Clients behind a Virtual System configured as Non Transparent HTTP/HTTPS Proxy are not able to connect to any site.
Traffic capture in FW Monitor (sk30583) shows that traffic from Clients passes all Inbound chains.
Kernel debug ('fw ctl debug -m fw + drop') does not show any drops related to these Clients and HTTP/HTTPS Proxy.
Disabling the HTTP/HTTPS Proxy on the involved Virtual System and installing the policy resolves the issue.
Kernel debug ('fw ctl debug -m WS all') shows that the Virtual System sends a trap to User Space, which is not processed, and that DNS resolving eventually fails:
; Date Time;[vs_X];[tid_0];[fwN_0];fw_send_kmsg: No buffer for tsid 11;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_dns_send_rad_trap: [ERROR]: fw_send_kmsg() failed;
... ... ...
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_async_create_proxy_connection: [ERROR]: rad_kernel_api_async_get_resource failed;
... ... ...
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_dns_proxy_resolve: [ERROR]: ws_async_create_proxy_connection failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_create_proxy_connection: [ERROR]: ws_dns_proxy_resolve failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_create_proxy_connection: ERROR ;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_open_proxy_connection: [ERROR]: ws_create_proxy_connection failed;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{session} [SID: ...] ws_http_session_client_read: [ERROR]: failed to open session;
; Date Time;[vs_X];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_read_handler: [WARNING]: read request from session failed sn: 0x...;
Cause
The Virtual System fails to resolve URLs because no wsdnsd process (DNS Resolver for HTTP/HTTPS Proxy in R77.30 and above) is reachable from the context of the Virtual System.
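
To check a saved 'fw ctl debug -m WS all' capture for this failure chain per Virtual System, the following added example (not Check Point code) counts the messages quoted above by VS ID. The sample input is constructed from the lines on this page; the VS IDs and the names `triage` and `affected_vs` are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the debug lines on this page:
# ;<date time>;[vs_N];[tid_N];[fwN_N];<message>;
LINE_RE = re.compile(
    r"^;\s*(?P<ts>[^;]*);\[vs_(?P<vs>\w+)\];\[tid_\w+\];\[fw\w+\];(?P<msg>.*?);?\s*$")

# Messages from the page, ordered from the failed trap to the client-visible error.
STAGES = [
    ("trap_buffer", "fw_send_kmsg: No buffer for tsid"),
    ("trap_send", "ws_connection_dns_send_rad_trap: [ERROR]: fw_send_kmsg() failed"),
    ("dns_resolve", "ws_dns_proxy_resolve: [ERROR]: ws_async_create_proxy_connection failed"),
    ("session", "ws_http_session_client_read: [ERROR]: failed to open session"),
]

def triage(lines):
    """Return {vs_id: {stage: count}} for lines that match the failure chain."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # separators such as "... ... ..." or unrelated output
        for stage, needle in STAGES:
            if needle in m.group("msg"):
                hits[m.group("vs")][stage] += 1
    return {vs: dict(counts) for vs, counts in hits.items()}

def affected_vs(lines):
    """VS IDs that show both the failed trap and the DNS resolve failure."""
    return sorted(vs for vs, c in triage(lines).items()
                  if c.get("trap_buffer") and c.get("dns_resolve"))

# Constructed sample: page placeholders kept as-is, VS IDs invented for the demo.
SAMPLE = """\
; Date Time;[vs_2];[tid_0];[fwN_0];fw_send_kmsg: No buffer for tsid 11;
; Date Time;[vs_2];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_dns_send_rad_trap: [ERROR]: fw_send_kmsg() failed;
... ... ...
; Date Time;[vs_2];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_dns_proxy_resolve: [ERROR]: ws_async_create_proxy_connection failed;
; Date Time;[vs_2];[tid_0];[fwN_0];...:{session} [SID: ...] ws_http_session_client_read: [ERROR]: failed to open session;
; Date Time;[vs_3];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_dns_proxy_resolve: [ERROR]: ws_async_create_proxy_connection failed;
; Date Time;[vs_1];[tid_0];[fwN_0];...:{connection} [SID: ...] ws_connection_read_handler: [WARNING]: read request from session failed sn: 0x...;
"""

if __name__ == "__main__":
    print(affected_vs(SAMPLE.splitlines()))
```

A Virtual System that logs the DNS resolve failure without the "No buffer for tsid" trap error is reported by `triage` but not by `affected_vs`, since the page ties this issue to the failed trap.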