https://community.cisco.com/t5/web-security/trace-issues/m-p/1131165#M464 <P>If I try a trace on a website which is allowed (say <A href="https://community.cisco.com/www.bbc.co.uk" target="_blank">www.bbc.co.uk</A> - News is allowed for all users/access policies) with a specific user whose group membership gets listed successfully and click trace, I get the following:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">URL Check<BR />Object Size: 243 bytes<BR />MIME-Type: text/html<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: Global Routing Policy<BR />Access policy: Global Access Policy<BR />Final Result<BR />Request completed<BR />Details: Transaction permitted<BR />Trace session complete</PRE><BR /><BR />However if I keep the user the same, but change the URL to something that is not permitted (say, <A href="https://community.cisco.com/www.sex.com" target="_blank">www.sex.com</A> - Adult is blocked for all access policies), I get this:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">URL Check<BR />Object Size: 187 bytes<BR />MIME-Type: text/html<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: Global Routing Policy<BR />Access policy: Global Access Policy<BR />Final Result<BR />Request completed<BR />Details: Transaction permitted<BR />Trace session complete</PRE><BR /><BR />If we change the IP to one that is in a specific access group, it is listed as blocked:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><BR />URL Check<BR />URL Category: Adult/Sexually Explicit<BR />WBRS Score: 3.0<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: None<BR />Access policy: Bypass_IP<BR />Final Result<BR />Request blocked<BR />Details: Request blocked based on predefined URL category<BR />Trace session complete</PRE><BR /><BR />What's going on?! The website is actually blocked, but why doesn't the trace say so?</P> Thu, 11 Dec 2008 18:33:29 GMT AndrewR_ironport 2008-12-11T18:33:29Z https://community.cisco.com/t5/web-security/trace-issues/m-p/1131165#M464 <P>If I try a trace on a website which is allowed (say <A href="https://community.cisco.com/www.bbc.co.uk" target="_blank">www.bbc.co.uk</A> - News is allowed for all users/access policies) with a specific user whose group membership gets listed successfully and click trace, I get the following:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">URL Check<BR />Object Size: 243 bytes<BR />MIME-Type: text/html<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: Global Routing Policy<BR />Access policy: Global Access Policy<BR />Final Result<BR />Request completed<BR />Details: Transaction permitted<BR />Trace session complete</PRE><BR /><BR />However if I keep the user the same, but change the URL to something that is not permitted (say, <A href="https://community.cisco.com/www.sex.com" target="_blank">www.sex.com</A> - Adult is blocked for all access policies), I get this:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">URL Check<BR />Object Size: 187 bytes<BR />MIME-Type: text/html<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: Global Routing Policy<BR />Access policy: Global Access Policy<BR />Final Result<BR />Request completed<BR />Details: Transaction permitted<BR />Trace session complete</PRE><BR /><BR />If we change the IP to one that is in a specific access group, it is listed as blocked:<BR /><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><BR />URL Check<BR />URL Category: Adult/Sexually Explicit<BR />WBRS Score: 3.0<BR />Policy Match<BR />Decryption policy: None<BR />Routing policy: None<BR />Access policy: Bypass_IP<BR />Final Result<BR />Request blocked<BR />Details: Request blocked based on predefined URL category<BR />Trace session complete</PRE><BR /><BR />What's going on?! The website is actually blocked, but why doesn't the trace say so?</P> Thu, 11 Dec 2008 18:33:29 GMT https://community.cisco.com/t5/web-security/trace-issues/m-p/1131165#M464 AndrewR_ironport 2008-12-11T18:33:29Z https://community.cisco.com/t5/web-security/trace-issues/m-p/1131166#M465 <HTML><HEAD></HEAD><BODY><P>I believe i have had something similar,<BR />For me it was having multiple groups returned as "Authorised Groups" and the workaround for me was to remove all the other groups that are returned except the one I want to test for (i.e. that matches the access policy) and it appears to work</P></BODY></HTML> Fri, 12 Dec 2008 01:08:29 GMT https://community.cisco.com/t5/web-security/trace-issues/m-p/1131166#M465 john.phillips 2008-12-12T01:08:29Z https://community.cisco.com/t5/web-security/trace-issues/m-p/1131167#M466 <HTML><HEAD></HEAD><BODY><P>Andrew,<BR /><BR />Are you including an IP address in steps 1 and 2 above? <BR /><BR />I recommened filing a support ticket and having technical support investigate the issue deeper.</P></BODY></HTML> Fri, 12 Dec 2008 05:45:14 GMT https://community.cisco.com/t5/web-security/trace-issues/m-p/1131167#M466 jowolfer 2008-12-12T05:45:14Z https://community.cisco.com/t5/web-security/trace-issues/m-p/1131168#M467 <HTML><HEAD></HEAD><BODY><P>Unfortunately, yep, I am including a generic IP that's on our LAN. I'll open a ticket and see what they say!</P></BODY></HTML> Fri, 12 Dec 2008 18:39:51 GMT https://community.cisco.com/t5/web-security/trace-issues/m-p/1131168#M467 AndrewR_ironport 2008-12-12T18:39:51Z