search cancel

Access logs for the ProxySG appliance and WSS contain multiple ICAP_COMMUNICATION_ERROR messages from Content Analysis responses

book

Article ID: 254970

calendar_today

Updated On:

Products

Content Analysis Software ProxySG Software - SGOS Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Depending on whether you set Content Analysis to serve or block password-protected archives, you might see an increase in ICAP_COMMUNICATION_ERROR messages in the ProxySG and Web Security Service (WSS) access logs.

The following flowchart shows the responses Content Analysis returns to the ProxySG appliance and WSS, and the actions the ProxySG appliance and WSS take.

Example Access Log Outputs

The following access log outputs are examples of the logs generated when Content Analysis is set to serve and block, and a user tries to download password-protected files. When set to serve, the logs contain ICAP_NO_MODIFICATION or ICAP_REPLACEMENT_REQUIRED. When set to block, the logs contain ICAP_COMMUNICATION_ERROR.

Example of access log when Content Analysis is set to serve

2022-11-29 22:09:50 1265 200 TCP_NC_MISS GET 10.169.31.53 80 /testfile500kb.zip "icap-error-code: password_protected, icap-error-details: File is password protected; File: testfile500kb.zip; Sub File: ; Vendor: McAfee, Inc.; Engine version: 6300.9389.412886189; Pattern version: 10546.0; Pattern date: 2022/11/29" ICAP_NO_MODIFICATION - 10.169.74.61 - -

Example of access log when Content Analysis is set to block

2022-11-29 22:09:21 1230 200 TCP_NC_MISS_RST GET 10.169.31.53 80 /testfile500kb.zip "icap-error-code: password_protected, icap-error-details: File is password protected; File: testfile500kb.zip; Sub File: ; Vendor: McAfee, Inc.; Engine version: 6300.9389.412886189; Pattern version: 10546.0; Pattern date: 2022/11/29" ICAP_COMMUNICATION_ERROR - 10.169.74.61 - fail_closed

Resolution

If you see communication errors in the ProxySG and WSS access logs and you have the password-protected archive set to block, these communication errors are normal and expected behavior.

Note: When other options from the Policies for Anti-virus exceptions list are set to block, you might also see an increase in ICAP_COMMUNICATION_ERROR messages in the access logs. For more information on each option, see the Content Analysis documentation on setting AV scanning behavior.

Attachments