Why is the ProxySG dropping bypassed traffic received via Policy Based Routing?

FAQ ID:    FAQ2052
Version:    2.0
Status:    Published
Published date:    04/03/2012
Updated:    09/16/2013


When packets reach the proxy via Policy Base Routing (PBR) in transparent mode, the destination IP address of the packets are that of the intended server but the destination MAC address is that of the receiving proxy. By default the ProxySG will drop these packets if it is not set to intercept the particular traffic. For example, if you have PBR sending traffic to a proxy that is configured to intercept HTTP traffic and bypass FTP traffic, by default the ProxySG will drop all FTP packets. To allow the ProxySG to simply forward this bypassed traffic on to the next hop, you must enable a feature called "IP Forwarding".

For more information on IP Forwarding and how to enable it, see KB1270.

Note: This scenario is not only true for a PBR deployment but also applies to anytime the destination IP address of the traffic is not the proxy's but the destination MAC address is the proxy's, such as with WCCP using L2 forwarding and default-gateway which are other forms of transparent proxy deployment modes.

Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question