"ICAP 403 Forbidden not in access list" seen in ProxySG healthcheck PCAP when trying to connect to Content Analysis


Article ID: 170749


Content Analysis Software - CA


ICAP healthchecks are failing on the ProxySG.
ICAP traffic is not being sent to the Content Analysis (CA) device.
Pinging the CA from the ProxySG is successful.
GUI access to the CA device is successful.


There is no error message returned in either the GUI or the event logs; however, a PCAP taken on the ProxySG and filtered on the CA's IP address will show:
"ICAP/1.0 403 Forbidden: not in access list"


The customer had an access control list enabled on the CA device that did not match the proxy's IP address.


The following commands are valid for version; consult the CLI admin guide for other versions.

The following command shows the list of allowed subnets. On the CA device, enter enable mode, then type:

show running-config icap access-list 

The output from this command should include the following:

icap access-list [ x.x.x.x/x ]
where x.x.x.x/x is the subnet that is allowed to send ICAP traffic to the CA device.
To clear the entire access list, run the following command (in config mode):

no icap access-list
If you just want to remove one access list entry:
no icap access-list
Alternatively, the list can be set by running this command (make sure you change the subnets to meet your own requirements):

access-list icap,
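A quick way to confirm the mismatch before touching the access list is to check the ProxySG's IP against the subnets reported by "show running-config icap access-list". The helper below is an added example, not part of this article or the CA product; the sample output and the assumption that an empty list means no restriction are both constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of "show running-config icap access-list" output,
# following the "icap access-list [ x.x.x.x/x ]" shape shown in the article.
SAMPLE_RUNNING_CONFIG = "icap access-list [ 10.1.1.0/24 192.168.50.0/24 ]"

# The exact ICAP status line observed in the ProxySG PCAP.
ACL_REJECT_STATUS = "ICAP/1.0 403 Forbidden: not in access list"


def parse_icap_access_list(running_config: str):
    """Return the CIDR subnets listed inside 'icap access-list [ ... ]'."""
    networks = []
    for line in running_config.splitlines():
        m = re.match(r"\s*icap access-list\s*\[\s*(.*?)\s*\]", line)
        if not m:
            continue
        for token in m.group(1).split():
            networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def proxy_allowed(proxy_ip: str, networks) -> bool:
    """True if the ProxySG address falls inside any allowed subnet.

    Assumption (not stated in the article): an empty list, i.e. the access
    list was cleared with 'no icap access-list', imposes no restriction.
    """
    if not networks:
        return True
    addr = ipaddress.ip_address(proxy_ip)
    return any(addr in net for net in networks)


def is_acl_reject(icap_status_line: str) -> bool:
    """Match the 403 seen in the healthcheck PCAP to this specific cause."""
    return icap_status_line.strip() == ACL_REJECT_STATUS


def diagnose(proxy_ip: str, running_config: str, icap_status_line: str) -> str:
    """Combine the PCAP symptom with the CA configuration into one verdict."""
    nets = parse_icap_access_list(running_config)
    if is_acl_reject(icap_status_line) and not proxy_allowed(proxy_ip, nets):
        return f"{proxy_ip} is not covered by the ICAP access list {nets}"
    if proxy_allowed(proxy_ip, nets):
        return f"{proxy_ip} is allowed; look elsewhere for the healthcheck failure"
    return f"{proxy_ip} is not in the access list but no ACL 403 was seen"
```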