Cisco Web Security Appliance S670 Troubleshooting Guide

504: The WSA is receiving a TCP reset (RST) that terminates its connection to the web server.
If the WSA receives a TCP reset packet on its upstream connection to the web server, the WSA sends a
504 Gateway Timeout error to the client.
Typical causes are:
1. The Cisco Layer 4 Traffic Monitor (L4TM) is blocking the WSA proxy from connecting to the web server.
2. A firewall, IDS, IPS, or other packet inspection device is blocking the WSA.
Troubleshooting steps:
First determine whether the TCP RST is coming from the L4TM or from another device.
If the L4TM is blocking the traffic, the block will show up in the GUI reports under "Monitor −> L4 Traffic
Monitor". Otherwise, the RST is coming from a different device.
L4TM Blocking:
If the L4TM is blocking, it is recommended not to block on ports that the WSA proxy is also listening on.
There are multiple reasons for this:
1. The WSA proxy returns a friendly error page when it blocks a request, instead of simply resetting the TCP
connection. This limits confusion for end users when they are blocked.
2. The WSA proxy can scan and block specific content, whereas the L4TM blocks all traffic matching a
blacklisted IP address, regardless of content.
To configure the L4TM not to block on the proxy ports, go to "GUI −> Security Services −> L4 Traffic
Monitor".
If the site is a known bad web site but there are reasons why the traffic should be allowed, the site can be
added to the allow list in:
"GUI −> Web Security Manager −> L4 Traffic Monitor −> Allow List"
Firewall / IDS / IPS Blocking:
If another device on the network is blocking the WSA from connecting to the web server, it is
recommended to analyze the following:
1. Firewall block logs
2. Ingress / egress packet captures taken on that device during the problem
The block logs may quickly confirm whether the device is blocking the WSA. Sometimes a firewall, IPS, or IDS
blocks traffic without logging it. In that case, the only way to prove where the TCP RST comes from is to
obtain ingress and egress captures from the device. If the RST is sent out the ingress interface (toward the
WSA) and no corresponding packet from the web server crossed the egress side, the security device is
definitely the cause.
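The following is an added example of the ingress/egress correlation described above; it is not part of the Cisco guide. It assumes the two captures were taken on the inspecting device with `tcpdump -nn -v` (one per interface) and saved as text, and it uses constructed sample lines with documentation addresses, ports and sequence numbers. For each RST seen on the ingress side heading back to the WSA, it checks whether the web server ever sent that RST across the egress side; if nothing from the server crossed egress, the device itself generated the reset. It also reports the RST's TTL next to the TTL of any genuine server packets, since a device-generated RST often carries a different TTL than the real server's traffic.

```python
"""Correlate ingress and egress tcpdump captures from an inline security
device to decide whether a TCP RST was forwarded from the web server or
injected by the device. Added example; not Cisco's code."""
import re
from collections import defaultdict

# Constructed sample 'tcpdump -nn -v' output (not real captures). The WSA is
# 10.10.1.5; the ingress interface faces the WSA, the egress faces the Internet.
# Suggested capture commands (run on the inspecting device, one per interface):
#   tcpdump -nn -v -i <ingress_if> host <wsa_ip>   > ingress.txt
#   tcpdump -nn -v -i <egress_if>  host <wsa_ip>   > egress.txt
INGRESS_CAPTURE = """\
10:01:00.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.10.1.5.40000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
10:01:00.000800 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto TCP (6), length 40) 203.0.113.10.80 > 10.10.1.5.40000: Flags [R.], seq 0, ack 1001, win 0, length 0
10:02:00.000100 IP (tos 0x0, ttl 64, id 3, offset 0, flags [DF], proto TCP (6), length 60) 10.10.1.5.40001 > 198.51.100.7.443: Flags [S], seq 5000, win 64240, length 0
10:02:00.030000 IP (tos 0x0, ttl 51, id 4, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.7.443 > 10.10.1.5.40001: Flags [S.], seq 9000, ack 5001, win 65535, length 0
10:02:00.031000 IP (tos 0x0, ttl 51, id 5, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.7.443 > 10.10.1.5.40001: Flags [R.], seq 9001, ack 5001, win 0, length 0
"""
EGRESS_CAPTURE = """\
10:01:00.000300 IP (tos 0x0, ttl 63, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.10.1.5.40000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
10:02:00.000300 IP (tos 0x0, ttl 63, id 3, offset 0, flags [DF], proto TCP (6), length 60) 10.10.1.5.40001 > 198.51.100.7.443: Flags [S], seq 5000, win 64240, length 0
10:02:00.029000 IP (tos 0x0, ttl 52, id 4, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.7.443 > 10.10.1.5.40001: Flags [S.], seq 9000, ack 5001, win 65535, length 0
10:02:00.030500 IP (tos 0x0, ttl 52, id 5, offset 0, flags [none], proto TCP (6), length 40) 198.51.100.7.443 > 10.10.1.5.40001: Flags [R.], seq 9001, ack 5001, win 0, length 0
"""

# Fields of a 'tcpdump -nn -v' line that matter here: time, TTL, 4-tuple, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump text output into a list of packet dicts; skips non-packet lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. 'listening on eth0 ...' banner lines
        p = m.groupdict()
        for field in ("ttl", "sport", "dport"):
            p[field] = int(p[field])
        packets.append(p)
    return packets


def flow_key(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def find_injected_rsts(ingress_text, egress_text, proxy_ip):
    """For every RST on ingress addressed to the proxy, decide whether the web
    server really sent it (seen on egress) or the inspecting device injected it."""
    egress_by_flow = defaultdict(list)
    for p in parse_capture(egress_text):
        egress_by_flow[flow_key(p)].append(p)

    verdicts = []
    for p in parse_capture(ingress_text):
        if "R" not in p["flags"] or p["dst"] != proxy_ip:
            continue  # only resets travelling back toward the WSA
        server_pkts = egress_by_flow.get(flow_key(p), [])
        server_sent_rst = any("R" in q["flags"] for q in server_pkts)
        verdicts.append({
            "time": p["ts"],
            "server": p["src"],
            "client_port": p["dport"],
            # "forwarded": the same server->proxy RST crossed egress, so the
            # server is the origin. "injected": it never did; with zero server
            # packets on egress at all, the device is definitely the cause.
            "verdict": "forwarded" if server_sent_rst else "injected",
            "server_packets_on_egress": len(server_pkts),
            "rst_ttl": p["ttl"],
            "server_ttl_on_egress": server_pkts[0]["ttl"] if server_pkts else None,
        })
    return verdicts


if __name__ == "__main__":
    for v in find_injected_rsts(INGRESS_CAPTURE, EGRESS_CAPTURE, "10.10.1.5"):
        print(v)
```

Run against the constructed captures, the first flow (to 203.0.113.10) is reported as `injected` with no server packets on egress, which is the clear-cut case the guide describes; the second flow (to 198.51.100.7) is `forwarded`, because the same RST appears on egress with the server's TTL one hop higher, as expected for a routed device. A real capture should be taken with the WSA's address as the filter on both interfaces so that the egress side records whether the server answered at all.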