Forwarding to a non-DNS resolvable URL will cause a 503 response code error if protocol detection is disabled.


Article ID: 272895


Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

The user receives a 503 response code when trying to browse to a URL or domain name.

The DNS configured on the proxy is unable to resolve the domain name or URL.

The URL has a forwarding policy pointing to an IP address because the name is not DNS resolvable.

The 'Detect Protocol' option on the proxy service is disabled.

Only HTTPS websites are affected; HTTP to the same destination works fine.

 

The policy trace will look like the one below:

CONNECT tcp://www.example.com:443/
...
verdict: EXCEPTION(tcp_error): Request could not be handled
 ...
server.response.code: 0
client.response.code: 503

Cause

The issue is that the proxy had the 'Detect Protocol' option on the proxy service disabled.

When protocol detection is disabled, the CONNECT request is not handed off to the SSL proxy and is instead tunneled as plain TCP. Inside the TCP tunnel the proxy does not apply the forwarding policy; it tries to resolve the domain name itself, and because the proxy's DNS cannot resolve it, the connection to the server fails and the client receives a 503 response.

The failing request uses HTTPS. The same destination over plain HTTP succeeds even with protocol detection disabled, because an HTTP request does not need to be handed off to the SSL proxy: it matches the forwarding policy and is sent to the configured IP address.
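A small parser for the policy-trace signature described above, added here as an example and not part of the article or of SGOS. It assumes the trace uses the 'key: value' layout shown in the article; the sample trace is constructed and the domain is a placeholder.

```python
import re

# Constructed sample policy trace, modelled on the one in the article.
SAMPLE_TRACE = """\
CONNECT tcp://www.example.com:443/
...
verdict: EXCEPTION(tcp_error): Request could not be handled
...
server.response.code: 0
client.response.code: 503
"""

FIELD_RE = re.compile(r"^([\w.]+):\s*(.*)$")
REQUEST_RE = re.compile(r"^(\w+)\s+(\w+)://([^:/]+)(?::(\d+))?")


def parse_trace(text):
    """Return the request line parts and the key/value fields of one trace."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        m = REQUEST_RE.match(line)
        if m and "method" not in info:
            info["method"], info["scheme"], info["host"], info["port"] = m.groups()
            continue
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def looks_like_tunneled_connect_failure(info):
    """True when a CONNECT was handled as a plain TCP tunnel (tcp:// scheme,
    no server response) and ended in a tcp_error with a 503 to the client.
    This matches the article's symptom; it does not prove the root cause, so
    the 'Detect Protocol' setting on the service still has to be checked."""
    return (
        info.get("method") == "CONNECT"
        and info.get("scheme") == "tcp"
        and "tcp_error" in info.get("verdict", "")
        and info.get("server.response.code") == "0"
        and info.get("client.response.code") == "503"
    )


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(trace["host"], looks_like_tunneled_connect_failure(trace))
```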

Resolution

Enable the 'Detect Protocol' option on the proxy service.