Policy Trace returning Policy Match Access Policy Null

biakorofidorel
Level 1

Hi Guys

I have an issue with my WSA. When I run a policy trace on my WSA, it doesn't seem to match on some URLs like www.google.com.

The result of this is that the WSA is blocking all the requests to this site.
Does anyone have any suggestions as to how to resolve this?

Two examples below.

1. URL Check
WBRS Score: 3.2
URL Category: Search Engines and Portals
Scanner "AVC" Verdict (Request): Google (Search Engine)

Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: Global Routing Policy
Identification Profile: WHO
Access policy: (null)

Final Result
Request blocked
Details: Gateway timeout
Trace session complete

2. URL Check
WBRS Score: 3.4
URL Category: Pornography

Policy Match
Cisco Data Security policy: None
Decryption policy: None
Routing policy: None
Identification Profile: WHO
Access policy: Business_Hours

Final Result
Request blocked
Details: Request blocked based on URL category
Trace session complete

4 Replies

Handy Putra
Cisco Employee

From the policy trace provided for google.com, you are getting a 'gateway timeout' error, which could indicate there is a network issue for that destination.

The normal scenario when the WSA gets a gateway timeout is that the WSA received the request and passed it out, but did not get any response from the next hop or the hops after it.

Also check if you have L4TM enabled (check if the T1/T2 interface is plugged in) on the WSA and make sure it is not blocking google.com.

Hello Handy, kindly find attached what I'm getting on the tail. All HTTP traffic is being rejected and not matching any access policies at all. But when I try a URL which is explicitly blocked, as you can see below, it is matching and blocking; for all other authorised URLs it is not matching at all. Any advice here?

Press Ctrl-C to stop.
1461914839.032 150668 10.4.12.70 NONE/504 0 GET http://vassg142.crl.omniroot.com/vassg142.crl - DIRECT/vassg142.crl.omniroot.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461914989.194 150011 10.4.12.70 NONE/504 0 GET http://crl3.digicert.com/ssca-sha2-g1.crl - DIRECT/crl3.digicert.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915139.805 149993 10.4.12.70 NONE/504 0 GET http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl - DIRECT/crl.microsoft.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915140.938 149998 10.4.12.70 NONE/504 0 GET http://emupdate.avast.com/files/emupdate/patches.ini - DIRECT/emupdate.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915144.833 750002 10.4.12.70 NONE/504 0 GET http://su.ff.avast.com/R/A2MKIGJiYWFlZDUwNzQ2YjRmNWRhMDczZmFiY2UxNWQ2OWUzEgQEJwQWGL8DIgH-KgcIBBC1kYpBOK-RjFBCIN80j4T5VTu7KBT-Eo-g2cFw4W9WSTKdxyOUwsJaGeqASICDmAg= - DIRECT/su.ff.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915171.690 149993 10.4.12.70 NONE/504 0 GET http://emupdate.avast.com/files/emupdate/updates.xml - DIRECT/emupdate.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915290.681 150609 10.4.12.70 NONE/504 0 GET http://crl3.digicert.com/DigiCertBaltimoreCA-2G2.crl - DIRECT/crl3.digicert.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915440.910 150002 10.4.12.70 NONE/504 0 GET http://crl3.digicert.com/sha2-ha-server-g1.crl - DIRECT/crl3.digicert.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915591.309 225646 10.4.12.70 NONE/504 0 POST http://vl.ff.avast.com/v1/touch - DIRECT/vl.ff.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915670.376 750003 10.4.12.70 NONE/504 0 GET http://su.ff.avast.com/R/A2MKIGJiYWFlZDUwNzQ2YjRmNWRhMDczZmFiY2UxNWQ2OWUzEgQEJwQWGL8DIgH-KgcIBBC1kYpBOK-RjFBCIN80j4T5VTu7KBT-Eo-g2cFw4W9WSTKdxyOUwsJaGeqASICDmAg= - DIRECT/su.ff.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461919265.473 648 10.4.12.70 TCP_DENIED/403 0 GET http://www.dailymotion.com/ - NONE/- - BLOCK_CUSTOMCAT_12-Business_Hours-WHO-NONE-NONE-NONE-NONE -
1461919277.355 0 10.4.12.70 TCP_DENIED/403 0 GET http://www.dailymotion.com/favicon.ico - NONE/- - BLOCK_CUSTOMCAT_12-Business_Hours-WHO-NONE-NONE-NONE-NONE -
1461919277.397 0 10.4.12.70 TCP_DENIED/403 0 GET http://www.dailymotion.com/favicon.ico - NONE/- - BLOCK_CUSTOMCAT_12-Business_Hours-WHO-NONE-NONE-NONE-NONE -

From the logs provided, it means that the WSA is having issues sending the request out to the internet, and most likely the WSA is not getting a response back from outside or from its next hop.

This matches the logs, where the WSA is getting NONE/504, which means gateway timeout.

This does not occur if you set the policy to block, since the WSA will block the traffic first and will not send it out to the internet/next hop, as it is already blocked by its policy.

I would suggest running a packet capture to see who is not responding to the WSA's requests. I also recommend opening a TAC case to investigate deeper.
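As an added example (not part of the thread, and not Cisco's code), a small Python triage script over the access-log lines posted above. It splits the accesslog fields by whitespace, decodes the hyphen-joined policy-decision tag into its slots (decision, access policy, identity, outbound malware policy, data security policy, external DLP policy, routing policy) and separates requests the WSA decided on itself (TCP_DENIED/403 with a BLOCK_* decision) from requests it forwarded DIRECT and then timed out on (NONE/504). The field positions follow the default accesslog layout seen in the posted lines; the slot names, the sample subset and the assumption that policy names contain no hyphens are mine.

```python
"""Triage Cisco WSA accesslog lines: policy block vs. upstream timeout."""
import re
from collections import Counter

# Constructed sample: a subset of the access-log lines posted in the thread
# (copied as posted, not a live capture).
SAMPLE_LOG = """\
1461914839.032 150668 10.4.12.70 NONE/504 0 GET http://vassg142.crl.omniroot.com/vassg142.crl - DIRECT/vassg142.crl.omniroot.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461914989.194 150011 10.4.12.70 NONE/504 0 GET http://crl3.digicert.com/ssca-sha2-g1.crl - DIRECT/crl3.digicert.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915139.805 149993 10.4.12.70 NONE/504 0 GET http://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl - DIRECT/crl.microsoft.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915171.690 149993 10.4.12.70 NONE/504 0 GET http://emupdate.avast.com/files/emupdate/updates.xml - DIRECT/emupdate.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461915591.309 225646 10.4.12.70 NONE/504 0 POST http://vl.ff.avast.com/v1/touch - DIRECT/vl.ff.avast.com - OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup -
1461919265.473 648 10.4.12.70 TCP_DENIED/403 0 GET http://www.dailymotion.com/ - NONE/- - BLOCK_CUSTOMCAT_12-Business_Hours-WHO-NONE-NONE-NONE-NONE -
1461919277.355 0 10.4.12.70 TCP_DENIED/403 0 GET http://www.dailymotion.com/favicon.ico - NONE/- - BLOCK_CUSTOMCAT_12-Business_Hours-WHO-NONE-NONE-NONE-NONE -
"""

# Slot names for the policy-decision tag (my labels, in the order the WSA
# writes them: decision, then access policy, identity, ..., routing policy).
ACL_TAG_SLOTS = ("decision", "access_policy", "identity",
                 "outbound_malware_policy", "data_security_policy",
                 "external_dlp_policy", "routing_policy")


def parse_acl_tag(tag):
    """Split OTHER-NONE-WHO-NONE-NONE-NONE-DefaultGroup into named slots.

    Assumption: policy names contain no hyphens. A hyphenated policy name
    would shift the slots, which is why the count is checked strictly."""
    parts = tag.split("-")
    if len(parts) != len(ACL_TAG_SLOTS):
        raise ValueError(f"unexpected ACL tag layout: {tag}")
    slots = dict(zip(ACL_TAG_SLOTS, parts))
    # BLOCK_CUSTOMCAT_12 -> BLOCK_CUSTOMCAT: drop the numeric position code
    slots["decision"] = re.sub(r"_\d+$", "", slots["decision"])
    return slots


def parse_line(line):
    """Pick the fields this triage needs out of one accesslog line."""
    f = line.split()
    if len(f) < 11:
        raise ValueError(f"too few fields: {line!r}")
    cache_result, _, status = f[3].partition("/")      # NONE/504, TCP_DENIED/403
    hierarchy, _, upstream = f[8].partition("/")       # DIRECT/host or NONE/-
    rec = {
        "elapsed_ms": int(f[1]),
        "client": f[2],
        "cache_result": cache_result,
        "status": int(status) if status.isdigit() else None,
        "method": f[5],
        "url": f[6],
        "hierarchy": hierarchy,
        "upstream": upstream,
    }
    rec.update(parse_acl_tag(f[10]))
    return rec


def classify(rec):
    """Did the WSA decide the request itself, or forward it and wait in vain?"""
    if rec["cache_result"] == "TCP_DENIED" or rec["decision"].startswith("BLOCK"):
        return "blocked_by_policy"          # never left the box
    if rec["status"] == 504 and rec["hierarchy"] == "DIRECT":
        return "upstream_timeout"           # sent DIRECT, no answer came back
    return "other"


def triage(log_text):
    """Summarise which requests were blocked and which timed out upstream."""
    summary = {"counts": Counter(), "timeout_hosts": set(),
               "timeout_elapsed_ms": [], "blocking_policies": set()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        summary["counts"][kind] += 1
        if kind == "upstream_timeout":
            summary["timeout_hosts"].add(rec["upstream"])
            summary["timeout_elapsed_ms"].append(rec["elapsed_ms"])
        elif kind == "blocked_by_policy":
            summary["blocking_policies"].add(rec["access_policy"])
    return summary


def diagnose(summary):
    """Turn the counts into the same conclusion the thread reaches."""
    c = summary["counts"]
    if c["upstream_timeout"] and not c["other"]:
        return ("every request not blocked by policy went DIRECT and timed out: "
                "check the WSA egress path (P1 link, next hop, L4TM), not the access policies")
    return "mixed results: look at the individual lines"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(dict(s["counts"]), sorted(s["timeout_hosts"]), s["timeout_elapsed_ms"])
    print(diagnose(s))
```

The point of decoding the tag is that the trace's "Access policy: (null)" and the log's NONE in the access-policy slot describe the same thing: no access policy was evaluated because the request never got an answer to evaluate, while the BLOCK_CUSTOMCAT lines show the policy engine working fine when it gets to decide before forwarding. The elapsed values on the timed-out lines (around 150000 ms) are also worth a glance, since a consistent figure points at a timeout rather than a slow server.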

MBelyakin
Level 1

I had the same situation. The WSA was connected via its P1 port to a Nexus 5596, and that port was shut down.
It turned out that the blocking rule for porn worked and determined the group. But when requests were not covered by the blocking rule, the request did not go out and Access policy: (null) was returned.
Turning the port on helped.