CISCO S300V: Policy Trace returns "gateway timeout"

jjimenez829
Level 1

Hi,
I am fairly new to the Cisco WSA. I was recently promoted to an associate security analyst and have taken a few courses to prepare (SSFAMP, SSFIPS & SWSA) as well as had some guidance on the Cisco products through a consultant our company hired.

I have recently come across an issue with a website. The website has been whitelisted but the user is still unable to access the site. The user gets a Cisco WSA block page stating "Based on your organization's access policies, access to this web site (https://www.example.com) has been blocked because the web category 'WhiteList' is not allowed".

When I run a policy trace to the web site using the user's IP address the results ultimately state the following:

Final Result

Request Blocked

Details: gateway timeout

Trace Session complete



I feel like I have exhausted all possibilities but cannot figure out a solution.

6 Replies

Handy Putra
Cisco Employee

Hi,

Get the accesslogs from the WSA CLI while trying to access the site and experiencing the issue, to see what actions the appliance has taken and what Identity and policy it was using.

To grep the access logs for an entry, SSH into the WSA and run the following command from the CLI:
1. grep
2. Enter the number of the log you wish to grep: 1 (for access logs)
3. Enter the regular expression to grep: <client IP>
4. Do you want this search to be case insensitive?: Y
5. Do you want to search for non-matching lines? [N]> N
6. Do you want to tail the logs?: Y
7. Do you want to paginate the output?: N

If you need help understanding the accesslogs output, you can share the output in this thread for review.

Thank you for the response Handy, very much appreciated. I will give this a try and report back. Do the logs take a while to populate? I seem to only get this far: 

The accesslogs will log a complete transaction/traffic. If the connection or handshake is not even completed, it might not show in the accesslogs.

Also if it is a gateway timeout, it might take longer to show up too.

If you take a packet capture from the WSA with the client-side and server-side connections, you should see the traffic at the packet level in more depth.

So I left the session running and, after some time, PuTTY just shuts down. No messages or anything. This occurred with 4 different attempts. To clarify, 4 different client IPs.

I would suggest taking a packet capture on the WSA.

GUI -> Support and Help -> Packet Capture (make sure you take the capture on the correct interface, and also enter the client and destination addresses to see client and server packets).

I also suggest opening a TAC case to get a more in-depth investigation of the issue.

Will do Handy. Thanks again for all of your help. 
