ICAP healthchecks are failing on the ProxySG.
ICAP traffic is not being sent to the Content Analysis (CA) device.
Pinging the CA from the ProxySG is successful.
GUI access to the CA device is successful.
There is no error message returned in either the GUI or the eventlogs however a pcap taken on the ProxySG filtered on the CA's IP address will show
"ICAP/1.0 403 Forbidden: not in access list"
The customer had an access control list enabled on the CA device which did not match the proxies IP address.
The following commands are valid for version 2.3.5.1, consult the the CLI admin guide for other versions
The following command will show the list of allowed subnets, from the CA device enter enable mode then type
show running-config icap access-list
the output from this command should include the following