Web sites accessed with dedicated IP address fail for North American users while European users work fine

Article ID: 369344

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using WSS Agents.

The dedicated IP address feature is enabled for a number of applications.

One specific application, accessed with the dedicated IP feature enabled, works for users reaching Cloud SWG POPs in Europe, but North American users get an error page reporting "tcp_error" instead of the application page.

Environment

Cloud SWG.

WSS Agent access method (although the issue will occur with all access methods).

Dedicated IP address feature enabled for application experiencing issue.

UPE policy pushed out to Cloud SWG.

Cause

A policy rule applicable to US users overwrites the forwarding directive needed by the dedicated IP address logic.

Resolution

Modify the policy so that the condition applicable to North American users does not execute the "direct(yes)" statement.

Additional Information

Looking at a policy trace from the impacted Cloud proxy:

  • A DEI match for the example.com domain is found and the proxy starts the process of forwarding the request to the dedicated IP gateway.
  • We then MATCH on a condition that sets the direct(yes) directive:

    MATCH:         condition=Example_Bypass direct(yes) reference_id(ExampleRuleID)

    This direct() directive overwrites the forward path to the NAT gateway and tells the proxy to go direct. From the policy docs:

    direct(): Used to prevent requests from being forwarded to a parent proxy or SOCKS server, when the appliance is configured to forward requests.
    When set to yes, <Forward> layer policy is not evaluated for the transaction.

  • Looking at the Example_Bypass condition to see how this matched, I can see that there's something in here that would only impact North American users …

    define condition Example_Bypass
        category=Ireland_Whitelist group=Ireland_InternetAccess
        category=NA_Whitelist group=NA_InternetAccess
        category=UK_Whitelist condition=UK_InternetAccess
    end

    Within the NA_Whitelist category, we see a reference to the dedicated IP domain.

    define category NA_Whitelist
    ...
        //example.com/
    ...
    end

    As soon as we removed this, all started working fine.
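A corrected version of the policy fragments above, written here as an added example and not the customer's actual policy. The dedicated IP domain is taken out of NA_Whitelist, and a guard rule is placed ahead of the bypass rule so the dedicated IP application can never be sent direct; the Dedicated_IP_Apps category name, the placeholder bypass domain and the guard rule itself are assumptions, not part of the original policy.

```cpl
; Corrected bypass policy (added example). The //example.com/ entry that used
; to sit in NA_Whitelist is gone, so Example_Bypass no longer matches the
; dedicated IP application for North American users.
; Dedicated_IP_Apps and the guard rule below are assumptions added as a
; safety net, not part of the original policy.

define category Dedicated_IP_Apps
    //example.com/              ; application served via the dedicated IP gateway
end

define category NA_Whitelist
    //bypass-only.example/      ; constructed placeholder for a genuine bypass site
end

define condition Example_Bypass
    category=Ireland_Whitelist group=Ireland_InternetAccess
    category=NA_Whitelist group=NA_InternetAccess
    category=UK_Whitelist condition=UK_InternetAccess
end

<Proxy>
    ; Guard: within a layer the first matching rule wins, so this rule stops
    ; evaluation for dedicated IP domains before direct(yes) can be applied,
    ; leaving the <Forward> layer (and the dedicated IP gateway) in effect.
    category=Dedicated_IP_Apps direct(no)
    condition=Example_Bypass direct(yes)
```

After pushing the policy, re-run the policy trace for a North American user and confirm that the MATCH line for Example_Bypass no longer appears for the dedicated IP domain.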