Hi Trik,

The details are as follows:

Model: S670

Version: 7.1.4-053

Regards,

Faiz

Hi Faiz,

Have you grep'd for the access logs for an IP of a PC which is having the issue connecting when the URL fails ? Also what is the message that you recieve from the WSA when a failure occurs ? The version of code 7.1.4 - 053 is older code I would recommend at least moving to 7.5.0-833 but please read the release notes before you do and also back up your config file unchecking the box mask passwords when you choose to save the file.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Hi Erik,

Thank you for the reply.

In the logs we see that the proxy is allowing the access. There are no blocks or such in the logs. Moreover, the problem is only with some sites. When we try to resolve these URLs from the proxy the do as well.

There is no error message, but the page just loads and loads for ever. We have still not got a hold on this.

I agree that we are running an older version of the code. I will plan for an upgrade soon.

Regards,

Faiz

Hi Erik,

Are there any known issues with this version. I am searching but I cant find any issues associated with this particular version.

I need to provide a supporting case to management with proper details in order to justify the upgrade.

Please assist.

Regards,

Faiz

Hi Faiz,

There are not any known issues in terms of URLs failing. I would perform a packet capture on the WSA. See my instructions below:

In order to obtain a simultaneous packet capture from the WSA & PC you will need to log into the GUI ->Support and Help -> Packet Capture -> Edit Settings -> Select the radial button No Filter.Please send me a packet capture from the WSA unfiltered. You will need to install wireshark on the PC or laptop you are testing from. It is a good idea to start the wireshark program from the PC first.  I would recommend using www.iana.org as a test as it uses only on IP address.

When you have the captures completed I would first look at the WSA packet capture and use the following filter in wireshark http contains "www.iana.org". The various streams of communication will populate in the wireshark display. What you want to focus on is the streams that show the IP of the WSA and the IP of www.iana.org 192.0.32.8. We should see the following when you right mouse click the packet which shows the IP of the WSA going to the destination IP of www.iana.org:

WSA IP -------SYN-----> www.iana.org IP

WSA IP <--SYN/ACK-- www.iana.org IP

WSA IP -------ACK-----> www.iana.org IP

If you see this instead:

WSA IP -------SYN-----> www.iana.org IP

WSA IP -------SYN-----> www.iana.org IP

WSA IP -------SYN-----> www.iana.org IP

WSA IP -------SYN-----> www.iana.org IP

Then you have a problem in your network.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator

Hi Erik,

Thank you for the detailed response.

I will try and carryout a packet captureas u sugested next time we face this issue.

However, since we are operating the Proxy in one-armed design, will that be an issue? Since the traffic has to enter and exit a single interface will it cause any delay?

What is the best practice considering that we have more than 30K users...?

Please suggest.

Regards,

Faiz

HI Faiz,

For best practices I would recommend speaking to a Sales Enginner to review your requirments as I cannot esitmate what would be best for your network.

Sincerely,

Erik Kaiser
WSA CSE
WSA Cisco Forums Moderator