking if you can communicate with a common point on HSCN. With the command prompt window open type:

Ping 194.72.7.132 or ping 155.231.231.3 (these are the IP addresses of the Transition Network (TN) and HSCN DNS servers).

If these tests were successful then you are connected to HSCN. At this point you can begin testing for your specific issue.

Issue 1 - cannot connect to another network location on HSCN or the TN (IP address)

Using the command prompt window attempt to ping the IP address of your proposed destination.

If ping was unsuccessful then you need to determine how far the network traffic got before it failed. 

In the command prompt window type - tracert x.x.x.x (where x.x.x.x is the IP address of the destination). A successful trace should look similar to the below:

If the trace fails to complete or a router intentionally does not respond to the Internet Control Message Protocol (ICMP) requests, then the below results will appear in the traceroute output:

Whilst ping and traceroute are rudimentary tests these results strongly indicate a routing incident, and your CNSP should be contacted to rule out a routing issue.

Note: a standard traceroute may time out in the middle due to routers intentionally not responding to the ICMP request. However, the traceroute should still reach the destination IP address. For a more comprehensive trace a Transmission Control Protocol (TCP) traceroute could be initiated, however Windows does not have a native TCP traceroute utility so advice on using a TCP traceroute falls out of the scope of this document.

Issue 2 - cannot connect to a web site, web application or web address (Uniform Resource Locator or URL) that is hosted on HSCN or the TN

Failure to connect to a web site or web application can often appear to be caused by a network issue when in fact the network is fine. This section addresses network and web related issues. 

Troubleshooting connectivity to a web site is usually more challenging than isolating a connectivity issue to a network address (IP address) because ping and traceroute are tools used to communicate with a physical or virtual device and may fail even though a network path to the web site is available. This is because a URL contains the protocol, domain name and path rather than just an IP address. Therefore, IP addresses and URLs have a one to many relationship.

Check for web related issues

1. Ensure that you have network connectivity to HSCN using the methods described in issue 1, above.
2. Test to ensure you have connectivity to a DNS server capable of resolving the URL:  in the command prompt window type – nslookup. The response should be the name and IP address of your DNS server. If nslookup fails you can ping the HSCN DNS server (155.231.231.3) 
3. If this fails then a potential DNS issue should be investigated, which is out of the scope of this guide. Further information is available on the HSCN/TN DNS page.
4. Open another tab, or window, in your browser and see if you can communicate with another website on HSCN other than the one causing the specific issue. For example, http://nww.digital.nhs.uk/.
5. If one or both web sites fail to connect then try to connect using an alternative web browser. If the connection fails on multiple browsers the browser error message should be reviewed.

“This site can’t be reached - <IP address> took too long to respond”

This error message usually indicates a network or routing issue. If HSCN connectivity has been confirmed, then there may be a routing issue to the specific service you are attempting to connect with. You should then consult your CNSP to investigate routing issues.

“The connection was interrupted” or “The connection was reset” or “The connection has timed out”

These messages generally indicate that something has changed since the webpage was last viewed or connection attempted.

You should clear the browser cache and cookie settings - take the appropriate steps depending upon the browser that you use. Note: clearing your browser cache and cookies may erase your browsing history, sign you out of sites requiring a password and delete saved passwords and usernames.

Next, clear the computer’s DNS cache. From a command prompt window type ipconfig /flushdns.

“Secure connection failed”

This error message will be followed by additional information, including an error code. The most common causes of this problem to be investigated are:

1. The web site cryptographic protocol (TLS) has been superseded and is now outdated. Some browsers will prevent access to a site with outdated cryptographic protocols. You can contact the web site administrator to check this.
2. Some desktop security products prevent access to certain secure sites unless secure socket layer (ssl) or transport layer security(tls) application protocol content filtering is enabled. You can consult your security product literature to check this.
3. Ensure that the computer that is being used to test connectivity is set to the correct date and time.

“Your connection is not secure”

Error occurs on all https sites - some browsers can detect that a secure connection has been intercepted and inspected, such as by a proxy or internet security program. This should be ruled out as a potential cause.

Error occurs on all https sites - some client Internet security products can intercept and scan encrypted connections. Consult your product literature.

Error occurs on only one https site: this indicates a certificate issue and is usually the result of:

• a missing intermediate certificate
• use of a self-signed certificate
• a faulty certificate

In the case of a single https site issue contact the web site administrator. 

Note: advanced investigation and analysis can be carried out using: 

• openssl’s s_client
• Telnet
• Netstat
• Online Subnet & IP calculators
• Speedtest.net
• Pathping
• Route

Discussion of these tools is out of the scope of this guide and you should familiarise yourself with them before using.

When contacting your CNSP to raise an incident please tell them:

• a brief description of the issue and your actions to investigate and/or resolve the issue
• the results you were anticipating
• if you're aware of other HSCN users experiencing the same issue
• if you’ve tried some basic tests to ensure that you have connectivity to HSCN (and what the results were)
• the IP address and/or the URL of the location you are attempting to communicate with
• a brief description of the service you are attempting to connect to

Provide as much detail as possible.