Skip to main content

HSCN connectivity troubleshooting guide

This Health and Social Care Network (HSCN) connectivity troubleshooting guide will assist in isolating the cause of basic connectivity issues when using HSCN. It includes network connectivity, web page and web application connectivity issues.

This guide makes the following assumptions:

  1. A problem has been verified and the customer’s consumer network service provider (CNSP) has confirmed that the customer’s router has been successfully connected to HSCN in accordance with their agreed service readiness regime.
  2. The customer has connected to the customer premises equipment (CPE) and made the appropriate configuration changes to routers and firewalls allowing clients to communicate over HSCN.
  3. The testing is to be carried out on a PC or laptop with a Microsoft Windows operating system

The guide helps isolate the problem if the above have all been confirmed.

Internet Control Message Protocol and NHS Secure Boundary

A number of HSCN Consumer Network Service Providers (CNSPs) have chosen to connect to NHS Secure Boundary using Prisma Access for Clean Pipe.  If your HSCN CNSP has chosen this connection method it will no longer be possible to use Internet Control Message Protocol (ICMP) to test internet connectivity. All HSCN CNSPs were advised to carry out impact assessments and consult their customers when choosing how to connect to NHS Secure Boundary.

Users impacted by this can instead test internet connectivity by:

  • Attempting to connect to public websites generally available (for example, Google, BBC News).
  • Using Transmission Control Protocol (TCP) ping, an alternative to ICMP which is supported by the platform. is a TCP orientated ping alternative. A variety of TCP ping tools are available online and guidance on using TCP ping has been published by Microsoft

You should follow the standard process for contacting your CNSP, via your local service desk or network manager. Your CNSP will be able to provide further advice and guidance on testing access and connectivity

Troubleshooting to isolate the cause of an HSCN network problem

After a problem has been verified you should begin by carrying out a basic network test:

Local network test

Ensure that your PC is correctly connected to the local network and can connect to other networks (specifically HSCN).

  1. In the search bar type – command. This will bring up the command prompt box.
  2. In the command prompt box type – ipconfig. This will provide the IP address of your computer and your default gateway. Make a note of the IP address of your default gateway.
  3. Ping your default gateway. In the command prompt box type – ping x.x.x.x (where x.x.x.x is the IP address of your default gateway).
  4. If this fails, you have a local network connectivity issue and you need to contact your local network administrator/IT support.

HSCN connectivity test

Next, you can test connectivity to HSCN by checking if you can communicate with a common point on HSCN. With the command prompt window open type:

Ping 194.72.7.132 or ping 155.231.231.3 (these are the IP addresses of the Transition Network (TN) and HSCN DNS servers).

If these tests were successful then you are connected to HSCN. At this point you can begin testing for your specific issue.

Issue 1 - cannot connect to another network location on HSCN or the TN (IP address)

Using the command prompt window attempt to ping the IP address of your proposed destination.

If ping was unsuccessful then you need to determine how far the network traffic got before it failed. 

In the command prompt window type - tracert x.x.x.x (where x.x.x.x is the IP address of the destination). A successful trace should look similar to the below:

Successful trace in command prompt

If the trace fails to complete or a router intentionally does not respond to the Internet Control Message Protocol (ICMP) requests, then the below results will appear in the traceroute output:

command prompt traceroute output

Whilst ping and traceroute are rudimentary tests these results strongly indicate a routing incident, and your CNSP should be contacted to rule out a routing issue.

Note: a standard traceroute may time out in the middle due to routers intentionally not responding to the ICMP request. However, the traceroute should still reach the destination IP address. For a more comprehensive trace a Transmission Control Protocol (TCP) traceroute could be initiated, however Windows does not have a native TCP traceroute utility so advice on using a TCP traceroute falls out of the scope of this document.

Issue 2 - cannot connect to a web site, web application or web address (Uniform Resource Locator or URL) that is hosted on HSCN or the TN

Failure to connect to a web site or web application can often appear to be caused by a network issue when in fact the network is fine. This section addresses network and web related issues. 

Troubleshooting connectivity to a web site is usually more challenging than isolating a connectivity issue to a network address (IP address) because ping and traceroute are tools used to communicate with a physical or virtual device and may fail even though a network path to the web site is available. This is because a URL contains the protocol, domain name and path rather than just an IP address. Therefore, IP addresses and URLs have a one to many relationship.

Check for web related issues

  1. Ensure that you have network connectivity to HSCN using the methods described in issue 1, above.
  2. Test to ensure you have connectivity to a DNS server capable of resolving the URL:  in the command prompt window type – nslookup. The response should be the name and IP address of your DNS server. If nslookup fails you can ping the HSCN DNS server (155.231.231.3
  3. If this fails then a potential DNS issue should be investigated, which is out of the scope of this guide. Further information is available on the HSCN/TN DNS page.
  4. Open another tab, or window, in your browser and see if you can communicate with another website on HSCN other than the one causing the specific issue. For example, http://nww.digital.nhs.uk/.
  5. If one or both web sites fail to connect then try to connect using an alternative web browser. If the connection fails on multiple browsers the browser error message should be reviewed.

Common browser error messages

“This site can’t be reached - <IP address> took too long to respond”

This error message usually indicates a network or routing issue. If HSCN connectivity has been confirmed, then there may be a routing issue to the specific service you are attempting to connect with. You should then consult your CNSP to investigate routing issues.

“The connection was interrupted” or “The connection was reset” or “The connection has timed out”

These messages generally indicate that something has changed since the webpage was last viewed or connection attempted.

You should clear the browser cache and cookie settings - take the appropriate steps depending upon the browser that you use. Note: clearing your browser cache and cookies may erase your browsing history, sign you out of sites requiring a password and delete saved passwords and usernames.

Next, clear the computer’s DNS cache. From a command prompt window type ipconfig /flushdns.

“Secure connection failed”

This error message will be followed by additional information, including an error code. The most common causes of this problem to be investigated are:

  1. The web site cryptographic protocol (TLS) has been superseded and is now outdated. Some browsers will prevent access to a site with outdated cryptographic protocols. You can contact the web site administrator to check this.
  2. Some desktop security products prevent access to certain secure sites unless secure socket layer (ssl) or transport layer security(tls) application protocol content filtering is enabled. You can consult your security product literature to check this.
  3. Ensure that the computer that is being used to test connectivity is set to the correct date and time.

“Your connection is not secure”

Error occurs on all https sites - some browsers can detect that a secure connection has been intercepted and inspected, such as by a proxy or internet security program. This should be ruled out as a potential cause.

Error occurs on all https sites - some client Internet security products can intercept and scan encrypted connections. Consult your product literature.

Error occurs on only one https site: this indicates a certificate issue and is usually the result of:

  • a missing intermediate certificate
  • use of a self-signed certificate
  • a faulty certificate

In the case of a single https site issue contact the web site administrator. 

Note: advanced investigation and analysis can be carried out using: 

  • openssl’s s_client
  • Telnet
  • Netstat
  • Online Subnet & IP calculators
  • Speedtest.net
  • Pathping
  • Route

Discussion of these tools is out of the scope of this guide and you should familiarise yourself with them before using.

Further assistance

When contacting your CNSP to raise an incident please tell them:

  • a brief description of the issue and your actions to investigate and/or resolve the issue
  • the results you were anticipating
  • if you're aware of other HSCN users experiencing the same issue
  • if you’ve tried some basic tests to ensure that you have connectivity to HSCN (and what the results were)
  • the IP address and/or the URL of the location you are attempting to communicate with
  • a brief description of the service you are attempting to connect to

Provide as much detail as possible.

Last edited: 30 June 2020 9:00 am