Troubleshooting Issues with Nessus Plugin Updates that Traverse a ProxySG
Article ID: 169138
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
Unable to update Nessus Vulnerability Assessment Tool via ProxySG in Explicit Connection.
Nessus Plugin Feed server IP: 50.31.149.100
E.g.
# nessuscli update --all
----- Fetching the newest updates from 50.31.149.100 -----
[error] Could not connect to 50.31.149.100 through proxy <ProxySG IP: 8080
[error] Nessus Plugins: Failed to send HTTP request to 50.31.149.100
Nessus Plugins: Failed
[error] Could not connect to 50.31.149.100 through proxy <ProxySG IP: 8080
[error] Nessus Core Components: Failed to send HTTP request to 50.31.149.100
Nessus Core Components: Failed
* Failed to update Nessus Plugins
* Failed to update Nessus Core Components
Nessus Plugin Feed server IP: 50.31.149.100
E.g.
# nessuscli update --all
----- Fetching the newest updates from 50.31.149.100 -----
[error] Could not connect to 50.31.149.100 through proxy <ProxySG IP: 8080
[error] Nessus Plugins: Failed to send HTTP request to 50.31.149.100
Nessus Plugins: Failed
[error] Could not connect to 50.31.149.100 through proxy <ProxySG IP: 8080
[error] Nessus Core Components: Failed to send HTTP request to 50.31.149.100
Nessus Core Components: Failed
* Failed to update Nessus Plugins
* Failed to update Nessus Core Components
Cause
Packet capture shows request with user-agent string Nessus/* and 406 Response. Reason is because the http CONNECT request header syntax is not acceptable. It is not accepted and 406 Response will be sent by ProxySG immediately without applying policy rules.
Request Header
CONNECT 50.31.149.100 :443 HTTP/1.1
Host: 50.31.149.100 :443
Connection: keep-alive
Proxy-Connection: Keep-Alive
User-Agent: Nessus/6.5.2
Response Header
HTTP/1.1 406 Not Acceptable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 652
<TITLE>Request Error</TITLE>
Request Error (unsupported_protocol)
Your request used a protocol that is not currently supported.
For assistance, contact your network support team.
Request Header
CONNECT 50.31.149.100 :443 HTTP/1.1
Host: 50.31.149.100 :443
Connection: keep-alive
Proxy-Connection: Keep-Alive
User-Agent: Nessus/6.5.2
Response Header
HTTP/1.1 406 Not Acceptable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Proxy-Connection: close
Connection: close
Content-Length: 652
<TITLE>Request Error</TITLE>
Request Error (unsupported_protocol)
Your request used a protocol that is not currently supported.
For assistance, contact your network support team.
Resolution
Workaround
By default ProxySG parse HTTP requests strictly and rejecting all syntax errors. A workaround is to configure ProxySG in CLI to tolerate certain syntax errors in HTTP requests.
> enable
# show http
# config t
#(config) http tolerant-request-parsing
NOTE: This will enable tolerant-request-parsing
Feedback
Yes
No
Powered by
