Cisco Web Security Appliance S670 Troubleshooting Guide

502 / 504 GATEWAY_TIMEOUT errors when browsing to certain sites
Document ID: 118079
Contributed by Vladimir Sousa and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 25, 2014
Question:
Why do we see 502 / 504 GATEWAY_TIMEOUT errors when browsing to certain sites?
Symptoms: Users are receiving 502 or 504 gateway timeout errors from the Cisco WSA when browsing to certain websites.
The access logs show either 'NONE/504' or 'NONE/502'.
Sample Access log line:
1233658928.496 153185 10.10.70.50 NONE/504 1729 GET http://www.example.com/ - DIRECT/www.example.com - .......
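To see which destinations and clients are affected, the access log can be filtered for these two result codes. The following is an added example, not part of the original Cisco document: it parses lines in the layout of the sample above and groups NONE/502 and NONE/504 entries by destination host. The log lines other than the first are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Leading fields as in the sample line: epoch time, elapsed ms, client IP,
# result code/HTTP status, bytes, method, URL. Later fields are ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)

# Constructed sample input (first line follows the page's sample, rest invented).
SAMPLE = """\
1233658928.496 153185 10.10.70.50 NONE/504 1729 GET http://www.example.com/ - DIRECT/www.example.com -
1233658930.101 97 10.10.70.51 TCP_MISS/200 8187 GET http://www.example.org/ - DIRECT/www.example.org text/html
1233658990.742 75012 10.10.70.52 NONE/502 1612 GET http://www.example.net/a - DIRECT/www.example.net -
1233659100.018 60003 10.10.70.51 NONE/504 1729 GET http://www.example.com/b - DIRECT/www.example.com -
""".splitlines()

def gateway_errors(lines):
    """Yield parsed records whose result field is NONE/502 or NONE/504."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank, comment or truncated lines
        if m["result"] == "NONE" and m["status"] in ("502", "504"):
            rec = m.groupdict()
            rec["elapsed_ms"] = int(rec["elapsed_ms"])
            # Fall back to the text before the first ':' if there is no //host part.
            rec["host"] = urlsplit(rec["url"]).hostname or rec["url"].split(":")[0]
            yield rec

def summarize(lines):
    """Group gateway errors by (destination host, status)."""
    out = defaultdict(lambda: {"count": 0, "clients": set(), "max_elapsed_ms": 0})
    for rec in gateway_errors(lines):
        entry = out[(rec["host"], rec["status"])]
        entry["count"] += 1
        entry["clients"].add(rec["client"])
        entry["max_elapsed_ms"] = max(entry["max_elapsed_ms"], rec["elapsed_ms"])
    return dict(out)

if __name__ == "__main__":
    for (host, status), e in sorted(summarize(SAMPLE).items()):
        print(host, status, e["count"], sorted(e["clients"]), e["max_elapsed_ms"])
```

A destination that fails for several clients points toward the server side or the path to it; the elapsed time shows how long the WSA waited before returning the error.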
There are many reasons why the WSA may return a 502 or 504 gateway timeout error. Although these error
responses are similar, it's important to understand the subtle differences between them.
Here are a few examples of the types of scenarios that may occur:
• 502: The WSA has attempted to establish a TCP connection with the web server, but has not received a SYN/ACK.
• 504: The WSA is receiving a TCP reset (RST) terminating the connection with the web server.
• 504: The WSA is not getting a response from a required service prior to communicating with the web server, such as when DNS is failing.
• 504: The WSA has established a TCP connection with the web server and sent a GET request, but the WSA never receives the HTTP response.
Below are examples of each scenario and more details regarding potential issues:
502: The WSA has attempted to establish a TCP connection with the web server, but has not received a SYN/ACK.