07-01-2016 03:25 PM
Hi,
I am fairly new to the Cisco WSA. I was recently promoted to an associate security analyst and have taken a few courses to prepare (SSFAMP, SSFIPS & SWSA) as well as had some guidance on the Cisco products through a consultant our company hired.
I have recently come across an issue with a website. The website has been whitelisted but the user is still unable to access the site. The user gets a Cisco WSA block page stating "Based on your organization's access policies, access to this web site (https://www.example.com) has been blocked because the web category 'WhiteList' is not allowed".
When I run a policy trace to the web site using the user's IP address the results ultimately state the following:
Final Result
Request Blocked
Details: gateway timeout
Trace Session complete
I feel like I have exhausted all possibilities but cannot figure out a solution.
07-06-2016 04:30 PM
Hi,
Get the accesslogs from the WSA CLI when trying to access the site and experiencing the issue to see what actions the appliance has taken and what Identity and policy it was using.
To grep the access logs for an entry, SSH into the WSA and run the following command from the CLI:
1. Grep
2. Enter the number of the log you wish to grep: 1 (for access logs)
3. Enter the regular expression to grep: <client IP>
4. Do you want this search to be case insensitive?: Y
5. Do you want to search for non-matching lines? [N]> N
6. Do you want to tail the logs?: Y
7. Do you want to paginate the output?: N
If you need help understanding the accesslogs output, you can share the output to this thread to review.
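As an added example (not from this thread or from Cisco), a small Python parser that does what the grep step above does by hand: filter access log lines by client IP and pull out the result code, decision tag, matched policy group and identity. The Squid-style field layout and the sample lines are my assumptions; check them against the accesslog layout on your own appliance.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample lines, not a real capture. Layout assumed (Squid-style):
# ts elapsed client_ip result/status bytes method url user hierarchy mime acl_tag ...
# where acl_tag = decision-policygroup-identity-malware-datasec-dlp-routing.
SAMPLE_ACCESSLOG = """\
1467385500.123 45 10.20.30.40 TCP_MISS/200 5120 GET http://intranet.example.net/ jdoe DIRECT/intranet.example.net text/html DEFAULT_CASE_11-WhiteList_Policy-AD_Users-NONE-NONE-NONE-DefaultRouting <IW_comp,-,-> -
1467385510.456 30012 10.20.30.40 TCP_DENIED/504 0 CONNECT www.example.com:443 jdoe NONE/- - OTHER-NONE-WhiteList_Policy-AD_Users-NONE-NONE-NONE-DefaultRouting <IW_busi,-,-> -
1467385520.789 12 10.20.30.41 TCP_MISS/200 2048 GET http://news.example.org/ asmith DIRECT/news.example.org text/html DEFAULT_CASE_11-Global_Policy-AD_Users-NONE-NONE-NONE-DefaultRouting <IW_news,-,-> -
"""


@dataclass
class AccessEntry:
    client_ip: str
    elapsed_ms: int
    result: str         # e.g. TCP_DENIED/504
    status: int         # HTTP status the appliance returned
    url: str
    decision: str       # decision tag, e.g. DEFAULT_CASE_11
    policy_group: str   # access policy group that was matched
    identity: str       # identification profile that was matched


def parse_line(line: str) -> AccessEntry:
    f = line.split(None, 11)            # keep the scan-verdict tail in one piece
    if len(f) < 11:
        raise ValueError(f"unexpected field count in: {line!r}")
    # Decision tags can contain a hyphen (e.g. OTHER-NONE) while the six policy
    # names are assumed not to, so peel the policy names off from the right.
    parts = f[10].rsplit("-", 6)
    if len(parts) != 7:
        raise ValueError(f"unexpected ACL tag: {f[10]!r}")
    return AccessEntry(
        client_ip=f[2], elapsed_ms=int(f[1]), result=f[3],
        status=int(f[3].split("/")[1]), url=f[6],
        decision=parts[0], policy_group=parts[1], identity=parts[2],
    )


def entries_for_client(log_text: str, client_ip: str) -> List[AccessEntry]:
    """Equivalent of grepping accesslogs for one client IP, but structured."""
    return [e for e in (parse_line(l) for l in log_text.splitlines() if l.strip())
            if e.client_ip == client_ip]


if __name__ == "__main__":
    for e in entries_for_client(SAMPLE_ACCESSLOG, "10.20.30.40"):
        print(f"{e.result:16} {e.elapsed_ms:>6}ms {e.decision:16} "
              f"policy={e.policy_group} identity={e.identity} {e.url}")
```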
07-07-2016 09:45 AM
Thank you for the response, Handy, very much appreciated. I will give this a try and report back. Do the logs take a while to populate? I seem to only get this far:
07-07-2016 04:31 PM
accesslogs will log a complete transaction/traffic. If the connection or handshake is not even completed, it might not show in the accesslogs.
Also, if it is a gateway timeout, it might take longer to show up too.
If you take a packet capture from the WSA with the client- and server-side connections, you should see the traffic at the packet level in more depth.
07-07-2016 04:35 PM
So I left the session running and, after some time, PuTTY just shuts down. No messages or anything. This occurred with 4 different attempts. To clarify, 4 different client IPs.
07-07-2016 06:23 PM
Would suggest taking a packet capture in the WSA:
GUI -> Support and Help -> Packet Capture (make sure you take the capture on the correct interface and also put in the client and destination addresses to see client and server packets).
I would also suggest opening a TAC case to get a more in-depth investigation of the issue.
07-08-2016 09:18 AM
Will do Handy. Thanks again for all of your help.