Solved: WSA S170 problems after AsyncOs upgrade 10.1.0

esa.mannisto · ‎02-01-2017

Hi,

We upgraded our WSA S170 appliance successfully to AsyncOs 10.1.0-204 for Web.

After that we have notice several webpages not working properly.

for example Facebook looks like this:

'nß0)lªßCF¤ªõð%¢&ýP‰1nè_þý—Àà˜À˜–í¸¯ÏïIÍUMåÑ}0gÇÏsìMÈ†@²q,dG#Û²X–Œ$çI×]Q_ÑÜ|î÷õÿùI"®÷}ºïho>ßž3s** ˆ‚ß±«( (*„ÅÞeÄ'HFK_~U-¹JkÙš¡h ÿcdrº›ÔÔê¯©$»k%–H<ü"“Î'ùy7²ü3ˆ„Dˆ À lÊûUå=ºwúTWšæêûÿuå›ðŒdøˆ]ˆNŸÒzšO.¤~|ï}OŽžf7GÒÚ‰4kŸ3c8€3^ 'X¯V2È<Ÿ€Œ¢¦d.;ÿT.“Îé~:ÇÕ/Š2uÿ?•¦ýõŒ$äzÒ•8Th‰ƒð½zU:ýŽ»{fÏ°OÏ® ž‰«þ¯õôÍ‚xldÎveÈà³0 fþË7ÕW Ö)žsÑyÜ§ôÁåÚÓ‡Ä¯ª´ûö}ÏÀÃ ž9€Ìq÷íþ=ðxŒÊP†Â)eÈ!‘rÊ‹ÎEíütN©uå¦s÷ r¥R%J”.jWé!5±X¯óßfòü@Â©µ±”:Ìnÿ) )BÌu¢“vïbåàÓ=,ÒiŒVšWVñ’Û÷Ç˜ý Ñ”®w}_Æ´/wM™—¤>k2æ¿§¯s¨¿ CU†–â¾{0lHr2£õ÷CM{{)ä÷YÈ=†jèîKâ;±KC

Any help?

BR

-Esa-

Tao Yang · ‎02-05-2017

It looks like hitting a known defect "CSCvc92979 Website access issues due to WSA 10.1 appending incorrect Accept-Encoding headers"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc92979

View solution in original post

it · ‎02-02-2017

Hi, exact same problem here. WSA S170 upgraded to 10.1.0-204. Facebook looks exactly as you show since the upgrade. I think it is related to the https decryptor and the certificate it uses. I generated new 2048 certificate but it does not seem to make any difference. I know very little about WSA so might not have done it correctly. Our marketing department is going crazy without the facebook access and I am not sure ho to proceed now as I cannot find any relevant information. Thanks Vita

Tao Yang · ‎02-05-2017

It looks like hitting a known defect "CSCvc92979 Website access issues due to WSA 10.1 appending incorrect Accept-Encoding headers"

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc92979

it · ‎02-07-2017

Seems to be exactly the case as in the link. Thanks for the info. I used the workaround as mentioned in the above link but I can't possibly add all the affected sites into a decryption policy rule as there is too many. What I found out though is, that we can open the affected sites successfully if we use Google Chrome version 53 and above. What does not work in IE or Edge works fine in the Chrome.

Tao Yang · ‎02-07-2017

Thanks for confirmation. The fix would be released soon.

Please rate or mark the question as answered if this helps.

John Stone · ‎02-10-2017

Is the updater site down because of this? Ever since the upgrade to 10.1.0-204 we get the following error:

Failure downloading upgrade list: Connection failed: <aplib.dns.SSLConnectError
host="update-manifests.sco.cisco.com" port="443" errors=[TimeoutError()]

Tao Yang · ‎02-14-2017

It looks like a different issue based on the error message.

esa.mannisto · ‎02-07-2017

Thanks Tao for this information!

We have exactly this case.

As it@ptc.cz below says, it is not possibly add all sites to policy and after all, it doesn't help e.g. with Facebook. After policy add it still comes out with bad rendering with Win7 + IE11.

I just hope that Cisco will fix this very soon.

-Esa-

esa.mannisto · ‎02-14-2017

There is new information about this bug.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc92979

I did that and Facebook start to work again properly.

I still waiting for real fix.

-Esa-