Cisco Web Security Appliance S190 User Guide

AsyncOS 10.0 for Cisco Web Security Appliances User Guide
 
Appendix A      Troubleshooting
  Identity Services Engine Problems
If the connection is tunneled and HTTPS decryption is not enabled, this feature will not work for requests going to HTTPS sites.

According to RFC 2616, a browser may provide the option of browsing openly or anonymously, which would respectively enable/disable the inclusion of Referer and From information in the HTTP header. The WSA exceptions feature is completely dependent on the Referer header being present; if the browser suppresses it, this feature will not work.

According to RFC 2616, clients should not include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. So, any request from an HTTPS-based site to an HTTP-based site may not have the Referer header, causing this feature to not work as expected.

When a Decryption policy matches a custom category and its action is set to Drop, any incoming request for that category will be dropped, and no bypassing will be done.
Alert: Problem with Security Certificate
Typically, the root certificate information you generate or upload in the appliance is not listed as a trusted root certificate authority in client applications. By default in most web browsers, when users send HTTPS requests, they will see a warning message from the client application informing them that there is a problem with the website’s security certificate. Usually, the error message says that the website’s security certificate was not issued by a trusted certificate authority or the website was certified by an unknown authority. Some other client applications neither show this warning message to users nor allow users to accept the unrecognized certificate.
Note
Mozilla Firefox browsers: The certificate you upload must contain 
“basicConstraints=CA:TRUE” to work with Mozilla Firefox browsers. This constraint allows 
Firefox to recognize the root certificate as a trusted root authority.
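A pre-upload check for the Firefox requirement in the note above, as an added example (not part of the Cisco guide or any Cisco tooling): it looks for the basicConstraints extension in DER certificate bytes and reports whether cA is TRUE. The function names are hypothetical, the sample inputs are constructed extension encodings rather than full certificates, and the extension is located by scanning for its OID bytes rather than by a full X.509 parse.

```python
import base64
import re
# DER encoding of the basicConstraints extension OID, 2.5.29.19
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(pem_text):
    """Decode the first PEM certificate block to DER bytes, or None if absent."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    return base64.b64decode(m.group(1)) if m else None

def is_ca_certificate(der):
    """True only if basicConstraints is present and its cA field is TRUE."""
    # Heuristic (assumption): find the extension by its OID bytes, no full parse.
    idx = der.find(BASIC_CONSTRAINTS_OID)
    if idx < 0:
        return False  # extension missing entirely
    tag, value, pos = read_tlv(der, idx + len(BASIC_CONSTRAINTS_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag precedes the value
        tag, value, pos = read_tlv(der, pos)
    if tag != 0x04:  # extnValue must be an OCTET STRING
        return False
    tag, seq, _ = read_tlv(value, 0)  # BasicConstraints ::= SEQUENCE
    if tag != 0x30 or not seq:
        return False  # empty SEQUENCE: cA takes its default, FALSE
    tag, flag, _ = read_tlv(seq, 0)
    return tag == 0x01 and flag == b"\xff"

# Constructed sample inputs: bare extension encodings, not full certificates.
SAMPLES = {
    "ca_true_critical": bytes.fromhex("300f0603551d130101ff040530030101ff"),
    "ca_true": bytes.fromhex("300c0603551d13040530030101ff"),
    "ca_false": bytes.fromhex("30090603551d1304023000"),
    "no_basic_constraints": bytes.fromhex("300b0603551d0f040403020106"),
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        print(f"{name}: CA={is_ca_certificate(der)}")
```

For a real file, pass the result of `pem_to_der(open(path).read())` to `is_ca_certificate` before uploading the root certificate to the appliance.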
Identity Services Engine Problems
Tools for Troubleshooting ISE Issues
The following can be useful when troubleshooting ISE-related issues:
The ISE test utility, used to test the connection to the ISE server, provides valuable 
connection-related information. This is the Start Test option on the Identity Services Engine page; 
see 
ISE and Proxy Logs; see 
.
ISE-related CLI commands iseconfig and isedata, particularly isedata to confirm security group tag (SGT) download. See 
 for additional information.