Wsa is showing 503 service unavailable in logs

DK9
Level 1

Hi team,

This issue has been happening for some time. We have 2 WSAs, both in different locations, and these WSAs are showing 503 errors for some specific sites, and that is happening intermittently.

When we do the nslookup, the result comes back with the proper IP, but in the access logs there is no server IP. Also, after clearing the DNS cache the issue gets resolved.

We have kept the WSA DNS TTL time at 300 sec. In the PCAP we are not seeing any DNS query sent to the public DNS server for this specific site, hence we assume the WSA is checking its internal DNS cache and giving these 503 errors. Any idea how to resolve this?

3 Replies

amojarra
Cisco Employee

Hello @DK9 

Hope you are doing fine

Thank you so much for the detailed information. 

[1] May I ask you to please add the string below to your Access Log Custom Fields:

[Client Port = %F, Server IP = %k, Server Port = %p]

You can use this link as a reference:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/220456-configure-performance-parameter-in-acces.html


[2] From the PCAP, can you see the WSA reaching the correct web site IP address?

[3] Can you please check for the website IP address in the BYPASS LOGS:

"bypasslogs" Type: "Proxy Bypass Logs" Retrieval: FTP Poll

[4] Kindly advise whether you are using a Transparent deployment or Explicit?

[5] Have you tried other browsers as well?


Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

Yes, we tried other browsers, and the WSA is not resolving the IP address in the access logs, as the server IP is not showing in the access logs.

It is in forward mode; there is nothing in the bypass logs either.

amojarra
Cisco Employee

Thanks DK9

In a Transparent proxy deployment such as WCCP, the WSA is not doing the name resolution; we get the IP from the client side, and we figure out the domain name from the SNI in the Client Hello.

In an Explicit deployment, the WSA is in charge of name resolution.

You can test name resolution in the WSA's CLI via the "dig" or NSLOOKUP command:

https://www.cisco.com/c/en/us/support/docs/security/secure-web-appliance-virtual/220558-troubleshoot-secure-web-appliance-dns-se.html


I'm not sure if you did item [1] in my previous message (adding [Client Port = %F, Server IP = %k, Server Port = %p] ...). If so and there is no server IP, I would say:

[1] Please check the system logs to see if there are any DNS-related errors.

[2] You can use a PCAP filter for DNS to see from which interface the DNS queries are going out, and correct it if it is wrong.

Let's say they are going via Management and you expect the traffic to go via P1; you can add a manual route entry in the WSA to reach the DNS server(s) via P1's gateway.

[3] Do some manual DNS queries to see if the name servers are replying, with a PCAP running.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
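
A small triage script, added here as an example and not part of either reply or of any Cisco tool, that splits 503 entries in an access log into those with no upstream server IP (the symptom described in the thread, pointing at resolution on the appliance) and those where an upstream server was actually reached. It assumes the custom field string from reply [1] was appended to each line, and the sample lines and column layout are constructed for the demo.

```python
import re

# Constructed sample lines in WSA access-log style (not taken from the thread), with
# "[Client Port = %F, Server IP = %k, Server Port = %p]" appended as custom fields.
# The column layout before the bracket is an assumption used only for the demo.
SAMPLE_LOG = """\
1700000000.100 120 10.1.1.5 TCP_MISS/200 8187 GET http://example.com/ - DIRECT/93.184.216.34 text/html [Client Port = 51234, Server IP = 93.184.216.34, Server Port = 80]
1700000001.200 15 10.1.1.6 TCP_MISS/503 0 GET http://intermittent.example/ - NONE/- - [Client Port = 51235, Server IP = -, Server Port = 0]
1700000002.300 30 10.1.1.7 TCP_MISS/503 412 GET http://other.example/ - DIRECT/198.51.100.7 text/html [Client Port = 51236, Server IP = 198.51.100.7, Server Port = 80]
"""

# Leading columns: timestamp, elapsed ms, client IP, result/status, bytes, method, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# The appended custom fields; an unresolved server shows up as an empty or "-" IP.
CUSTOM_RE = re.compile(
    r"\[Client Port = (?P<cport>[^,]*), Server IP = (?P<sip>[^,]*), Server Port = (?P<sport>[^\]]*)\]"
)


def parse_line(line):
    """Return the fields this triage needs, or None if the line does not match."""
    m = LINE_RE.match(line)
    c = CUSTOM_RE.search(line)
    if not m or not c:
        return None
    rec = m.groupdict()
    rec["server_ip"] = c.group("sip").strip()
    return rec


def classify_503(log_text):
    """Split 503 URLs into (no server IP -> check DNS cache/dig, server IP present -> upstream 503)."""
    unresolved, upstream = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "503":
            continue
        (unresolved if rec["server_ip"] in ("", "-") else upstream).append(rec["url"])
    return unresolved, upstream


if __name__ == "__main__":
    no_ip, with_ip = classify_503(SAMPLE_LOG)
    print("503 with no server IP (check DNS cache / dig on the WSA):", no_ip)
    print("503 returned by a reached upstream server:", with_ip)
```

Run it against a real access log (`classify_503(open(path).read())`) and compare the first list with the sites the DNS cache flush fixes.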