Certain external websites failing for clients going through our WSAs, but not actually blocked

Stafford Rau
Level 1

We have a pair of Ironport S370s for web content filtering and user activity monitoring. Client sessions are transparently redirected through them via WCCP from our core routers, and we're using Active Directory transparent authentication.

 

We have experienced several occasions where an external website will fail to load, or will not load completely when the client requesting the site is being redirected through the WSAs. When I exempt that client from going through the proxies (by way of the ACL controlling WCCP redirection), the sites load without trouble.

 

Nothing in the WSA logs shows up as blocked. No config changes on the WSAs have been shown to correct this issue - not even adding a custom URL category, adding these sites to the proxy bypass list, etc.

 

Typically when this happens, I can simply put in an ACL entry exempting traffic going to that website from WCCP redirection. However, the recent trouble spot has been a site that is using the Akamai CDN, and the component that seems to be the main culprit refers to a different service that appears to be hosted by a different CDN. The ACL has to use IP addresses, and as you know, addresses on CDNs can change all the time.

 

Also note that I have an open TAC case on this specific issue, which I opened seven weeks ago. It's still not resolved, nor does it seem like any progress is being made, even after going up one escalation level. My experience to date with Ironport TAC support is that after an initial bit of activity, I simply stop hearing back from the TAC engineer when it turns out to be a non-trivial issue.

 

Does this sort of issue ring any bells for anyone out there? The particular site causing problems this time is a GIS software vendor, www.esri.com. The component that seems to be the hangup is something from fast.fonts.com.

 

If any of you Cisco folks would like to take a look at the case, it's 633663619.
