Proxy unable to establish secure ICAP to CAS.

Article ID: 242326

Products

ProxySG Software - SGOS Content Analysis Software

Issue/Introduction

The Proxy is unable to establish the secure ICAP connection (on port 11344) to CAS, and the health check shows "Down".

  icap.cas1
    Enabled   Check failed   DOWN
    Last status: Unable to connect to service.
    Successes (total): 281506   (last): Mon, 23 May 2022 02:34:45 GMT   (consecutive): 0
    Failures  (total): 413821   (last): Mon, 23 May 2022 02:56:23 GMT   (consecutive): 127   (external): 0
    Last response time: 27 ms   Average response time: 501 ms
    Minimum response time: 23 ms   Maximum response time: 10066 ms

However, using plain ICAP (on port 1344) works fine.

CAS has two IPs: one configured on interface 0:0 (in this example, 10.0.80.50) and the other configured on interface 1:0 (in this example, 10.0.80.30).

Cause

The issue occurs because the ICAP service URL configured on the Proxy uses a different IP or hostname from the one configured on the CAS.

Below is how it looks on the Proxy, where the configured IP is 10.0.80.50:

This IP, 10.0.80.50, is a valid IP configured on CAS.

On CAS, however, under the ICAP settings (Settings > ICAP), the certificate has the Common Name "10.0.80.30".

This IP, 10.0.80.30, is configured on another interface in CAS.

The packet capture does not show an issue in the SSL handshake because 10.0.80.50 is a valid IP configured on CAS.

The CAS ICAP_Connection log shows that no "test.exe" file was sent when the Proxy performed the health check test.

2022-05-23T10:52:09.890841+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A
2022-05-23T10:53:29.909763+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A
2022-05-23T10:54:49.928240+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     :  verdict not malicious.  Hash: 0000000000000000000000000000000000000000 Tenant: N/A Transaction: N/A

Below is an example of what the CAS ICAP_Connection log shows when the health check is working:

2022-05-23T10:35:02.252672+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     : RESPMOD:http://icap.health.check/test.exe  - -
2022-05-23T10:35:02.252902+08:00 CAS1-10.0.80.30 info avservice[7959]: INFO     : http://icap.health.check/test.exe verdict not malicious.  Hash: 610e973d05145fd4c3e6c97ff349907fdc8ec4b7 Tenant: N/A Transaction: N/A

Resolution

Change the IP or hostname configured on the Proxy to match the Common Name in the CAS certificate.
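One way to confirm that the host in the service URL matches the certificate's Common Name, as an added example that is not part of the original article or the product's own tooling. The function names, the `icap://.../avscan` sample URLs and the sample certificate dict are constructed for illustration; `fetch_cert` assumes the secure ICAP port accepts a direct TLS connection and that `cafile` holds the CAS certificate or its issuer.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample: subject of the CAS certificate described in this article,
# in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {"subject": ((("commonName", "10.0.80.30"),),)}

def common_name(cert):
    """Return the subject Common Name from a getpeercert()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _norm(name):
    """Normalise an IP literal or hostname so equal names compare equal."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return name.rstrip(".").lower()

def check_service_url(service_url, cert):
    """Return (matches, configured_host, certificate_cn)."""
    host, cn = urlsplit(service_url).hostname, common_name(cert)
    ok = bool(host and cn) and _norm(host) == _norm(cn)
    return ok, host, cn

def fetch_cert(host, port=11344, cafile=None, timeout=5):
    """Fetch the certificate presented on the secure ICAP port.

    Assumption: the port speaks TLS directly and cafile contains the CAS
    certificate or its issuer. The chain is still verified; only hostname
    checking is disabled so the name can be compared by check_service_url().
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Service URLs are constructed; the path is a placeholder.
    for url in ("icap://10.0.80.50/avscan", "icap://10.0.80.30/avscan"):
        ok, host, cn = check_service_url(url, SAMPLE_CERT)
        print(f"{url}: host={host} cn={cn} -> {'match' if ok else 'MISMATCH'}")
```

Against a live CAS, pass the result of `fetch_cert(...)` in place of `SAMPLE_CERT`.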

Below is an example of how the ICAP service URL on the Proxy is supposed to look: