Inspect the Dynamic Bypass List during incident to determine if there is a pattern, in particular the destination IP address(es) that has the highest Use Count. The list would state the reason why the IP(s) are added to the bypass list.
The command to view the bypass list is as below. In the example below, you may want to focus on the destination IP 22.214.171.124 due to the large 'Use Count'. The reason for the IP to be added is marked 'C' which is for Connect-Error
CF3x5#sh proxy-services dynamic-bypass
U - User policy A - Asymmetric route N - Non-HTTP
C - Connect error R - Receive error 5 - 5xx
Client IP address Server IP address Timeout (minutes) Use Count Reasons
126.96.36.199 188.8.131.52 28 2 C
184.108.40.206 220.127.116.11 15 3 N
* 18.104.22.168 53 10 C
* 22.214.171.124 24 3578 C
* 126.96.36.199 53 12 C
188.8.131.52 184.108.40.206 15 3 N
PCAP can then be used to filter based on the IP address in an attempt to determine the root cause
Access log can also be used to determine how frequent the error occurs and if it's expected. If the number of failures is relatively miniscule compared to the total request per OCS, the failures could be expected.
As an example, if the proxy is setup for targetted caching, it would be processing large number of requests heading for the same or small number of OCSes. It would not be impossible that some of these requests failed within the configured dynamic bypass timeout period resulting in the OCS IP being made a wildcard bypass entry and therefore bypassing large number of transaction and bytes.
In this case, you can avoid the OCS IP being wildcarded by increasing the server-threshold (default 4) and/or reduce the timeout (default 60) period. The value to set depends on the number and frequency of failure observed in the accesslog.
Here are the commands:
CF3x5#(config dynamic-bypass)server-threshold 12
CF3x5#(config dynamic-bypass)timeout 30