Looks like I'm having the

Khaim_Helms1 · ‎11-23-2015

I have a user that has an access policy applied to them to be allowed access to the URL category Job Search. When I do a policy trace, it comes back with transaction permitted, but is still getting the Block page stating that they are not allowed: Block - URL Cat. When I look at the access logs in the CLI, I find this (internal IP address and username changed and striked through):

1448294967.774 1 999.999.999.999 TCP_DENIED/403 0 GET http://www.indeed.com/ "username" NONE/- - BLOCK_WEBCAT_12-DefaultGroup-NALAD-NONE-NONE-NONE-NONE <IW_job,3.4,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_job,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-"> - Auth SSO_TUI - ID = 46578059 "23/Nov/2015:10:09:27 -0600", User Agent "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"

I don't know where the TCP_Denied/403 is coming from.

Khaim_Helms1 · ‎11-25-2015

The user was not hitting theiur appropriate access policy. Restarting the proxy services fixed the whole issue.

Atazazuddin Shaikh · ‎11-25-2015

Thanks for reaching out, This is documented as following software defect:

https://tools.cisco.com/bugsearch/bug/CSCuu49389

Fix is available now, with the version 8.5.3 build, Please open a TAC case (with the serial #) so we can provision the release for your Appliance.

Regards,
Zack

Paul Cardelli · ‎11-30-2015

Looks like I'm having the same issue on version 8.8.0-085

Paul Cardelli · ‎11-30-2015

Just wanted to confirm, that this is the same issue, and Kicking or restarting the proxy service was the fix.

WSA access policy issue