Proxy TechBrief – Basic Troubleshooting Procedures SG

ProxySG TechBrief – Basic Troubleshooting Procedures
Introduction
This document is designed to help you through basic troubleshooting procedures when
attempting to access the management console for the Blue Coat ProxySG. If, after following
these steps, a security administrator is not successful, then a trouble ticket can be opened with
Blue Coat Technical Support to assist with problem resolution. Contact procedures are discussed
at the end of this TechBrief.
Possible Network Connection Problem
If you suspect a problem with the Blue Coat ProxySG, you can test its operation and connection
by using the command line interface (CLI). For example, you can use the ping and traceroute
commands to test the network connection.
•
From Client PC
-Ping the Default Gateway
-Ping interface of ProxySG
-Ping a host name (i.e. www.yahoo.com <http://www.yahoo.com>) to test for DNS
functionality
•
From the ProxySG
-Ping interface of the ProxySG
-Ping Default Gateway
-Ping a host name (i.e. www.yahoo.com <http://www.yahoo.com>) to test for DNS
functionality
Web Interface is Not Accessible
When you use a Web browser to connect to the ProxySG’s Web management
port, you should see the Management Console appear as shown here.
1
Technical Brief
If there is a problem browsing to the
Management Console, follow these steps to help identify the problem:
1. Verify that you have typed the correct IP address and port (the default port is 8082) i.e.
https://xxx.xxx.x.xx:8082 (NOTICE, the Blue Coat Management Console uses HTTPS)
on the ProxySG. The only way that you can verify the IP address that the appliance is
using without the Web interface is to connect using the serial console (see the
TechBrief “Getting Started” ) and display the network configuration as shown here:
192.168.0.11 - Blue Coat SG110>enable
Enable Password:
192.168.0.11 - Blue Coat SG110#sh config
interface 0 ;mode
ip-address 192.168.0.11
subnet-mask 255.255.255.0
exit
!
bridge ; mode
exit
!
ip-default-gateway 192.168.0.1 1 100
dns clear server
dns server 198.77.116.8
dns clear resolving
2. Verify that your workstation is configured and working properly by connecting to
other Web sites (such as www.bluecoat.com ). If your browser is configured to use the
ProxySG as the proxy server (explicit proxy) and there is an internal problem with the
appliance, this test might fail. Verify without using the Blue Coat appliance that access
to a Web site is possible.
3. If you are accessing a ProxySG located on a remote network (any segment
other than the segment where your workstation is attached),verify that other servers
on that network are accessible.
4. Try Pinging the IP address to verify that the appliance is accessible from the
workstation. If the appliance does not respond to the ping, verify that it is
operational as described earlier.
Client HTML Requests Fail
When a request for a Web document fails, it indicates one of the following is occurring:
•
•
•
•
The Web browser is not properly configured to use the ProxySG
The ProxySG cannot access the requested document
The ProxySG is not properly configured
The ProxySG is not functioning
To isolate client HTML requests failing, perform the following steps:
1. If the ProxySG is used to access the Internet, and the appliance has
been working properly, the most likely cause of failed requests is the route between
the appliance and the Internet or intranet. Before you spend time troubleshooting the
Security Appliance, verify that your connection to the Internet by using the ping and
traceroute commands from the CLI.
2
Technical Brief
2. The ProxySG can be configured to deny access to address groups. If the
appliance is configured for forwarding or filtering, verify that the requested
address does not match a denied subnet and mask.
3. If your network is not configured for transparency, check the Web browser to see if it
is using a PAC file for auto-configuration. If the Web browser is configured to use a
PAC file, verify that the address of the PAC file is correct, and that the file is
accessible.
If you are not using transparency, the Web browser must be configured for the
ProxySG’s IP address and port under on the browser under Tools
Internet OptionsConnections
LAN Settings
4. If the correct IP address and port for the proxy server is specified in the Web browser,
try pinging the IP address to verify that the ProxySG is accessible from the workstation.
If it does not respond to the ping, verify that it is operational as described earlier. Also
verify that you can ping other nodes on the network. If you can ping the ProxySG, try
pinging the workstation from the appliance’s command line interface.
5. Verify that the ProxySG ’s default gateway address and DNS address is correct, try
pinging each address from the CLI to verify that the servers are running. Be sure to
ping the gateway and DNS server from the same network segment where the
appliance is connected.
6. If the default gateway is accessible, the problem most likely lies outside the local
network. To verify that the problem is not associated with the ProxySG, you
must configure your workstation for the same gateway address as the appliance, and
configure the Web browser not to use a proxy server for HTTP requests.
Initiating a Service Request
If the above procedures still do not solve the problem, then a Service Request with Blue Coat
Technical Support can be initiated.
The following information is required for all issues sent to Blue Coat Technical Support.
1. Contact Information
a. Company name
b. Name
c. Phone number
d. Email address
2.
3.
4.
5.
6.
Serial Number Model Issue Date and time(s) of issue History of issue http://x.x.x.x:8082/SYSInfo
Primary Information Sources
SYSInfo: https://x.x.x.x:8082/SYSInfo
This file is a verbose listing of statistics from most of the SW and HW systems. This file is
required for all Support issues. Most of the statistics in this file are reset after a reboot.
3
Technical Brief
Event Log: https://x.x.x.x:8082/Eventlog/statistics
This file contains messages generated by SW or HW events encountered by the device. This file
remains after a reboot. A disk re-init can clear this file.
PCAP: https://x.x.x.x:8082/PCAP/Statistics (start, stop, download)
The Blue Coat has an onboard packet capture utility known as PCAP. The CLI can be used to
create filters for this.
Access Logs: Access logs allow for analysis of Quality of Service, content retrieved, and other
troubleshooting. This
file remains after a reboot. A disk re-init can clear this file. It is recommended that “squid-log”
format be used. The Access Logs are configured under the GUI interface…
Management- Access Logs
Core Image: http://x.x.x.x:8081/CM/Core_image
Copyright ©2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to
any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information
contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is
a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their
respective owners.
Contact Blue Coat Systems • 1.866.30BCOAT • 408.220.2200 Direct • 408.220.2250 Fax • www.bluecoat.com
4
Technical Brief