Solutions

What to expect from Blue Coat Triage when having ProxySG issues with a particular website

Solutions ID:    KB4354
Version:    8.0
Status:    Published
Published date:    03/18/2014
Updated:    03/19/2014
 

Problem Description

My web site does not respond when going through the proxy
My web site does not work when going through the proxy
My web site intermittently works or exhibits unusual behaviour
My web site is sometimes blocked.  Why?
Media does not respond or is slow
The proxy's cache is serving old objects
I am not sure if I am having authentication issues
 

Resolution


 

Caution

The content of this KB article is meant to help troubleshoot URL issues, but is by no means to be considered as a fix or a permanent solution. In addition, we may require policy traces and Packet Captures to help determine the root cause of a problem. This technique disables features, and should only be considered if the data gathered doesn't allow the problem to be clearly identified.

Anyone using this technique should strongly follow these guidelines

  • The source IP address should be limited to the workstation doing the testing

  • The destination of ALL rules should be limited to the problematic URL

  • If adding all the rules helped workaround the issue, rules should then be disabled (commented out) one by one so that only the necessary rule(s) are left in place. Leaving too many rules active might turn off functionality required by other rules in the policy


 

When troubleshooting site slowness, the key is to find out what specific piece of the proxy's services may be causing issues with your particular site.  To assist in troubleshooting, below is some sample CPL code that can be used to disable many features and services.  (If you are unsure how to add CPL to your ProxySG, please see KB3495.)  Please identify a single workstation in which you can use for testing purposes.  Make sure the problem exists on that test workstation prior to using the CPL code below.


;======= tracing Disable conditions ==== Begin ==
; Disclaimer: Some of these options will disable authentication and virus scanning. Make sure this is only applies to one machine to minimize the risk.

<ssl-intercept> ; Policy trace for SSL interception transactions

Condition=TestIP trace.destination(function_disabled_ssl) trace.request(yes) trace.rules(all)

<proxy> ; Policy trace for  Web Access transactions
Condition=TestIP trace.destination(function_disabled_access) trace.request(yes) trace.rules(all)

<proxy>
Condition=TestIP http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) authenticate(no)   detect_protocol(none) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup (ipv4-only)

 <cache>
Condition=TestIP pipeline(no) cache(no) request.icap_service( no )  response.icap_service( no )

<SSL>
condition=TestIP client.certificate.validate(no) server.certificate.validate(no)

<ssl-intercept>
Condition=TestIP ssl.forward_proxy(no)

<Forward>
Condition=TestIP server_url.dns_lookup (ipv4-only)

define condition TestIP
; put the testing machine IP instead of <ip.address.of.test_workstation>
client.address=<ip.address.of.test_workstation>
end

;== Global features from the CLI  == To use only with help of Bluecoat support engineer. This might affect the overall performance of the proxy.
;#(config)tcp-ip rfc-1323 disable    ; This disables RFC 1323.  Please see FAQ1006 or KB3754 for additional details.
; detect_protocol(none) should do the following three commands and more
;#(config)streaming quicktime http-handoff disable
;#(config)streaming real-media http-handoff disable
;#(config)streaming windows-media http-handoff disable
;== purging
;#(config ssl)clear-certificate-cache
;#clear-cache dns-cache    ;  See KB1653 for additional details.
; Use url.domain and request.header.Referer.url.domain to tighten the security at the end
;======= tracing Disable conditions ==== End =====


FAQ:

Q1:  Will this affect all my infrastructure?
A1:  No, This will oly affect the traffic for the test machine (referred to as <ip.address.of.test_workstation>). Global options are commented out by default.

Q2:  Will this stop Authentication and virus scanning?
A2:  Yes, this has security implication but this test is temporary and affects only one machine.

Q3:  Can I do this on production environment?
A3:  Yes, it does not affect the overall performance of the proxy and does not lock admin accounts.

Q4:  What exactly will this code do?
A4:  This is a temporary test to isolate the problem. It disables features that could affect the flow of traffic like authentication, http persistance, pipelining, and so forth.  For more details please search for the code in the equivalent CPL guide.

Q5:  How will this solve my problem?
A5:  This temporary test's objective is to isolate the problem. It may or may not solve the issue but it will help you in defining the problem domain.

Q6:  I do not want this to apply to all sites I go to.  Can we do this?
A6:  Yes.  Once the troubleshooting has completed and the issue has been isolated, then CPL code that will affect only the few sites can be implemented.

Q7:  Are we sure the code is effective?
A7:  It depends.  We need to make sure by looking at the policy traces that it overrides VPM policy decision.  If the VPM runs after the Local policy then the code might not be as effective as it should.
 


If the sample CPL code solves the issue then start re-enabling some of the disabled features to try and narrow down the issue. For example, instead of:

<proxy>
Condition=TestIP http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) authenticate(no)   detect_protocol(none) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup (ipv4-only)

Comment part of the code so it looks like this:

<proxy>
Condition=TestIP http.client.persistence(no) http.server.persistence(no) bypass_cache(yes) authenticate(no)  
; detect_protocol(none) http.request.version(1.0) http.response.version(1.0) server_url.dns_lookup (ipv4-only)


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question