Cisco Bug: CSCur12517 - Upstream/towers incorrectly marked as sick if XFF enabled & Via disabled

Last Modified

Mar 08, 2017

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

7.5.0-MR-833 7.5.2-HP2-304 7.7.0-757 8.0.6-078

Description (partial)

Symptom:
The WSA incorrectly detects ScanSafe towers or upstream proxies as 'sick', and the proxy logs show messages like the following:

Info: PROX_CONNTRACK : 18 : Peer xxx:port was healthy, now sick.
Info: PROX_CONNTRACK : 20 : Peer xxx:port was sick, now healthy.
Info: PROX_CONNTRACK : 20 : Peer xxx:port was healthy, now sick.
Info: PROX_CONNTRACK : 21 : Peer xxx:port was sick, now healthy.
Info: PROX_CONNTRACK : 21 : Peer xxx:port was healthy, now sick.
Info: PROX_CONNTRACK : 22 : Peer xxx:port was sick, now healthy.
Info: PROX_CONNTRACK : 22 : Peer xxx:port was healthy, now sick.

Where
'xxx' represents the upstream proxies or ScanSafe Towers 
'port' represents the port used on upstream proxies/ScanSafe towers
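
The state-change messages above can be counted per peer to spot this flapping pattern in a proxy log. The Python below is an added example, not Cisco code: it assumes the message format shown above, treats the numeric field after PROX_CONNTRACK as opaque, and uses a hypothetical threshold (min_cycles) with constructed peer addresses. Flapping alone does not confirm this bug; compare the result with the conditions listed in this record.

```python
import re
from collections import defaultdict

# Matches the PROX_CONNTRACK state-change message quoted in the bug record.
# search() is used so any prefix a real log line carries is tolerated.
STATE_CHANGE = re.compile(
    r"PROX_CONNTRACK\s*:\s*\d+\s*:\s*Peer\s+(?P<peer>\S+)\s+was\s+"
    r"(?P<old>healthy|sick),\s+now\s+(?P<new>healthy|sick)\."
)


def count_transitions(lines):
    """Return {peer: {"to_sick": n, "to_healthy": n}} for every peer seen."""
    stats = defaultdict(lambda: {"to_sick": 0, "to_healthy": 0})
    for line in lines:
        m = STATE_CHANGE.search(line)
        if m and m["old"] != m["new"]:
            stats[m["peer"]]["to_" + m["new"]] += 1
    return dict(stats)


def flapping_peers(lines, min_cycles=3):
    """Peers that went sick and recovered at least min_cycles times.

    min_cycles is a hypothetical threshold; tune it to the log window.
    """
    return sorted(
        peer for peer, s in count_transitions(lines).items()
        if min(s["to_sick"], s["to_healthy"]) >= min_cycles
    )


# Constructed sample: one flapping peer, one peer that goes sick and stays sick.
SAMPLE_LOG = """\
Info: PROX_CONNTRACK : 18 : Peer 192.0.2.10:8080 was healthy, now sick.
Info: PROX_CONNTRACK : 20 : Peer 192.0.2.10:8080 was sick, now healthy.
Info: PROX_CONNTRACK : 20 : Peer 192.0.2.10:8080 was healthy, now sick.
Info: PROX_CONNTRACK : 21 : Peer 198.51.100.7:3128 was healthy, now sick.
Info: PROX_CONNTRACK : 21 : Peer 192.0.2.10:8080 was sick, now healthy.
Info: PROX_CONNTRACK : 21 : Peer 192.0.2.10:8080 was healthy, now sick.
Info: PROX_CONNTRACK : 22 : Peer 192.0.2.10:8080 was sick, now healthy.
Info: PROX_CONNTRACK : 22 : Peer 192.0.2.10:8080 was healthy, now sick.
""".splitlines()

if __name__ == "__main__":
    totals = count_transitions(SAMPLE_LOG)
    for peer in flapping_peers(SAMPLE_LOG):
        print(peer, totals[peer])
```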

Conditions:
The problem occurs only when both of the following conditions are met:
(1) Upstream proxies/ScanSafe towers send a 5xx HTTP response
(2) The following settings are configured on the WSA (under GUI --> Security Services --> Web Proxy --> Generate Headers):
X-Forwarded-For: Send
Request Side VIA: Do Not Send
Response Side VIA: Do Not Send