"ICAP 403 Forbidden not in access list" seen in ProxySG healthcheck PCAP when trying to connect to Content Analysis

Article ID: 170749

Products

Content Analysis Software - CA

Issue/Introduction

ICAP healthchecks are failing on the ProxySG.
ICAP traffic is not being sent to the Content Analysis (CA) device.
Pinging the CA from the ProxySG is successful.
GUI access to the CA device is successful.


 

No error is reported in either the GUI or the event logs. However, a packet capture taken on the ProxySG and filtered on the CA's IP address shows the CA answering each healthcheck request with:
"ICAP/1.0 403 Forbidden: not in access list"
 

Cause

An ICAP access control list was enabled on the CA device, and the ProxySG's IP address did not fall within any of the allowed subnets, so the CA rejected the healthcheck (and every other ICAP request from that proxy) with a 403.

Resolution

The following commands are valid for Content Analysis version 2.3.5.1; consult the CLI administration guide for other versions.

To display the list of allowed subnets, enter enable mode on the CA device and run:

show running-config icap access-list 

The output from this command should include a line of the form:

icap access-list [ x.x.x.x/x ]
 
where x.x.x.x/x is a subnet that is allowed to send ICAP traffic to the CA device. Check that the source IP address the ProxySG uses for ICAP falls inside one of the listed subnets; if it does not, that is the cause of the 403.
 
To clear the entire access list, run the following command in config mode:

no icap access-list
 
To remove a single access list entry (here, a /32 for one host):
 
no icap access-list 192.168.1.221/32
 
Alternatively, the whole list can be set in one command (replace the subnets with the addresses or subnets of your own ProxySG appliances):

access-list icap 192.0.2.0/24,192.0.3.0/24
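The check described above, carried out offline, as an added example that is not part of the original article and not Content Analysis code: it parses the `icap access-list [ ... ]` line in the format the article shows, tests whether a given ProxySG source IP falls inside any allowed subnet, recognises the 403 status line seen in the pcap, and builds the comma-separated subnet list you would then apply on the CA. The sample config line and ICAP response line are constructed; the assumption that an empty list imposes no restriction follows from the article's "clear the list" resolution and is marked as such in the code.

```python
"""Added example, not from the Broadcom KB article or the Content Analysis CLI.

Decide whether a ProxySG is covered by the CA's ICAP access list, and if not,
produce the subnet string to feed back to the access-list command.
"""
import ipaddress
import re

# Constructed sample of the access-list line, in the format the article shows.
SAMPLE_RUNNING_CONFIG = """\
icap access-list [ 192.0.2.0/24,192.0.3.0/24 ]
"""

# Constructed: the ICAP status line a ProxySG pcap shows when it is rejected.
SAMPLE_ICAP_RESPONSE = "ICAP/1.0 403 Forbidden: not in access list\r\n"

ACCESS_LIST_RE = re.compile(r"icap access-list\s*\[\s*([^\]]*?)\s*\]")
REJECTION_RE = re.compile(r"^ICAP/1\.0 403 Forbidden: not in access list")


def parse_access_list(config_text):
    """Return the allowed subnets as ip_network objects (empty list if none)."""
    m = ACCESS_LIST_RE.search(config_text)
    if not m or not m.group(1):
        return []
    # strict=False tolerates entries written with host bits set (e.g. 10.1.2.3/24)
    return [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in m.group(1).split(",") if entry.strip()]


def proxy_is_allowed(proxy_ip, networks):
    """True when proxy_ip lies inside at least one allowed subnet.

    Assumption (from the article's 'clear the list' fix): an empty access
    list means the CA does not restrict ICAP sources at all.
    """
    if not networks:
        return True
    addr = ipaddress.ip_address(proxy_ip)
    # 'in' returns False across IPv4/IPv6 mismatches instead of raising.
    return any(addr in net for net in networks)


def is_access_list_rejection(icap_status_line):
    """Match the status line the article reports seeing in the ProxySG pcap."""
    return REJECTION_RE.match(icap_status_line) is not None


def corrected_access_list(proxy_ip, networks):
    """Return the comma-separated subnet list to apply on the CA.

    If the proxy is already covered the list is returned unchanged; otherwise
    a host route (/32 or /128) for the proxy is appended.
    """
    entries = [str(n) for n in networks]
    if not proxy_is_allowed(proxy_ip, networks):
        entries.append(str(ipaddress.ip_network(proxy_ip)))  # /32 for IPv4
    return ",".join(entries)


if __name__ == "__main__":
    allowed = parse_access_list(SAMPLE_RUNNING_CONFIG)
    proxy = "192.168.1.221"  # constructed ProxySG ICAP source address
    print("allowed subnets:", ", ".join(str(n) for n in allowed))
    print("pcap shows access-list rejection:",
          is_access_list_rejection(SAMPLE_ICAP_RESPONSE))
    print("proxy", proxy, "allowed:", proxy_is_allowed(proxy, allowed))
    print("list to apply:", corrected_access_list(proxy, allowed))
```

Paste the real `show running-config icap access-list` output into `SAMPLE_RUNNING_CONFIG` and the ProxySG's ICAP source address into `proxy`; the printed list is what you would pass to the access-list command, after confirming the exact command syntax for your CA version in the CLI guide.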