Cisco Web Security Appliance S670 Troubleshooting Guide

Question:
Why does Internet access or access to certain websites fail with Error: Notification codes:
NO_MORE_FORWARDS?
Symptoms: Notification codes: NO_MORE_FORWARDS when trying to browse via the proxy
Environment: Cisco Web Security Appliance (WSA)
The "NO_MORE_FORWARDS" error message indicates that a forwarding loop exists and the proxy is refusing to
forward the request any further. This is typically a loop between the WSA appliance and a firewall / layer 4
switch.
Example:
Client <-> Switch <-> Firewall <-> Internet
                        |
                      WSA
In this scenario, the firewall has been configured to redirect all traffic destined for an outside network on port
80 to the WSA. This is a popular transparent style of proxy deployment.
The firewall has not been set up with an exception rule to send traffic originating from the WSA to the
outside.
As a result, everything the WSA sends is redirected back to the WSA itself. After multiple attempts, the socket
is closed and this error message is sent back to the client.
To resolve this, you need to create an access list on the ASA (or router / switch if it is acting as the WCCP
router) that denies the IP address of the WSA appliance from WCCP redirection, but permits redirection of all
other traffic. This access list can be applied to the wccp web-cache statement.
Example:
access-list wccp_redirect extended deny ip host <WSA_IP_address> any
access-list wccp_redirect extended permit ip any any
!
wccp <service-ID> redirect-list wccp_redirect
!
wccp interface <Interface-name> <service-ID> redirect in
!
wr mem
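The following is an added example, not part of the original Cisco document: a Python check that reads a saved ASA configuration and reports, per WCCP service, whether traffic sourced by the WSA is excluded from redirection or would loop. The address 192.0.2.10, the interface name "inside" and the sample configs are constructed; the parser assumes access-list sources are written as "any", "host <ip>" or "<address> <netmask>".

```python
import ipaddress
import re

ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+\S+\s+(.*)$")
WCCP = re.compile(r"^wccp\s+(?!interface\b)(\S+)(?:.*?\bredirect-list\s+(\S+))?")

# Constructed sample configs; 192.0.2.10 stands in for the WSA address.
FIXED_CONFIG = """\
access-list wccp_redirect extended deny ip host 192.0.2.10 any
access-list wccp_redirect extended permit ip any any
wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in
"""
LOOPING_CONFIG = """\
access-list wccp_redirect extended permit ip any any
wccp web-cache redirect-list wccp_redirect
wccp interface inside web-cache redirect in
"""

def _source_net(rest):
    """Source network of an entry, given the text that follows the protocol."""
    tok = rest.split()
    if tok[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32")
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)  # address + netmask

def check_wccp_exclusion(config, wsa_ip):
    """Return {service: 'excluded' | 'loop'} for traffic sourced by the WSA."""
    wsa = ipaddress.ip_address(wsa_ip)
    acls, services = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := ACE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), _source_net(m.group(3))))
        elif m := WCCP.match(line):
            services[m.group(1)] = m.group(2)
    result = {}
    for svc, acl in services.items():
        if acl is None:  # no redirect-list: WSA traffic is redirected too
            result[svc] = "loop"
            continue
        # First matching entry wins; no match falls to the implicit deny (not redirected).
        action = next((a for a, net in acls.get(acl, []) if wsa in net), "deny")
        result[svc] = "excluded" if action == "deny" else "loop"
    return result

if __name__ == "__main__":
    for name, cfg in (("fixed", FIXED_CONFIG), ("looping", LOOPING_CONFIG)):
        print(name, check_wccp_exclusion(cfg, "192.0.2.10"))
```

A "loop" result also covers the case where the deny entry exists but sits after "permit ip any any", since access-list entries are evaluated in order.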
Updated: Aug 12, 2014
Document ID: 118269