Error: "No ICAP server is available" and can't access any web sites in a ProxySG or Advanced Secure Gateway deployment


Article ID: 171723


Products

  - Content Analysis Software - CA
  - Advanced Secure Gateway Software - ASG
  - ProxySG Software - SGOS

Issue/Introduction

All users receive a "No ICAP server is available" message in their web browsers when trying to go to any website on ProxySG or Advanced Secure Gateway (ASG).

ICAP Error (icap_error)

An error occurred while performing an ICAP operation: Server unavailable: No ICAP server is available to process request.

There could be a network problem, the ICAP service may be misconfigured, or the ICAP server may have reported an error.

Cause

There are several possible causes:

  1. The Content Analysis appliance is down and your ICAP policy is set to Deny the client request if an error occurs during ICAP processing.
  2. The antivirus license is invalid or expired.
  3. Secure ICAP settings are inconsistent, or SSL is configured incorrectly.

Resolution

There are several possible solutions to this problem.

Solution 1: If the Content Analysis appliance is down and your ICAP policy is set to Deny the client request if an error occurs during ICAP processing, all requests are denied and users cannot browse the Internet. This also means that if you enable malware scanning on the ProxySG or ASG appliance before setting up Content Analysis, users will not have web access. Have the Content Analysis appliance up and running before you enable malware scanning.

To avoid the support calls that result from lack of web access when the Content Analysis appliance is down, you may want to consider changing the ICAP policy to Continue without malware scanning. With this setting, users can still browse the Internet when the Content Analysis appliance is down. However, this opens up the network to potential viruses being downloaded during the Content Analysis downtime, although desktop virus scanners might provide some protection from malware. See "Add Content Analysis for In-Path Threat Detection" in the ProxySG First Steps WebGuide for details on changing the default setting.


Solution 2: The antivirus license might be invalid or expired. To check the status of the antivirus license on Content Analysis, select System > Licensing.

 

Solution 3: If you are using secure ICAP, this issue can be caused by inconsistent secure ICAP settings across the ICAP service, Content Analysis, and the ICAP policy, or by an incorrect SSL configuration for secure ICAP. For information on how to set up secure ICAP, see "Configuring Secure ICAP by importing certificate CAS/ICAP Server to ProxySG". For detailed information about secure ICAP, see "Integrating Content Analysis 2.2 with other Symantec Products: ProxySG and Malware Analysis".
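To tell these causes apart, you can send an ICAP OPTIONS request (RFC 3507) to the Content Analysis appliance from a host on the proxy's network segment and see where it fails. The following is an added example, not code from this article or from the vendor; the host, port, and the service name `avscan` are placeholder assumptions to replace with the values configured in your ICAP service.

```python
import socket
import ssl

def build_options(host, port, service):
    # RFC 3507 OPTIONS request; ICAP uses CRLF line endings like HTTP/1.1.
    return (f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode("ascii")

def parse_icap_response(raw):
    """Return (status_code, headers) parsed from the ICAP response header block."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/") or not parts[1].isdigit():
        raise ValueError(f"not an ICAP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def probe(host, port=1344, service="avscan", secure=False, cafile=None, timeout=5):
    """Classify the failure. host/port/service are placeholders (assumptions)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return f"UNREACHABLE: {exc}"      # appliance down or port blocked
    try:
        if secure:                        # secure ICAP: verify the server certificate
            ctx = ssl.create_default_context(cafile=cafile)
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(build_options(host, port, service))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
        status, headers = parse_icap_response(raw)
    except ssl.SSLError as exc:
        return f"TLS_FAILURE: {exc}"      # certificate or secure ICAP mismatch
    except (OSError, ValueError) as exc:
        return f"BAD_RESPONSE: {exc}"     # e.g. plain ICAP sent to a TLS port
    finally:
        sock.close()
    if status != 200:
        return f"ICAP_ERROR: status {status}"  # reachable, but server reported an error
    return f"OK: methods={headers.get('methods')} istag={headers.get('istag')}"
```

`UNREACHABLE` points at Solution 1, `TLS_FAILURE` or `BAD_RESPONSE` at Solution 3, and `ICAP_ERROR` means the server answered but reported an error, which is the point to check the appliance itself, including its license status.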
