Edge SWG (formerly ProxySG) unable to established secure ICAP to CAS.
search cancel

Edge SWG (formerly ProxySG) unable to established secure ICAP to CAS.

book

Article ID: 242326

calendar_today

Updated On:

Products

ProxySG Software - SGOS Content Analysis Software

Issue/Introduction

ProxySG unable to establish the secure ICAP connection (port 11344) to CAS where the health check shows "Down".

  icap.cas1
    Enabled   Check failed   DOWN
    Last status: Unable to connect to service.
    Successes (total): 281506   (last): Mon, 23 May 2022 02:34:45 GMT   (consecutive): 0
    Failures  (total): 413821   (last): Mon, 23 May 2022 02:56:23 GMT   (consecutive): 127   (external): 0
    Last response time: 27 ms   Average response time: 501 ms
    Minimum response time: 23 ms   Maximum response time: 10066 ms

However using the non-secure ICAP (on port 1344) works fine.

CAS has two IPs configured, one on interface 0:0 (in this example, 10.0.80.50) and the other one is configured on interface 1:0 (in this example, 10.0.80.30)

 

Cause

The issue is because on the ProxySG, the configuration for the ICAP's service URL is configured with a different IP or hostname than whats been configured on the CAS.

Below is what it looks like on the ProxySG where the IP has been configured is 10.0.80.50:

The IP10.0.80.50 is actually a valid IP configured on CAS.

 

On CAS, under the ICAP settings (Settings > ICAP), the certificate has the Common Name of "10.0.80.30".

Where IP 10.0.80.30 is an IP that's configured on another interface in CAS.

The packet capture does not show an issue on the SSL handshake because the IP 10.0.80.50 is a valid IP that's been configured on CAS.

 

The CAS's ICAP_Connection logs show there was no "test.exe" file sent during the time when the ProxySG performed the heath check.

2022-05-23T10:52:09.890841+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A
2022-05-23T10:53:29.909763+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A
2022-05-23T10:54:49.928240+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A

 

Below is a working example from CAS ICAP_Connection log.

2022-05-23T10:35:02.252672+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     : RESPMOD:http://icap.health.check/test.exe  - -
2022-05-23T10:35:02.252902+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     : http://icap.health.check/test.exe verdict not malicious.  Hash: 610e973d05145fd4c3e6c97ff349907fdc8ec4b7 Tenant: N/A Transaction: N/A

Resolution

Change the IP or the hostname configured on the ProxySG to be the same as the CAS's certificate Common Name.

Below is a working example on ICAP service URL on the ProxySG.

Attachments

Powered by Wolken Software