08-18-2013 05:08 AM
Hi All,
Good Day!
We have an issue with our Ironport WSA S670 appliance. We have around 35K users and have access to sites like facebook.com, youtube.com etc.
The issue is that at times certain sites are not accessible via proxy. For example we cannot access youtube.com, google.com etc while we can access msn.com, espn.com etc. Moreover when we try to bypass the proxy and access the sites directly all the sites work just fine.
This issue has been repeating many times and we checked the internet link, proxy etc for any issue. In the meantime the issue gets resolved mysteriously.
The total number of connections at these times is more than 20K. The CPU utilization never goes beyond 15% but the memory is always between 70 to 90% utilized.
What is the maximum number of connections WSA S670 appliance support? Is there any configurable limit for the connections that can be established? Will it cause any issue if a lot of users are watching videos on youtube.
Also the proxy is working in one-armed design. Will that cause any issue?
Please suggest.
Cheers,
Faiz
08-18-2013 07:43 PM
Hi,
What version code are you on?
Sent from Cisco Technical Support iPad App
08-19-2013 02:58 AM
Hi Trik,
The details are as follows:
Model: S670
Version: 7.1.4-053
Regards,
Faiz
08-20-2013 09:51 PM
Hi Faiz,
Have you grep'd the access logs for the IP of a PC which is having the issue connecting when the URL fails? Also what is the message that you receive from the WSA when a failure occurs? The version of code 7.1.4-053 is older code. I would recommend at least moving to 7.5.0-833, but please read the release notes before you do and also back up your config file, unchecking the box "mask passwords" when you choose to save the file.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
08-21-2013 01:10 AM
Hi Erik,
Thank you for the reply.
In the logs we see that the proxy is allowing the access. There are no blocks or such in the logs. Moreover, the problem is only with some sites. When we try to resolve these URLs from the proxy they do as well.
There is no error message, but the page just loads and loads for ever. We have still not got a hold on this.
I agree that we are running an older version of the code. I will plan for an upgrade soon.
Regards,
Faiz
08-21-2013 04:43 AM
Hi Erik,
Are there any known issues with this version? I am searching but I can't find any issues associated with this particular version.
I need to provide a supporting case to management with proper details in order to justify the upgrade.
Please assist.
Regards,
Faiz
08-21-2013 01:05 PM
Hi Faiz,
There are not any known issues in terms of URLs failing. I would perform a packet capture on the WSA. See my instructions below:
In order to obtain a simultaneous packet capture from the WSA & PC you will need to log into the GUI -> Support and Help -> Packet Capture -> Edit Settings -> Select the radio button No Filter. Please send me a packet capture from the WSA unfiltered. You will need to install Wireshark on the PC or laptop you are testing from. It is a good idea to start the Wireshark program from the PC first. I would recommend using www.iana.org as a test as it uses only one IP address.
When you have the captures completed I would first look at the WSA packet capture and use the following filter in Wireshark: http contains "www.iana.org". The various streams of communication will populate in the Wireshark display. What you want to focus on is the streams that show the IP of the WSA and the IP of www.iana.org 192.0.32.8. We should see the following when you right mouse click the packet which shows the IP of the WSA going to the destination IP of www.iana.org:
WSA IP -------SYN-----> www.iana.org IP
WSA IP <--SYN/ACK-- www.iana.org IP
WSA IP -------ACK-----> www.iana.org IP
If you see this instead:
WSA IP -------SYN-----> www.iana.org IP
WSA IP -------SYN-----> www.iana.org IP
WSA IP -------SYN-----> www.iana.org IP
WSA IP -------SYN-----> www.iana.org IP
Then you have a problem in your network.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator
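The handshake check Erik describes above can be automated when a capture is too large to eyeball in Wireshark. The script below is an added example and is not part of the forum thread or of any Cisco tooling: it parses a libpcap file with nothing but the standard library, groups TCP packets by the proxy-side 4-tuple, and reports each stream as either "handshake completed" (SYN, SYN/ACK, ACK) or "SYN retransmitted, no SYN/ACK" (the second pattern in Erik's post, which points at a network problem rather than the proxy). It assumes an Ethernet link layer without VLAN tags and IPv4 only. The sample capture is constructed inline: the WSA address 10.0.0.5 and the unreachable server 203.0.113.10 are invented for the example; 192.0.32.8 is the www.iana.org address quoted in the thread.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1


def parse_pcap(data: bytes):
    """Return the raw link-layer frames from a libpcap (not pcapng) file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    frames, off = [], 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return frames


def parse_tcp(frame: bytes):
    """Decode Ethernet/IPv4/TCP headers; return (src, dst, sport, dport, flags) or None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # not IPv4 (assumes untagged Ethernet)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None  # not TCP
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", ip, ihl)
    return src, dst, sport, dport, off_flags & 0x1FF


def classify_handshakes(frames):
    """Map each client-side 4-tuple to a handshake verdict."""
    counts = defaultdict(lambda: [0, 0])  # [SYNs sent by client, SYN/ACKs received]
    for frame in frames:
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, dst, sport, dport, flags = pkt
        if flags & SYN and not flags & ACK:
            counts[(src, sport, dst, dport)][0] += 1
        elif flags & SYN and flags & ACK:
            counts[(dst, dport, src, sport)][1] += 1  # key by the client that sent the SYN
    verdicts = {}
    for key, (syns, synacks) in counts.items():
        if synacks:
            verdicts[key] = "handshake completed"
        elif syns > 1:
            verdicts[key] = f"SYN retransmitted {syns} times, no SYN/ACK"
        else:
            verdicts[key] = "SYN sent, awaiting reply"
    return verdicts


def analyze_pcap(data: bytes):
    return classify_handshakes(parse_pcap(data))


# --- constructed sample capture (checksums left zero; the parser never checks them) ---
def build_tcp_frame(src, dst, sport, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


WSA_IP, IANA_IP, DEAD_IP = "10.0.0.5", "192.0.32.8", "203.0.113.10"  # 10.0.0.5 / 203.0.113.10 invented
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(WSA_IP, IANA_IP, 40001, 80, SYN),          # healthy stream
    build_tcp_frame(IANA_IP, WSA_IP, 80, 40001, SYN | ACK),
    build_tcp_frame(WSA_IP, IANA_IP, 40001, 80, ACK),
    *[build_tcp_frame(WSA_IP, DEAD_IP, 40002, 80, SYN) for _ in range(4)],  # SYNs with no answer
])

if __name__ == "__main__":
    for (src, sport, dst, dport), verdict in analyze_pcap(SAMPLE_PCAP).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {verdict}")
```

To run it against a real WSA capture, replace SAMPLE_PCAP with the bytes of the downloaded .cap file (for example, open(path, "rb").read()); streams that land in the "SYN retransmitted" bucket are the ones to chase on the path between the proxy and the destination.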
08-22-2013 01:04 AM
Hi Erik,
Thank you for the detailed response.
I will try and carry out a packet capture as you suggested next time we face this issue.
However, since we are operating the Proxy in one-armed design, will that be an issue? Since the traffic has to enter and exit a single interface will it cause any delay?
What is the best practice considering that we have more than 30K users...?
Please suggest.
Regards,
Faiz
08-23-2013 02:42 PM
Hi Faiz,
For best practices I would recommend speaking to a Sales Engineer to review your requirements as I cannot estimate what would be best for your network.
Sincerely,
Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator