cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
577
Views
0
Helpful
3
Replies
Highlighted
Beginner

WSA S170 : PBR GATEWAY_TIMEOUT

Hi,

 

We are running a S170 with version 8.5.2-027 for Web.

It used to run in explicit proxy mode and everything is fine.

To ease network and clients computers management, we've enable transparent mode.

 

Network->Transparent redirection is set to 'Layer 4 switch or no device'.

M1 is on a dedicated route, P1 is connected to the internal network and P2 is connected to the ISP line.

Web proxy service listen on ports 80 and 3128.

 

When doing a classic "explicit proxy" request, everithing is fine :

$ telnet 172.31.255.253 80
Trying 172.31.255.253...
Connected to 172.31.255.253.
Escape character is '^]'.

GET http://www.google.com

HTTP/1.0 302 Found
Cache-Control: private
Location: http://www.google.fr/?gfe_rd=cr&ei=4ioeVtDSCKex8wep-4LoBw
Date: Wed, 14 Oct 2015 10:13:54 GMT
Server: GFE/2.0

 

However, when doing "transparent-like" request, I instantly get a GATEWAY_TIMEOUT :

$ telnet 172.31.255.253 80
Trying 172.31.255.253...
Connected to 172.31.255.253.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.google.com

HTTP/1.1 504 Gateway Timeout
Mime-Version: 1.0
Date: Wed, 14 Oct 2015 10:15:42 GMT
Via: 1.1 cisco-s170:80 (Cisco-WSA/8.5.2-027)
Content-Type: text/html
Connection: keep-alive
Content-Length: 2272

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Notification: Gateway Timeout</title>

 

What could be wrong with the setup ?

 

Thanks,

Ionel

3 REPLIES 3
Highlighted
Cisco Employee

Hi Lonel,

Would recommend to run packet capture from client machine and at the same time from WSA appliance (with no filter) to see where the packets are going and to see if the WSA received the redirected packets from PBR appliance and process the requests correctly.

recommend to capture on all interfaces in WSA for the capture (m1, P1 and P2)

Highlighted

Hi Handy,

As it does not work as expected with the PBR appliance, my tests are run by connecting directly using telnet on port 80 of the S170 appliance and issuing "by hand" what should be an HTTP request.

The first thing I notice in packet trace is that transparent proxy connection does not issue DNS requests.

That is, when doing

GET / HTTP/1.1
Host: www.perdu.com

the appliance does not issue a DNS request to resolve www.perdu.com.

All others explicitly-proxied connections are resolved by the appliance.

Ionel

Highlighted

That is expected behaviour in transparent mode as the client the one that performing DNS since the client only knows it make a request to the website directly and do not know there is web proxy in the middle.

Please see below for the difference between transparent mode and explicit mode:

http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117940-qa-wsa-00.html

For your case you need to make sure that WSA is receiveing requests from the PBR switch that redirect users traffic to WSA (at least WSA should see the 3 way handshakes) and also make sure that there is route from WSA to users for the return traffic.

Would still recommend to run pcap from client machine and at the same time from WSA with no filter (to see client and server side connections)