Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
New Member

Trace Issues

If I try a trace on a website which is allowed (say www.bbc.co.uk - News is allowed for all users/access policies) with a specific user whose group membership gets listed successfully and click trace, I get the following:

URL Check
Object Size: 243 bytes
MIME-Type: text/html
Policy Match
Decryption policy: None
Routing policy: Global Routing Policy
Access policy: Global Access Policy
Final Result
Request completed
Details: Transaction permitted
Trace session complete


However if I keep the user the same, but change the URL to something that is not permitted (say, www.sex.com - Adult is blocked for all access policies), I get this:
URL Check
Object Size: 187 bytes
MIME-Type: text/html
Policy Match
Decryption policy: None
Routing policy: Global Routing Policy
Access policy: Global Access Policy
Final Result
Request completed
Details: Transaction permitted
Trace session complete


If we change the IP to one that is in a specific access group, it is listed as blocked:

URL Check
URL Category: Adult/Sexually Explicit
WBRS Score: 3.0
Policy Match
Decryption policy: None
Routing policy: None
Access policy: Bypass_IP
Final Result
Request blocked
Details: Request blocked based on predefined URL category
Trace session complete


What's going on?! The website is actually blocked, but why doesn't the trace say so?

3 REPLIES
New Member

Re: Trace Issues

I believe i have had something similar,
For me it was having multiple groups returned as "Authorised Groups" and the workaround for me was to remove all the other groups that are returned except the one I want to test for (i.e. that matches the access policy) and it appears to work

New Member

Re: Trace Issues

Andrew,

Are you including an IP address in steps 1 and 2 above?

I recommened filing a support ticket and having technical support investigate the issue deeper.

New Member

Re: Trace Issues

Unfortunately, yep, I am including a generic IP that's on our LAN. I'll open a ticket and see what they say!

176
Views
0
Helpful
3
Replies
CreatePlease login to create content