Potentially since the last minor AsyncOS update (7.7.0-760 to 7.7.0-761), we have been experiencing issues with Ironport blocking access to web categories which are actually open.
For instance, we have users, whose policy allows them access to Business & Industry, being blocked. A policy trace proves they *should* be granted access:
Trace for URL: http://www.challengept.com
User Information
User Name: HAYLEY-GROUP\cbosley
Group Membership: HAYLEY-GROUP\cbosley, HAYLEY-GROUP\Domain Users, HAYLEY-GROUP\RDP Users, HAYLEY-GROUP\VPN-Users
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36
URL Check
WBRS Score: 0.0
URL Category: Business and Industry
Scanner "AVC" Verdict (Request): Unknown (Unknown)
MIME-Type: text/html; charset=UTF-8
Scanner "AVC" Verdict (Response): Unknown (Unknown)
Policy Match
Cisco IronPort Data Security policy: None
Decryption policy: None
Routing policy: None
Identity policy: Internal_Users
Access policy: Level_3_Users
Final Result
Request completed
Details: Transaction permitted
Trace session complete
Yet, Ironport gives them this if they browse to the same URL:
Date: Wed, 22 Oct 2014 12:17:16 BST
Username: HAYLEY-GROUP\cbosley@NTLM
Source IP: 10.11.24.116
URL: GET http://www.challengept.com/
Category: Business and Industry
Reason: BLOCK-WEBCAT
Notification: WEBCAT
We have rebooted the Ironport and also set "Business & Industry" to blocked, then unblocked to try and refresh the policy but it hasn't made any difference.
Perhaps the oddest part is that when users get the blocked page, if they click 'back' in their browser, and retry the site, 9 out of 10 times it will let them in!
Has anyone else encountered a bug like this, and/or has a work-around?
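One way to find out how widespread this kind of mismatch is, rather than relying on individual user reports, is to collect the block-notification details in the shape quoted above and cross-check each BLOCK-WEBCAT event against the categories the user's access policy actually allows. The script below is an added example written for this thread, not code from the original poster or from Cisco; the sample events, the policy-to-category table and the user-to-policy table are constructed here (only the first event mirrors the one in the post) and would in practice be exported from the appliance's access log and policy configuration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Regex for one block-notification record in the shape quoted in the post
# ("Date: ... Username: ... Source IP: ... URL: <method> <url> Category: ... Reason: ... Notification: ...").
EVENT_RE = re.compile(
    r"Date: (?P<date>.+?) Username: (?P<user>\S+) Source IP: (?P<ip>\S+) "
    r"URL: (?P<method>[A-Z]+) (?P<url>\S+) Category: (?P<category>.+?) "
    r"Reason: (?P<reason>\S+) Notification: (?P<notification>\S+)\s*$"
)

# Constructed sample records (not a real appliance export). The first one
# mirrors the event from the post; the second is a legitimately blocked
# category; the third is a malformed line that the parser must skip.
SAMPLE_EVENTS = r"""
Date: Wed, 22 Oct 2014 12:17:16 BST Username: HAYLEY-GROUP\cbosley@NTLM Source IP: 10.11.24.116 URL: GET http://www.challengept.com/ Category: Business and Industry Reason: BLOCK-WEBCAT Notification: WEBCAT
Date: Wed, 22 Oct 2014 12:20:03 BST Username: HAYLEY-GROUP\jdoe@NTLM Source IP: 10.11.24.120 URL: GET http://gambling.example/ Category: Gambling Reason: BLOCK-WEBCAT Notification: WEBCAT
this line is not a notification record and is ignored
"""

# Assumed policy data: which categories each access policy allows (from the
# policy trace, Level_3_Users allows Business and Industry) and which access
# policy each identity maps to. In practice both come from the appliance config.
POLICY_ALLOWED: Dict[str, Set[str]] = {
    "Level_3_Users": {"Business and Industry", "Computers and Internet"},
}
USER_POLICY: Dict[str, str] = {
    r"HAYLEY-GROUP\cbosley": "Level_3_Users",
    r"HAYLEY-GROUP\jdoe": "Level_3_Users",
}


@dataclass
class BlockEvent:
    date: str
    user: str
    ip: str
    url: str
    category: str
    reason: str


def parse_events(text: str) -> List[BlockEvent]:
    """Parse notification records; lines that do not match are skipped, not guessed at."""
    events: List[BlockEvent] = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        # "DOMAIN\user@NTLM" carries the auth realm; the policy lookup uses DOMAIN\user.
        user = m.group("user").rsplit("@", 1)[0]
        events.append(BlockEvent(m.group("date"), user, m.group("ip"), m.group("url"),
                                 m.group("category"), m.group("reason")))
    return events


def find_inconsistent_blocks(events: List[BlockEvent],
                             user_policy: Dict[str, str],
                             policy_allowed: Dict[str, Set[str]]) -> List[BlockEvent]:
    """Return BLOCK-WEBCAT events whose category the user's access policy allows.

    These are the events that contradict the policy configuration (and the policy
    trace) and therefore point at an appliance-side problem rather than a policy one.
    """
    hits: List[BlockEvent] = []
    for ev in events:
        if ev.reason != "BLOCK-WEBCAT":
            continue
        policy = user_policy.get(ev.user)
        if policy is None:
            continue  # unknown identity: cannot judge automatically, leave for manual review
        if ev.category in policy_allowed.get(policy, set()):
            hits.append(ev)
    return hits


def summarize_by_category(hits: List[BlockEvent]) -> Dict[str, int]:
    """Count contradictory blocks per category, to see whether one category is affected."""
    counts: Dict[str, int] = {}
    for ev in hits:
        counts[ev.category] = counts.get(ev.category, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_inconsistent_blocks(parse_events(SAMPLE_EVENTS), USER_POLICY, POLICY_ALLOWED)
    for ev in found:
        print(f"{ev.date}  {ev.user}  {ev.url}  blocked as '{ev.category}' despite policy allowing it")
    print(summarize_by_category(found))
```

Run against a day's worth of records, the per-category summary shows whether the contradictory blocks cluster around one category (which would point at a category-cache or update problem) or are spread across everything (which points at the policy engine itself), and the list of affected users and URLs is what a support case for the appliance should include.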