ProxySG & Advanced Secure Gateway

Dear All

   We found problem about cannot connect webpulse service  but we tried to do following recommend from KB as below already issues still occurred

https://support.symantec.com/en_US/article.TECH245752.html

we have  checked dns resolve webpulse.es.bluecoat.com suscess but status a communication error has occurred.

we tried to test health check result is failed.

Please help to recommend for this case you can see PCAP file from attachment.

Best Regards,

Chakuttha R.

Attachment(s)

bluecoat_Oct_26_2018_15_45_38_UTC.7z   798 KB 1 version

Dear Chakuttha,

Can you renew your Proxy Appliance certificate and monitor

SG#config t
SG#(config)ssl
SG#(config ssl)request-appliance-certificate
SG#(config ssl)show ssl keyring appliance-key

Hi Chakuttha,

I need PCAP with this filter "host webpulse.es.bluecoat.com"

for PCAP  you can see from attach file  above comment it have following your requirement already.

Dear Chakutha,

Can you share PCAP with this filter "host webpulse.es.bluecoat.com".

The above PCAP i can see only DNS resolution.

Dear Golandaz,

  For pcap host webpulse.es.bluecoat.com  Please see from file attachment.

Proxy IP : 192.168.99.4

Attachment(s)

Promise-bluecoat_Oct_30_2018_16_27_32_UTC_host_webpulse.e...es_   1 KB 1 version

Dear Chakutha,

Can you investigate from Your Fortigate firewall i can see only SYN Packet for most of the Webspulse IP'S.

180.172.142.115/103.246.38.202/46.235.158.215 for this IP's there is No "ACK" Packet that need to investigate from firewall.

Also for Webpulse IP 199.116.169.242 there is "RST" Packet .

I have attach screenshot of the PCAP

BR

Aboonaim

----------

If you are satisfied with an answer, please click "Accept Solution"

Thank you for your response.

Webpulse IP 199.116.169.242 there is "RST" Packet.

Could you help to recommend what possible webpulse ip send RST packet back.

Dear Chakutha,

Mostly seem your firewall rule is doing SSL interception and secondly there is no "ACK" Packet for rest of the webpusle IP's so you need to check from fortigate team too.

Hi

 drtr.service status still check failed. we check with firewall team they not do SSL interception on Firewall and they allow destination and service any already.

or

i must open this case to Symantec Support ?

Dear Chakutha,

Can you collect PCAP on Firewall and also refer this KB. Also if you open ticket if there is no "ACK" Packet they will also inform you check from upstream device.

https://support.symantec.com/en_US/article.ALERT2594.html

Can you ping any of these IP addresses? From the ProxySG? From another computer in the same network?

The RST packets have different characteristics and seem to come from different devices, so if a firewall is the culprit it's probably not the same firewall for 54.64.46.133 and 199.116.169.242 and especially not a firewall at that location.

Dear All,

   we can resolve this issues already. we found customer have policy forward host for any traffice after we tried to disable this layer.

drtr.service status back to normal. 

Thank you everyone so much for your help and recommend.