Cisco WSA log shows 503 status code

DK9
Level 1

Hi, we have 2 WSAs, one of which is showing a 503 error for a specific site. When I tried nslookup in the WSA for that site it shows the server returned no data (in both WSAs).

But the site is working in one WSA and not in the other, and after 15 mins the site started working. Has anyone faced the same issue?

This is happening for random sites, but not frequently.

  1. Tried clearing the DNS cache
  2. DNS TTL value is 15 min in WSA

Anything else to be done?


8 Replies

amojarra
Cisco Employee

Hello @DK9 

Kindly:

[1] In an explicit deployment, the WSA does the name resolution; in a transparent deployment (WCCP, PBR, ...) the client does.

[2] How many DNS servers have you configured in your WSA? If you have more than one, maybe one of the DNS servers is returning no data for name resolution:

WSA_CLI> dig @10.1.1.1 www.example.com
WSA_CLI> dig @10.2.2.2 www.example.com

[3] Otherwise I would say it is best to have a PCAP; maybe there is some issue from upstream (blocked, delayed or non-standard reply).

It is best to filter for both the client IP and the web server IP (with a logical OR):

host x.x.x.x or host y.y.y.y
Please replace x.x.x.x and y.y.y.y with the client and server IP addresses.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

DK9
Level 1

Yes, I have 2, but I am not getting any response for the dig command. Does the dig command use the same port 53 for outside communication? As we have a firewall, we have whitelisted only port 53 to 8.8.8.8.

I took the pcap too with the filter ip host xyzx.com, but in the pcap I am not seeing any traffic in the SNI of that website.

amojarra
Cisco Employee

@DK9 

Thanks for the updates.

I would say, if there is not much load on the WSA, try to capture a PCAP without any filter; otherwise you can filter for the hosts and port 53.

Then please clear the DNS cache (GUI > Network > DNS > Clear cache) and try to reproduce the issue.

Side note, if you can have a PCAP from firewall at the same time, that might come in handy.

Regards,

Amirhossein Mojarrad


DK9
Level 1

Sure, we will do that and check.

Meanwhile, any idea why I am not getting any output for the dig command? Do we need to open any ports in the firewall for outside communication for the dig command, as we have opened only port 53?

amojarra
Cisco Employee

@DK9 

dig uses UDP 53 to the server which you are defining;

it could be some other device before your firewall which is not allowing this connection, or the traffic is going out from the wrong interface.

You can specify the source interface in the dig command:

dig [-s <source IP>] [@<IP address>] hostname [qtype]
# for example if:
# P2 IP address : 10.10.10.10
# DNS IP : 10.1.1.1
dig -s 10.10.10.10 @10.1.1.1 www.cisco.com A 

Regards,

Amirhossein Mojarrad

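As an added example (not code from this thread, from Cisco, or from the WSA), the two checks recommended above, querying each configured DNS server in turn and pinning the query to a chosen source address the way `dig -s` does, combined into one small Python script that speaks raw DNS over UDP/53. The hostnames, resolver addresses and source IP are the thread's placeholder values; the sample replies used by `demo()` are constructed so the script can be run offline. It also distinguishes the "server returned no data" case (NOERROR with an empty answer section) from NXDOMAIN and SERVFAIL, which nslookup output tends to blur together.

```python
import secrets
import socket
import struct

# rcode values from RFC 1035 / RFC 6895
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(hostname, qtype=1, txid=None):
    """Return (wire-format query, txid) for one question, class IN, RD set."""
    if txid is None:
        txid = secrets.randbelow(65536)  # unpredictable id, as a real resolver would use
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid


def classify_response(resp, expected_txid=None):
    """Map a raw DNS reply to the outcome an operator cares about."""
    if len(resp) < 12:
        return "MALFORMED"
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        return "TXID_MISMATCH"  # reply to a question we did not ask: drop it
    if not flags & 0x8000:
        return "NOT_A_RESPONSE"  # QR bit clear: this is a query, not an answer
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, "RCODE%d" % rcode)
    if ancount == 0:
        return "NODATA"  # NOERROR with an empty answer section: "server returned no data"
    return "ANSWER"


def query(hostname, server, source_ip=None, qtype=1, timeout=3.0):
    """Send one UDP/53 query, optionally pinned to a source address (dig -s)."""
    pkt, txid = build_query(hostname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        if source_ip:
            sock.bind((source_ip, 0))  # forces the outgoing interface, like dig -s
        sock.settimeout(timeout)
        try:
            sock.sendto(pkt, (server, 53))
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"  # nothing came back: filtered upstream or wrong egress interface
    return classify_response(resp, txid)


def check_all_resolvers(hostname, servers, source_ip=None):
    """Query every configured resolver and report each one's outcome."""
    return {server: query(hostname, server, source_ip) for server in servers}


# Constructed sample replies (header only, hex) for an offline demonstration.
SAMPLE_REPLIES = {
    "nodata":   bytes.fromhex("1234 8180 0001 0000 0000 0000"),  # NOERROR, 0 answers
    "answer":   bytes.fromhex("1234 8180 0001 0001 0000 0000"),  # NOERROR, 1 answer
    "nxdomain": bytes.fromhex("1234 8183 0001 0000 0000 0000"),  # rcode 3
    "servfail": bytes.fromhex("1234 8182 0001 0000 0000 0000"),  # rcode 2
}


def demo():
    """Classify the constructed replies; no network access needed."""
    return {name: classify_response(raw, 0x1234) for name, raw in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
    # Live use with the thread's placeholder addresses (P2 as source, two resolvers):
    # print(check_all_resolvers("www.example.com", ["10.1.1.1", "10.2.2.2"], source_ip="10.10.10.10"))
```

A resolver that answers NODATA for a name the other resolver answers with a record, or one that only answers when the query leaves from the data interface rather than the management interface, is exactly the split-brain behaviour that shows up as an intermittent 503 on one appliance and not the other; run the live check from each WSA (or any host on the same segment) with the source address of the interface the proxy actually uses.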

DK9
Level 1

Yes, it worked. I think it was sending via the management interface. Thanks a lot.

amojarra
Cisco Employee

Thanks for the update @DK9 

rena168carper
Level 1

@DK9 wrote:

Hi, we have 2 WSAs, one of which is showing a 503 error for a specific site. When I tried nslookup in the WSA for that site it shows the server returned no data (in both WSAs).

But the site is working in one WSA and not in the other, and after 15 mins the site started working. Has anyone faced the same issue?

This is happening for random sites, but not frequently.

  1. Tried clearing the DNS cache
  2. DNS TTL value is 15 min in WSA

Anything else to be done?


Hello @DK9 LhiProviderPortal

Here is a solution for the problem you are facing:

"Certainly! The 503 Service Unavailable error can occur due to various reasons. Let's troubleshoot the issue step by step:

  1. Check resource usage: ensure that the Web Security Appliance (WSA) is not overloaded in terms of CPU, memory, or other resources. Monitor resource utilization and consider upgrading if necessary.
  2. Check for ongoing maintenance: verify if there is any ongoing maintenance or updates on the WSA. Sometimes maintenance can cause temporary unavailability.
  3. Stop running processes: check if there are any processes consuming excessive resources. Stop any unnecessary processes or services.
  4. Reset firewall: restart the WSA firewall service. Sometimes a firewall rule might be blocking access.
  5. Check server logs and fix the code: review server logs for any errors or warnings related to the specific site. Fix any issues in the code or configuration.
  6. Restart your server and networking equipment: restart the WSA and any networking equipment (routers, switches). Sometimes a simple restart can resolve connectivity issues.
  7. Check your DNS: verify DNS settings on both WSAs. Ensure that DNS resolution is working correctly. Consider using an external DNS resolver (e.g., Google DNS) for testing.
  8. Consider random site behavior: if the issue occurs randomly, monitor the behavior over time. Investigate if there are patterns related to specific sites or times."

Hope your problem is resolved!

Best regards 
Rena Carper