Cisco Web Security Appliance S670 Troubleshooting Guide

504: The WSA has established a TCP connection with the web server and sent a GET request, but the WSA
never receives the HTTP response.
If the WSA sends an HTTP GET but never receives a response, it sends a 504 Gateway Timeout error to
the client.
Typical causes for this are:
• A firewall, IDS, IPS, or other packet inspection device is allowing the TCP connection, but blocking
the HTTP content from reaching the web server. In this case, the telnet test may help isolate which
kind of HTTP data is being blocked.
The firewall's block logs may quickly confirm whether, and why, the device is blocking the WSA. Sometimes a
firewall, IPS, or IDS will block traffic and NOT log it appropriately. If this is the case, the only way to prove
where the TCP RST is coming from is to obtain ingress and egress captures from the device. If a RST is being
sent out the ingress interface and no packets traveled through the egress side, the security device is definitely
the cause.
Testing connectivity with a web server using telnet
 From the WSA CLI, run the telnet command:
WSA> telnet
Please select which interface you want to telnet from.
1. Auto
2. Management (192.168.15.200/24: wsa.hostname.com)
3. P1 (192.168.113.199/24: data.com)
[1]> 3
Enter the remote hostname or IP address.
[]> www.example.com
Enter the remote port.
[25]> 80
Trying 10.3.2.99...
Connected to www.example.com.
Escape character is '^]'.
Note: The "Connected" message (in red) indicates that a TCP connection was successfully established between the
WSA and the web server.
An HTTP request can also be sent manually through this telnet session. The following is a sample request that can
be typed after the "Connected" message:
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
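Apart from the guide's manual request, the two stages of the telnet test can be scripted. The following Python sketch is an added example, not part of the Cisco guide: it separates a failed TCP connection from the 504 condition, where the connection is established but no HTTP response arrives. The names `probe` and `silent_listener` are illustrative, the listener is a constructed localhost fixture, and results are only comparable when the script runs from a host whose traffic follows the same path as the WSA's.

```python
import socket

def probe(host, port=80, path="/", timeout=5.0):
    """Return (stage, detail) for a plain-HTTP GET, mirroring the telnet test."""
    try:
        # Stage 1: the TCP handshake, i.e. telnet's "Connected" message.
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", type(exc).__name__)
    with sock:
        request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n").encode("ascii")
        try:
            # Stage 2: send the GET and wait for the first bytes of a reply.
            sock.sendall(request)
            data = sock.recv(4096)
        except socket.timeout:
            # TCP is up but nothing came back: the condition behind the 504.
            return ("no_http_response", f"no data within {timeout}s")
        except (ConnectionResetError, BrokenPipeError):
            # A RST arrived; ingress/egress captures show which device sent it.
            return ("reset_after_request", "TCP RST received")
        except OSError as exc:
            return ("io_error", type(exc).__name__)
    if not data:
        return ("closed_without_response", "peer closed before sending data")
    return ("http_response", data.split(b"\r\n", 1)[0].decode("latin-1"))

def silent_listener():
    """Constructed fixture: completes TCP handshakes on localhost, never replies."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel finishes the handshake; accept() is never called
    return srv

if __name__ == "__main__":
    srv = silent_listener()
    print(probe("127.0.0.1", srv.getsockname()[1], timeout=1.0))
    srv.close()
```

A `no_http_response` result corresponds to the 504 case described above; `tcp_failed` means the test never reached the "Connected" stage.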