Showing results for 
Search instead for 
Did you mean: 

Proxy not working on one of AD Server



I have two AD Server and 3 WSA managed by SMA. One of my AD server cannot access internet via one of the WSA, but from other WSA it can access internet. Other AD's can access internet via any WSA.


I can ping successfully to the WSA from that AD, when i do telnet from AD to WSA no response, but on WSA i can see it received request from Server on port 3128 in packet captures.

But if I try to access internet, i cannot see any packets on WSA packet capture. This WSA and AD server are both in same network, and WSA use this AD server for user Authentication (which works without any problem).

This server is also CA and DNS server. In Identities, this server is Exempt from authentication.


Any idea or troubleshooting methods i can use to find out whats going wrong.

There is nothing in grep access logs.



Cisco Employee

What is the proxy deployment method that you are using? are you using transparent mode (WCCP redirection) or explicit mode?

For WCCP redirection, make sure that the AD server address is allow to redirect traffic for HTTP or HTTPS to that WSA

If explicit mode, double check in the internet browser, to make sure that its own IP address is not exist in the bypass proxy setting of the browser.

If you need to see where the traffics(HTTP or HTTPS) from that AD server is going to, take packet capture from the client machine/AD server using wireshark and at the same time take packet capture as well from WSA to follow the packet from client machine and where are they going to.


Hi Handy,


We are using transparent mode for Web Proxy (WCCP Redirection and Explicit Forward)

I do not have WCCP interface for this network, because on server i am manually configuring proxy serttings to this WSA, so that means its Explicit Forward. All other clients use Explicit forwarding to this WSA.


How to check if AD Server is allowed to redirect traffic for HTTP or HTTPS to that WSA?


AD server is part of Identity on which authentication is set to Exempt from authentication. All my other AD servers are same, but they can access proxy services.


Only things is, on management interface  I have a route to this server, but same route is on other WSA as well.


I have tried unchecking bypass proxy settings still the same.


When I do packet capture, i can see the traffic from IE on Server to WSA (proxy interface not management) TCP SYN packet, but WSA never reply backs to the AD Server. If I do a ping, i can see ping request and reply from WSA.

I even cannot telnet to WSA on 3128, which i can do from any other device which works via Proxy. Again for Telnet, i can see packet capture on WSA, but WSA doesn't reply back to Server.




From your description, looks like you have proxy setting in your IE, therefore your proxy deployment is explicit mode.

If its transparent mode means that you are using WCCP redirection from either switch, router or firewall with WCCP protocol to redirect traffic to WSA and you would not have any proxy server checked in your IE.

In your IE, check under proxy server and advanced, to see anything in your "exceptions" box.

However from your advise from packet capture you are seeing SYN packet from AD server to WSA however no SYN ACK back from WSA.

check to see if you are using the correct port for the proxy in the IE

How many interface that you have set up in WSA (Management, P1, P2), if you are using P1 and P2 as well, make sure in IE you are pointing to the data interface of WSA (P1) not the management interface (if this is restricted to management only)


Yes, for WCCP redirection i have configuration on my core switch redirecting traffic to WSA, on WSA i have three WCCP configurations for that mainly for BYOD devices.

I have around 7 interface, M1, P1, and WCCP redirection interfaces. In my proxy settings i have configured P1 interface IP address which is data port, even i tried to connect to other 5 interfaces as well, WSA show SYN packet in packet capture but doesn't reply back, where on other client machines, if i configure those other interface as my proxy explicitly, it works. Only M1 is restricted to management traffic only, all others are data port.

I am using correct port in IE, even tried port 80 as well which is also configured in my Webproxy.


Its really strange behavior of WSA and AD server. Does certificate or any other can create issues?

In server logs, i am getting WSA Demo Certification verification fail errors every 1 minute, can certificates cause issue?

Proxy settings also seems fine on server, there is nothing in exceptions in advance proxy setting, but even irrespective of proxy settings, WSA should reply back to Telnet connection on 3128 or 80, it does for all other machines, but for this i cannot see reply for telnet connection as well.


This widget could not be displayed.