General connectivity issues after upgrade from 6.7.x to 7.3.x on Edge SWG (ProxySG)

Possible symptoms:

• IWA or Radius Authentication errors
• No Internet Access
• Can't install/edit/view VPM policy

Event Log errors related:

• 2024-06-13 12:00:04-00:00UTC  "Unexpected transaction termination on URL((null)), client IP(x.x.x.x), server IP(not available): Policy could not be compiled, possibly due to an upgrade problem"  31 3B0003:1  pe_evaluator_impl.cpp:714
• 2024-06-13 12:00:04-00:00UTC  "Policy failed to load because: Warning: Unreachable rule, conditions will be matched by a preceding rule: 'vpm-cpl:92    "  0 70000:64  cfg_proprietor.cpp:662

When trying to install VPM policy following error may occur:

• Error: Keyring does not have a certificate authority's certificate: 'default' policy-services-epilog:601

• Any Edge SWG (ProxySG) after upgrade from 6.7.x to 7.3.x

Version 7.3 added Policy Services feature.

As a part of Policy Services actions some risky Websites may be displayed in Isolated mode.

By default Isolation uses "default" keyring for SSL Interception. If this keyring is expired/invalid this may prevent VPM policy from loading and as a result malfunction of the Proxy.

To work around this issue, set the Web Isolation service to use a keying that contains a valid, non-expired CA certificate. Use the following command:

#(config isolation) issuer-keyring <valid_keyring> 

Alternatively, disable Web Isolation if you do not use the service:

#(config isolation) disable 

• Use Policy Services
• Configure Web Isolation