Request Error: network_not_allowed


Article ID: 220013


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Request Error

Your request could not be processed.  Access to "(RFC 1918 IP address)" is not allowed through this proxy.

This could be caused by a misconfiguration, or possibly a malformed request.

Tech support information: network_not_allowed

Cause

The hostname being accessed over the Internet through WSS resolves to an RFC 1918 IP address. Internet routers do not route non-routable IP addresses. Because there is no route to a non-routable IP address, the WSS proxy has to return an error.

To determine whether the host resolves to a non-routable IP address, run dig or nslookup against the hostname. Sometimes the host is load balanced between two IP addresses, one of which is valid. In that case the website might work intermittently.
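The lookup check described above, as an added example that is not part of the original article: shell functions that classify the A records printed by `dig +short A <host>` against the three RFC 1918 blocks. The function names, the hostname and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify resolver answers against the RFC 1918 blocks
# (10/8, 172.16/12, 192.168/16). Function names are hypothetical.

# Return 0 if $1 is an IPv4 address inside an RFC 1918 block, 1 otherwise.
is_rfc1918() {
    case "$1" in
        10.*.*.*|192.168.*.*) return 0 ;;
        172.*.*.*)
            second=${1#172.}       # strip the first octet
            second=${second%%.*}   # keep only the second octet
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi ;;
    esac
    return 1
}

# Read one answer per line on stdin (the format of `dig +short A <host>`)
# and print a verdict: all-private, mixed, all-public or no-a-records.
classify_answers() {
    private=0; public=0
    while IFS= read -r addr; do
        case "$addr" in
            *[!0-9.]*|"") continue ;;   # skip CNAME targets and blank lines
        esac
        if is_rfc1918 "$addr"; then
            private=$((private + 1))
        else
            public=$((public + 1))
        fi
    done
    if [ "$private" -gt 0 ] && [ "$public" -gt 0 ]; then echo "mixed"
    elif [ "$private" -gt 0 ]; then echo "all-private"
    elif [ "$public" -gt 0 ]; then echo "all-public"
    else echo "no-a-records"
    fi
}

# Constructed sample answer (a CNAME target followed by two A records).
# Against a live resolver: dig +short A <host> | classify_answers
printf '%s\n' 'lb.example.net.' '10.20.30.40' '203.0.113.10' | classify_answers   # prints: mixed
```

A verdict of `all-private` matches the consistent network_not_allowed error; `mixed` matches the intermittent case where only one of the load-balanced addresses is valid.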

Resolution

Because the DNS records are controlled by a third party, WSS cannot fix the issue. The best way to resolve this kind of error is to contact the DNS administrator of the misconfigured site and have them fix their DNS record. If that is not possible, another option is to bypass the site from the WSS service and go direct.

Additional Information

Pertinent information from RFC1918:

   The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)


   Because private addresses have no global meaning, routing information
   about private networks shall not be propagated on inter-enterprise
   links, and packets with private source or destination addresses
   should not be forwarded across such links. Routers in networks not
   using private address space, especially those of Internet service
   providers, are expected to be configured to reject (filter out)
   routing information about private networks. If such a router receives
   such information the rejection shall not be treated as a routing
   protocol error.

   Indirect references to such addresses should be contained within the
   enterprise. Prominent examples of such references are DNS Resource
   Records and other information referring to internal private
   addresses. In particular, Internet service providers should take
   measures to prevent such leakage.