Users successfully accessing internet sites via Cloud SWG using WSS Agent.

To provide protection against data leakage, a DLP integration was activated with a set of policies.

Users uploading data to DLP enabled sites were getting 503 errors, with following ICAP specific error reported back:

"Connection failure: Could not send data due to dropped connection by the ICAP server"

Access logs confirmed the same ICAP errors reported with additional info in ICAP status fields, and confirming that we could not fail open to serve the request:

 ICAP_COMMUNICATION_ERROR fail_open_unavailable 

DLP Enforcer server logs not showing any requests for the sites reporting 503 errors.

Cloud SWG.

DLP integration.

WSS Agent.

DLP configuration on Cloud SWG not complete.

Removed and re-added the DLP configuration within the Cloud SWG Portal.

Requests from the Proxy to upstream DLP service were missing one key identifier for this tenant, rendering the request invalid.