The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site
| Solution ID |
sk107313 |
| Product |
VSX, Enterprise Appliances |
| Version |
R77.30 |
| OS |
Gaia |
| Platform / Model |
2000, 4000, 12000 VSX, 13000, 21000 VSX, IP1280, IP2450, Intel/PC, VSX-1, UTM-1, Power-1 |
| Date Created |
01-Sep-2015
|
| Last Modified |
04-Jan-2016
|
Symptoms
Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site.
Traffic capture in FW Monitor (sk30583) shows that traffic from Clients passes all Inbound chains.
Kernel debug ('fw ctl debug -m fw + drop') does not show any drops related to these Clients and HTTP/HTTPS Proxy.
Disabling the HTTP/HTTPS Proxy on the involved Virtual System and installing the policy resolves the issue.
Kernel debug ('fw ctl debug -m WS all') shows that Virtual System sends a trap to User Space, which is not processes, and that eventually DNS resolving fails:
; Date Time;[vs_X];[tid_0];[fwN_0];fw_send_kmsg: No buffer for tsid 11;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_dns_send_rad_trap: [ERROR]: fw_send_kmsg() failed;
... ... ...
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_async_create_proxy_connection: [ERROR]: rad_kernel_api_async_get_resource failed;
... ... ...
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_dns_proxy_resolve: [ERROR]: ws_async_create_proxy_connection failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_create_proxy_connection: [ERROR]: ws_dns_proxy_resolve failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_create_proxy_connection: ERROR ;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_open_proxy_connection: [ERROR]: ws_create_proxy_connection failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{session} [SID: ...] ws_http_session_client_read: [ERROR]: failed to open session;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_read_handler: [WARNING]: read request from session failed sn: 0x...;
Cause
Virtual System fails to resolve URLs because no wsdnsd process (DNS Resolver for HTTP/HTTPS Proxy in R77.30 and above) is not reachable from the context of Virtual System.
Solution
|
Note: To view this solution you need to
Sign In
.
|
