
Cannot access any SAC segment Application with Safari after WSS Agent tunnel is up


Article ID: 254117


Products

Secure Access Cloud

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agent is enabled on macOS and used to access SAC segment Applications.

The WSS Agent tunnel comes up successfully after authenticating with SAML.

Using Safari to access the segment Application (which points to an internal Web server) via DNS fails.

Using Chrome after that to access the same Application worked. Once done, the Safari access worked too until the entry was removed from the macOS DNS cache.

Can always access the segment App via IP address.

Environment

WSS integration with SAC.

Using WSS Agent with Split DNS to send DNS requests for SAC segment Application into corporate RFC 1918 DNS server IP address.

WSS Agent 8.2.1 running on macOS.

Cause

DNS handling when the source port is defined as 0.

DNS handling when the DNS AAAA response is returned before the A response.

Resolution

Upgrade to WSS Agent 8.2.3 or greater.

Additional Information

PCAPs from Symdiag confirm that DNS requests are sent to the SAC-configured DNS server correctly.

When the DNS server is configured to send IPv6 and IPv4 responses, and the IPv6 response comes in before the IPv4 response, the agent does not snoop it correctly. The end result is that the WSS Agent does not send the connection request into WSS.
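To check whether a capture shows the ordering described above, the following added example (not Broadcom code) parses DNS messages and lists the names whose AAAA response arrived before the A response. It assumes the DNS UDP payloads and their timestamps have already been extracted from the PCAP; the helper names, host names and sample packets are constructed for illustration.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28

def parse_dns(payload):
    """Return (is_response, qname, qtype) from the header and first question."""
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while payload[pos]:                      # a zero length byte ends the QNAME
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    (qtype,) = struct.unpack("!H", payload[pos + 1:pos + 3])
    return bool(flags & 0x8000), ".".join(labels), qtype   # QR bit marks a response

def aaaa_before_a(packets):
    """packets: (timestamp, dns_udp_payload) pairs. Return the names whose first
    AAAA response arrived before their first A response."""
    first = {}
    for ts, payload in packets:
        is_resp, name, qtype = parse_dns(payload)
        if is_resp and qtype in (QTYPE_A, QTYPE_AAAA):
            key = (name, qtype)
            first[key] = min(ts, first.get(key, ts))
    # Names with no A response at all are not reported.
    return sorted(n for (n, t), ts in first.items()
                  if t == QTYPE_AAAA and ts < first.get((n, QTYPE_A), float("-inf")))

def build(name, qtype, response):
    """Constructed sample message: header plus one question, no answer records."""
    flags = 0x8180 if response else 0x0100
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed capture: hypothetical names, timestamps in seconds.
SAMPLE = [
    (0.000, build("app.corp.example", QTYPE_A, False)),
    (0.001, build("app.corp.example", QTYPE_AAAA, False)),
    (0.020, build("app.corp.example", QTYPE_AAAA, True)),   # AAAA answer first
    (0.035, build("app.corp.example", QTYPE_A, True)),
    (1.010, build("wiki.corp.example", QTYPE_A, True)),     # A answer first
    (1.015, build("wiki.corp.example", QTYPE_AAAA, True)),
]

if __name__ == "__main__":
    print(aaaa_before_a(SAMPLE))
```

Names reported by `aaaa_before_a` are the ones to retest after upgrading the agent.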