TCP_CLIENT_REFRESH_MISS/200 and TCP_DENIED/407 for same URL

AntonyPaul
Level 1

Hello,


Our SOC has advised us that they are seeing a very high number of syslog alerts for our Cisco web security proxy, with the details below:


I am not clear exactly what is causing this or how we can stop these errors; can anyone advise?


I added one domain to a proxy auth exemption list, but given the huge number of alerts we are seeing for so many different domains, this is not a solution that can be applied to all of them.


Their findings below, thank you:


>>Possible misconfiguration on "Cisco WSA" which is causing multiple URLs to be both denied and allowed.

>>Below are the two events that we mostly see:

1) TCP_DENIED/407 : This is getting denied as it needs authentication on the proxy before it reaches the URL.

2) TCP_CLIENT_REFRESH_MISS/200 : This signifies that the request is successful without any problems.

>>Based on the above and the findings we made, we see that when the URL is not working, it needs authentication, and when the URL is working, authentication was not needed.

>>Below is an example of a single URL being both allowed (TCP_CLIENT_REFRESH_MISS/200) and denied (TCP_DENIED/407):

URL: tunnel://lrs.cmbackbone.net:443/

-----Not Working :
TCP_DENIED/407 0 CONNECT tunnel://lrs.cmbackbone.net:443/ - NONE/- - OTHER-NONE-Domain_Authenticated_Identity-NONE-NONE-NONE-NONE <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -

-----Response code 407 : It is for authentication to a proxy, not the OCS. This is sent only if the request was sent explicitly to the proxy. A 407 cannot be sent to a client while using WSA as transparent proxy, as the client does not know the proxy exists. If this is the case, the client will most likely FIN or RST the TCP socket.


-----Working:
TCP_CLIENT_REFRESH_MISS/200 3051 CONNECT tunnel://lrs.cmbackbone.net:443/ "DOMAIN\\firstname.surname@AD" DEFAULT_PARENT/Access12.cws.sco.cisco.com - DEFAULT_CASE_12-DefaultGroup-Domain_Authenticated_Identity-NONE-NONE-NONE-DefaultGroup <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.45,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> -

------Response code 200 : This signifies that the request is successful without any problems.

Kindly find the attached sheet for all denied and allowed URLs.

4 Replies

Lokesh Kumar Lal
Cisco Employee

What's the WSA version and type of authentication?

Regards,
Lokesh K. Lal
Engineering Product Manager
Cisco Systems Inc.

Please don't forget to rate useful posts

S300V - 10.5.2-072

AD Realm authentication using NTLMSSP

Thanks, can you send in that Excel sheet you were referring to, with example websites that you run into issues with and the access log?


Are you using CDO or ISE-PIC to feed authentication to the WSA?

There are apps that don't handle web auth but will still make web requests (e.g. Microsoft Outlook), so the web requests made by the app won't work until the user hits a web page with a browser that does auth.

CDO and ISE-PIC (or ISE with PxGrid) will scrape login events from your AD boxes and feed the WSA auth info without the user having to hit an external page in a browser first.
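To help a SOC separate the normal proxy-auth handshake (a 407 challenge followed by an authenticated 200 for the same URL) from apps that never manage to authenticate, here is an added triage script that is not part of this thread. It assumes the abridged access-log line shape the SOC quoted above (result/code, bytes, method, URL, user, hierarchy/server, content type, ACL decision tag); the second domain in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the abridged form quoted in the thread. The first two
# lines are the thread's own example; app-update.example is a made-up domain
# standing in for a non-browser app that never answers the proxy challenge.
SAMPLE_LOG = r'''
TCP_DENIED/407 0 CONNECT tunnel://lrs.cmbackbone.net:443/ - NONE/- - OTHER-NONE-Domain_Authenticated_Identity-NONE-NONE-NONE-NONE
TCP_CLIENT_REFRESH_MISS/200 3051 CONNECT tunnel://lrs.cmbackbone.net:443/ "DOMAIN\\firstname.surname@AD" DEFAULT_PARENT/Access12.cws.sco.cisco.com - DEFAULT_CASE_12-DefaultGroup-Domain_Authenticated_Identity-NONE-NONE-NONE-DefaultGroup
TCP_DENIED/407 0 CONNECT tunnel://app-update.example:443/ - NONE/- - OTHER-NONE-Domain_Authenticated_Identity-NONE-NONE-NONE-NONE
TCP_DENIED/407 0 CONNECT tunnel://app-update.example:443/ - NONE/- - OTHER-NONE-Domain_Authenticated_Identity-NONE-NONE-NONE-NONE
'''

# Field order assumed from the quoted lines; the user field is either "-" or a quoted DOMAIN\user.
LINE_RE = re.compile(
    r'^(?P<result>[A-Z_]+)/(?P<code>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+'
    r'(?P<url>\S+)\s+(?P<user>"[^"]*"|\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s+(?P<tag>\S+)'
)

def parse_access_log(text):
    """Return one dict per recognised log line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e['code'] = int(e['code'])
            e['user'] = e['user'].strip('"')
            entries.append(e)
    return entries

def classify_urls(entries):
    """Per URL: 'auth_handshake' when a 407 is paired with an authenticated success
    (the expected NTLMSSP challenge flow, not a misconfiguration), 'never_authenticated'
    when only 407s were seen (an app that cannot answer the proxy challenge), else 'ok'."""
    counts = defaultdict(lambda: {'denied': 0, 'allowed': 0})
    for e in entries:
        if e['code'] == 407:
            counts[e['url']]['denied'] += 1
        elif e['user'] != '-' and 200 <= e['code'] < 400:
            counts[e['url']]['allowed'] += 1
    verdict = {}
    for url, c in counts.items():
        if c['denied'] and c['allowed']:
            verdict[url] = 'auth_handshake'
        elif c['denied']:
            verdict[url] = 'never_authenticated'
        else:
            verdict[url] = 'ok'
    return verdict

if __name__ == '__main__':
    for url, v in classify_urls(parse_access_log(SAMPLE_LOG)).items():
        print(f'{v:20s} {url}')
```

Only the 'never_authenticated' URLs need a closer look (exemption, or feeding identity via ISE-PIC as suggested above); the 'auth_handshake' pairs are the proxy working as designed.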