04-25-2024 06:40 AM
Hi, we have 2 WSAs, out of which one WSA is showing a 503 error for a specific site. When I tried nslookup in the WSA for that site, it shows "the server returned no data" (in both WSAs).
But the site is working in one WSA and not in the other, and after 15 mins the site started working. Has anyone faced the same issue?
This is happening for random sites, but not frequently.
Anything else to be done?
04-25-2024 10:09 AM
Hello @DK9,
kindly:
[1] In explicit deployment, the WSA is doing the name resolution; in transparent deployment (WCCP, PBR, ...) the client does.
[2] How many DNS servers have you configured in your WSA? If you have more than one, maybe one of the DNS servers is returning no data for name resolution:
WSA_CLI> dig @10.1.1.1 www.example.com
WSA_CLI> dig @10.2.2.2 www.example.com
[3] Else I would say it is best to have a PCAP; maybe there is some issue from upstream (blocked, delayed, or non-standard reply).
It is best to filter for both the client IP and the webserver IP (with a logical or):
host x.x.x.x or host y.y.y.y
Please replace x.x.x.x and y.y.y.y with the client and server IP addresses.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
04-26-2024 01:57 AM
Yaaa, I have 2, but I am not getting any response for the dig command. Does the dig command use the same port 53 for outside communication? As we have a firewall, we have whitelisted only port 53 to 8.8.8.8.
I took the pcap too, with the filter ip host xyzx.com, but in the pcap I am not seeing any traffic in the SNI of that website.
04-26-2024 05:14 AM
Thanks for the updates.
I would say, if there is not much load on the WSA, try to capture a PCAP without any filter; else you can filter for the hosts and port 53.
Then please clear the DNS cache (GUI > Network > DNS > Clear Cache) and try to reproduce the issue.
Side note: if you can have a PCAP from the firewall at the same time, that might come in handy.
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
04-26-2024 05:18 AM
Sure, we will do that and check.
Meanwhile, any idea why I am not getting any output for the dig command? Do we need to open any ports in the firewall for outside communication for the dig command, as we have opened only port 53?
04-26-2024 10:09 AM
dig uses UDP 53 to the server which you are defining;
it could be some other device before your firewall which is not allowing this connection, or the traffic is going out from the wrong interface.
You can specify the source interface in the dig command:
dig [-s <source IP>] [@<IP address>] hostname [qtype]
# for example if:
# P2 IP address : 10.10.10.10
# DNS IP : 10.1.1.1
dig -s 10.10.10.10 @10.1.1.1 www.cisco.com A
Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
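The two checks above (querying each configured DNS server in turn, and forcing the query out of a chosen source address as `dig -s` does on the WSA) can be reproduced from any host to confirm what the appliance sees. The script below is an added example, not code from the thread or from Cisco; it builds a raw DNS A query with Python's socket module instead of calling dig, so the resolver addresses 10.1.1.1 / 10.2.2.2, the source address 10.10.10.10 and the name www.example.com are constructed assumptions. It also classifies replies so that a NOERROR answer with an empty answer section (the "server returned no data" symptom) is distinguished from NXDOMAIN, SERVFAIL and a timeout, which is what tells a filtered or mis-routed query apart from a resolver that genuinely has nothing for the name. The constructed sample replies at the end let the parser run offline.

```python
import socket
import struct

# Constructed values for illustration only (not from the thread): two resolvers
# as configured on the WSA, and the data-interface (P2) address to source from,
# the equivalent of `dig -s <source IP>` in the WSA CLI.
RESOLVERS = ["10.1.1.1", "10.2.2.2"]
SOURCE_IP = "10.10.10.10"
QNAME = "www.example.com"


def build_a_query(name, txid=0x1234):
    """Build a minimal DNS A query (RD set, one question, no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def classify_response(data):
    """Map a raw reply to what dig/nslookup would report: 'answer', 'nodata'
    (NOERROR with an empty answer section, the 'server returned no data'
    symptom), 'nxdomain', 'servfail', 'refused' or 'other'."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    names = {2: "servfail", 3: "nxdomain", 5: "refused"}
    if rcode in names:
        return names[rcode]
    if rcode != 0:
        return "other"
    return "answer" if an > 0 else "nodata"


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the next offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_a_records(data):
    """Return the IPv4 addresses found in the answer section of a reply."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return addrs


def query(resolver, name, source_ip=None, timeout=3.0):
    """Send one A query over UDP/53, optionally bound to source_ip (like dig -s)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))  # forces the egress interface
        sock.sendto(build_a_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
        return classify_response(data), parse_a_records(data)
    except socket.timeout:
        return "timeout", []  # filtered upstream, or left via the wrong interface
    finally:
        sock.close()


def check_all(name, resolvers, source_ip=None):
    """Query every configured resolver so a single misbehaving one stands out."""
    return {r: query(r, name, source_ip) for r in resolvers}


def sample_response(kind, txid=0x1234):
    """Constructed replies matching the symptoms discussed in the thread."""
    question = build_a_query(QNAME, txid)[12:]
    if kind == "nodata":  # NOERROR but ANCOUNT=0: 'server returned no data'
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    if kind == "nxdomain":  # RCODE 3
        return struct.pack(">HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    # one A record for the question name (192.0.2.10 is a documentation address)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    for kind in ("answer", "nodata", "nxdomain"):
        data = sample_response(kind)
        print(kind, "->", classify_response(data), parse_a_records(data))
    # Live check (needs network reachability to the assumed resolvers):
    # print(check_all(QNAME, RESOLVERS, SOURCE_IP))
```

Run against the real resolvers, a "timeout" from one source address and an "answer" from another points at the egress path (the management interface case resolved later in this thread), while "nodata" from only one of the two resolvers points at that resolver rather than at the firewall.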
04-28-2024 09:31 PM
Ya, it worked. I think it was sending via the management interface. Thanks a lot.
04-29-2024 04:49 AM
Thanks for the update @DK9