Cisco WSA log shows 503 status code

DK9 (Level 1)

Hi, we have 2 WSAs, of which one is showing a 503 error for a specific site. When I tried nslookup on the WSA for that site, it shows "the server returned no data" (on both WSAs).

But the site is working on one WSA and not on the other, and after 15 mins the site started working. Has anyone faced the same issue?

This is happening for random sites, but not frequently.

  1. Tried clearing the DNS cache
  2. The DNS TTL value is 15 min in the WSA

Anything else to be done?


7 Replies

amojarra (Cisco Employee)

Hello @DK9,

Kindly:

[1] In an explicit deployment, the WSA does the name resolution; in a transparent deployment (WCCP, PBR, ...) the client does.

[2] How many DNS servers have you configured in your WSA? If you have more than one, maybe one of the DNS servers is returning no data for name resolution:

WSA_CLI> dig @10.1.1.1 www.example.com
WSA_CLI> dig @10.2.2.2 www.example.com

 

[3] Otherwise, I would say it is best to have a PCAP; maybe there is some issue from upstream (blocked, delayed, or non-standard reply).

It is best to filter for both the client IP and the web server IP (with a logical OR):

host x.x.x.x or host y.y.y.y

Please replace the x.x.x.x and y.y.y.y with the client and server IP addresses.

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++        If you find this answer helpful, please rate it as such      ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

DK9 (Level 1)

Yes, I have 2, but I am not getting any response for the dig command. Does the dig command use the same port 53 for outside communication? As we have a firewall, we have whitelisted only port 53 to 8.8.8.8.

I took the pcap too, with the filter ip host xyzx.com, but in the pcap I am not seeing any traffic with the SNI of that website.

amojarra (Cisco Employee)

@DK9

Thanks for the updates.

I would say, if there is not much load on the WSA, try to capture a PCAP without any filter; otherwise you can filter for the hosts and port 53.

Then please clear the DNS cache (GUI > Network > DNS > Clear Cache) and try to reproduce the issue.

Side note: if you can get a PCAP from the firewall at the same time, that might come in handy.

Regards,

Amirhossein Mojarrad


DK9 (Level 1)

Sure, we will do that and check.

Meanwhile, any idea why I am not getting any output for the dig command? Do we need to open any ports in the firewall for outside communication for the dig command, as we have opened only port 53?

amojarra (Cisco Employee), accepted solution

@DK9

dig uses UDP 53 to the server which you are defining.

It could be some other device before your firewall that is not allowing this connection, or the traffic is going out from the wrong interface.

You can specify the source interface in the dig command:

dig [-s <source IP>] [@<IP address>] hostname [qtype]
# for example if:
# P2 IP address : 10.10.10.10
# DNS IP : 10.1.1.1
dig -s 10.10.10.10 @10.1.1.1 www.cisco.com A

Regards,

Amirhossein Mojarrad

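As an added example (not code from this thread, the WSA, or Cisco), the following Python probe does what the dig -s command above does: it sends an A query over UDP 53 from a chosen source address and decodes the reply, so that the "server returned no data" case (NOERROR with zero answers) can be told apart from NXDOMAIN or a timeout caused by the firewall or a wrong egress interface. The function names are assumptions; the 10.10.10.10 and 10.1.1.1 addresses are the thread's own example values.

```python
# Added example: a minimal DNS A-record probe with a selectable source
# address, mirroring "dig -s <source> @<server> <name> A" on the WSA.
# Standard library only; the wire-format helpers are unit-testable offline.
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a recursive A/IN query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, txid=0x1234):
    """Return (rcode_name, answer_count) from a raw reply.

    NOERROR with 0 answers is the 'no data' result nslookup reported above;
    it is a real answer from the resolver, not a blocked path.
    """
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}"), an


def probe(name, server, source_ip=None, timeout=3.0):
    """Query `server` over UDP/53 from `source_ip` (None = OS picks the interface)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if source_ip:
            sock.bind((source_ip, 0))  # force egress via the interface owning this IP
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data)
    except socket.timeout:
        return ("TIMEOUT", 0)  # nothing returned: filtered path or wrong interface
    finally:
        sock.close()


if __name__ == "__main__":
    # Example values from the thread (assumed): P2 data interface and resolver IP.
    for src in (None, "10.10.10.10"):
        print(src or "default", probe("www.cisco.com", "10.1.1.1", src))
```

Running it once with the default source and once bound to the data-interface IP shows directly whether the management interface is the one being filtered.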

DK9 (Level 1)

Yes, it worked. I think it was sending via the management interface. Thanks a lot.

amojarra (Cisco Employee)

Thanks for the update, @DK9.