Magic Transit Training
Slide 25 of 32
Troubleshooting Common Issues
Quick Reference Guide
Issue 1: Tunnel Health Check Failing
Check: Customer allows ICMP from Cloudflare IPs
Check: GRE tunnel is up on customer side
Check: No firewall blocking GRE (protocol 47)
Issue 2: Endpoint Health Check Failing
Check: Customer allows ICMP from Cloudflare IPs
Check: Target endpoint is reachable
Check: No ACLs blocking probes
Issue 3: Prefix Not Advertising
Check: IRR entries valid
Check: LOA approved
Check: Prefixes unlocked in Ninja Panel
Check: RPKI valid (if using RPKI)
Issue 4: Traffic Drops/MSS Issues
Check: MSS clamp applied (1436 or lower)
Check: Applied on WAN interface, not tunnel