ICAP 502 Bad Gateway response from Protection Engine
search cancel

ICAP 502 Bad Gateway response from Protection Engine


Article ID: 202682


Updated On:


Protection Engine for Cloud Services Protection Engine for NAS


Your ICAP connector receives an ICAP 502 Bad Gateway response from Symantec Protection Engine (SPE)

C: FILEMOD icap:// ICAP/1.0
C: Host:
C: X-Filepath: /tmp/test.txt
C: Connection: close
C: Encapsulated: null-body=0
S: ICAP/1.0 502 Bad Gateway
S: ISTag: "24CE0504214948822CCF6434E0C4F7AB"
S: Date: Tue Nov  3 21:59:25 2020 GMT
S: Service: Symantec Protection Engine/


SPE 7.x, 8.x


SPE cannot access the specified file at the location indicated in your connector's FILEMOD request. This is the only cause for an ICAP 502 Bad Gateway response.

Access can fail for reasons including but not limited to:

  • filename is incorrect
  • file does not exist at specified path
  • file is locked
  • the SPE service account does not have permissions to access the file
  • Antivirus software is preventing access

If the file path is for a network location (including locally mounted network storage such as an Azure blob or an AWS S3 bucket), then there may be a delay between when the scan request is created and when the file is actually available from SPE's perspective. For example, if your connector is monitoring the network storage, it may see the file as available and send the request before the file is available on the mount point, causing this result.


Ultimately, you will need to find the environmental factor that is causing file access to fail. Ensure the following:

  • filename is correct
  • file exists at specified path
  • file is not locked at the time SPE tries to scan
  • the SPE service account has permissions to access the file.
  • the connector is not sending the scan request before the file is available on the mount point
  • SPE has network access to the file if applicable
  • No other antivirus software is blocking access to the file or locking the file.

Additional Information

This response is not logged on SPE in either the scanning logs (<install dir>/log/) or the CSAPI logs if they have been enabled.