Cisco Cisco Web Security Appliance S190 Mode D'Emploi
A-7
AsyncOS 8.8 for Cisco Web Security Appliances User Guide
Appendix A Troubleshooting
Identity Services Engine Problems
Step 2
Create a Decryption Policy that uses the custom URL category created in
Step 1
as part of its
membership, and set the action for the custom URL category to Pass Through.
Alert: Problem with Security Certificate
Typically, the root certificate information you generate or upload in the appliance is not listed as a trusted
root certificate authority in client applications. By default in most web browsers, when users send
HTTPS requests, they will see a warning message from the client application informing them that there
is a problem with the website’s security certificate. Usually, the error message says that the website’s
security certificate was not issued by a trusted certificate authority or the website was certified by an
unknown authority. Some other client applications do not show this warning message to users nor allow
users to accept the unrecognized certificate.
root certificate authority in client applications. By default in most web browsers, when users send
HTTPS requests, they will see a warning message from the client application informing them that there
is a problem with the website’s security certificate. Usually, the error message says that the website’s
security certificate was not issued by a trusted certificate authority or the website was certified by an
unknown authority. Some other client applications do not show this warning message to users nor allow
users to accept the unrecognized certificate.
Note
Mozilla Firefox browsers: The certificate you upload must contain
“basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows
Firefox to recognize the root certificate as a trusted root authority.
“basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows
Firefox to recognize the root certificate as a trusted root authority.
Identity Services Engine Problems
•
•
•
Tools for Troubleshooting ISE Issues
The following can be useful when troubleshooting ISE-related issues:
•
The ISE test utility, used to test the connection to the ISE server, provides valuable
connection-related information. This is the Start Test option on the Identity Services Engine page;
see
connection-related information. This is the Start Test option on the Identity Services Engine page;
see
.
•
ISE and Proxy Logs; see
.
•
ISE-related CLI commands
iseconfig
and
isedata
, particularly
isedata
to confirm security group
tag (SGT) download. See
for additional information.
•
The Web Tracking and Policy Trace functions can be used to debug policy match issues; for
example, a user that should be allowed is blocked, and vice versa. See
example, a user that should be allowed is blocked, and vice versa. See
for additional information.
•
•
For checking certificate status, you can use the
openssl
Online Certificate Status Protocol (
ocsp
)
utility, available from