04-25-2024 06:40 AM
Hi, we have 2 WSAs, out of which one WSA is showing a 503 error for a specific site. When I tried nslookup in the WSA for that site, it shows the server returned no data (in both WSAs).
But the site is working in one WSA and not in the other, and after 15 mins the site started working. Has anyone faced the same issue?
This is happening for random sites, but not frequently.
Anything else to be done?
04-26-2024 10:09 AM
dig uses UDP 53 to the server that you are defining.
It could be some other device before your firewall that is not allowing this connection, or the traffic is going out from the wrong interface.
You can specify the source interface in the dig command:
dig [-s <source IP>] [@<IP address>] hostname [qtype]
# for example if:
# P2 IP address : 10.10.10.10
# DNS IP : 10.1.1.1
dig -s 10.10.10.10 @10.1.1.1 www.cisco.com A
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
04-25-2024 10:09 AM
Hello @DK9
Kindly:
[1] In an explicit deployment, the WSA is doing the name resolution; in a transparent deployment (WCCP, PBR, ...) the client does.
[2] How many DNS servers have you configured in your WSA? If you have more than one, maybe one of the DNS servers is returning no data for name resolution:
WSA_CLI> dig @10.1.1.1 www.example.com
WSA_CLI> dig @10.2.2.2 www.example.com
[3] Else I would say it is best to have a PCAP; maybe there are some issues from upstream (blocked, delayed, or non-standard reply).
It is best to filter for both the client IP and the web server IP (with a logical OR):
host x.x.x.x or host y.y.y.y
Please replace the x.x.x.x and y.y.y.y with the client and server IP addresses.
Regards,
Amirhossein Mojarrad
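The two checks above (querying each configured resolver separately, and querying from the data interface address rather than the management interface) can be combined into one script. This is an added example, not code from the thread or from the WSA; it assumes ISC dig on a Linux/BSD host, where the source address is set with -b (the WSA CLI dig in the accepted answer uses -s for the same purpose), and the 10.x addresses are the thread's own sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a dig reply so that
# "no data" from one resolver (post [2]) can be told apart from a timeout
# caused by the query leaving the wrong interface (accepted answer).
# Assumes ISC dig: source address is -b here, -s on the WSA CLI.

# classify_dig_output reads dig output on stdin and prints one of:
#   ANSWER   NOERROR with records in the ANSWER section
#   NODATA   NOERROR but ANSWER: 0 (name exists, no record of that type)
#   NXDOMAIN name does not exist
#   SERVFAIL resolver failed (upstream problem, post [3])
#   TIMEOUT  no reply at all (UDP/53 blocked or wrong egress interface)
#   OTHER    any other status (REFUSED, ...)
classify_dig_output() {
  awk '
    /connection timed out; no servers could be reached/ { timeout = 1 }
    /->>HEADER<<-/ {
      for (i = 1; i <= NF; i++) if ($i == "status:") { status = $(i+1); sub(/,/, "", status) }
    }
    /^;; flags:/ {
      for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { answers = $(i+1); sub(/,/, "", answers) }
    }
    END {
      if (timeout)                                     print "TIMEOUT"
      else if (status == "NOERROR" && answers + 0 > 0) print "ANSWER"
      else if (status == "NOERROR")                    print "NODATA"
      else if (status == "NXDOMAIN")                   print "NXDOMAIN"
      else if (status == "SERVFAIL")                   print "SERVFAIL"
      else                                             print "OTHER"
    }'
}

# check_resolvers SOURCE_IP NAME SERVER...: query each configured resolver
# from the data-interface address (e.g. P2) and print "server verdict".
# Resolvers disagreeing (ANSWER vs NODATA) points at one bad server;
# TIMEOUT on every server points at the path or the egress interface.
check_resolvers() {
  src=$1; name=$2; shift 2
  for server in "$@"; do
    verdict=$(dig +time=2 +tries=1 -b "$src" @"$server" "$name" A | classify_dig_output)
    printf '%s %s\n' "$server" "$verdict"
  done
}

# Constructed sample replies (not real captures) for offline testing.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
```

Run it as `check_resolvers 10.10.10.10 www.example.com 10.1.1.1 10.2.2.2` from the data interface address; a NODATA from only one server reproduces the "server returned no data" symptom from the original post.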
04-26-2024 01:57 AM
Yeah, I have 2, but I am not getting any response for the dig command. Does the dig command use the same port 53 for outside communication? As we have a firewall, we have whitelisted only port 53 to 8.8.8.8.
I took the pcap too with the filter ip host xyzx.com, but in the pcap I am not seeing any traffic in the SNI of that website.
04-26-2024 05:14 AM
Thanks for the updates.
I would say, if there is not much load on the WSA, try to capture a PCAP without any filter; else you can filter for the hosts and port 53.
Then please clear the DNS cache (GUI > Network > DNS > Clear Cache) and try to reproduce the issue.
Side note: if you can have a PCAP from the firewall at the same time, that might come in handy.
Regards,
Amirhossein Mojarrad
04-26-2024 05:18 AM
Sure, we will do that and check.
Meanwhile, any idea why I am not getting any output for the dig command? Do we need to open any ports in the firewall for outside communication for the dig command, as we have opened only port 53?
04-28-2024 09:31 PM
Yeah, it worked. I think it was sending via the management interface. Thanks a lot.
04-29-2024 04:49 AM
Thanks for the update @DK9
05-15-2024 10:32 PM
@DK9 wrote: Hi, we have 2 WSAs, out of which one WSA is showing a 503 error for a specific site. When I tried nslookup in the WSA for that site, it shows the server returned no data (in both WSAs).
But the site is working in one WSA and not in the other, and after 15 mins the site started working. Has anyone faced the same issue?
This is happening for random sites, but not frequently.
- Tried clearing the DNS cache
- DNS TTL value is 15 min in the WSA
Anything else to be done?
Hello @DK9
Here is a solution for the problem you are facing:
"
Certainly! The 503 Service Unavailable error can occur due to various reasons. Let’s troubleshoot the issue step by step:
Check Resource Usage:
Ensure that the Web Security Appliance (WSA) is not overloaded in terms of CPU, memory, or other resources.
Monitor resource utilization and consider upgrading if necessary.
Check for Ongoing Maintenance:
Verify if there is any ongoing maintenance or updates on the WSA.
Sometimes maintenance can cause temporary unavailability.
Stop Running Processes:
Check if there are any processes consuming excessive resources.
Stop any unnecessary processes or services.
Reset Firewall:
Restart the WSA firewall service.
Sometimes a firewall rule might be blocking access.
Check Server Logs and Fix the Code:
Review server logs for any errors or warnings related to the specific site.
Fix any issues in the code or configuration.
Restart Your Server and Networking Equipment:
Restart the WSA and any networking equipment (routers, switches).
Sometimes a simple restart can resolve connectivity issues.
Check Your DNS:
Verify DNS settings on both WSAs.
Ensure that DNS resolution is working correctly.
Consider using an external DNS resolver (e.g., Google DNS) for testing.
Consider Random Site Behavior:
If the issue occurs randomly, monitor the behavior over time.
Investigate if there are patterns related to specific sites or times."
Hope your problem is resolved!!!
Best regards
Rena Carper