ProxySG TechBrief – Basic Troubleshooting Procedures

Introduction

This document is designed to help you through basic troubleshooting procedures when attempting to access the management console for the Blue Coat ProxySG. If, after following these steps, a security administrator is not successful, then a trouble ticket can be opened with Blue Coat Technical Support to assist with problem resolution. Contact procedures are discussed at the end of this TechBrief.

Possible Network Connection Problem

If you suspect a problem with the Blue Coat ProxySG, you can test its operation and connection by using the command line interface (CLI). For example, you can use the ping and traceroute commands to test the network connection.

• From Client PC
  - Ping the Default Gateway
  - Ping interface of ProxySG
  - Ping a host name (e.g. www.yahoo.com) to test for DNS functionality
• From the ProxySG
  - Ping interface of the ProxySG
  - Ping Default Gateway
  - Ping a host name (e.g. www.yahoo.com) to test for DNS functionality

Web Interface is Not Accessible

When you use a Web browser to connect to the ProxySG's Web management port, you should see the Management Console appear as shown here.

If there is a problem browsing to the Management Console, follow these steps to help identify the problem:

1. Verify that you have typed the correct IP address and port for the ProxySG (the default port is 8082), e.g. https://xxx.xxx.x.xx:8082. Note that the Blue Coat Management Console uses HTTPS. The only way that you can verify the IP address that the appliance is using without the Web interface is to connect using the serial console (see the TechBrief "Getting Started") and display the network configuration as shown here:

    192.168.0.11 - Blue Coat SG110>enable
    Enable Password:
    192.168.0.11 - Blue Coat SG110#sh config
    interface 0 ;mode
    ip-address 192.168.0.11
    subnet-mask 255.255.255.0
    exit
    !
    bridge ; mode
    exit
    !
    ip-default-gateway 192.168.0.1 1 100
    dns clear server
    dns server 198.77.116.8
    dns clear resolving

2. Verify that your workstation is configured and working properly by connecting to other Web sites (such as www.bluecoat.com). If your browser is configured to use the ProxySG as the proxy server (explicit proxy) and there is an internal problem with the appliance, this test might fail. Verify without using the Blue Coat appliance that access to a Web site is possible.

3. If you are accessing a ProxySG located on a remote network (any segment other than the segment where your workstation is attached), verify that other servers on that network are accessible.

4. Try pinging the IP address to verify that the appliance is accessible from the workstation. If the appliance does not respond to the ping, verify that it is operational as described earlier.

Client HTML Requests Fail

When a request for a Web document fails, it indicates one of the following is occurring:

• The Web browser is not properly configured to use the ProxySG
• The ProxySG cannot access the requested document
• The ProxySG is not properly configured
• The ProxySG is not functioning

To isolate client HTML requests failing, perform the following steps:

1. If the ProxySG is used to access the Internet, and the appliance has been working properly, the most likely cause of failed requests is the route between the appliance and the Internet or intranet. Before you spend time troubleshooting the Security Appliance, verify your connection to the Internet by using the ping and traceroute commands from the CLI.

2. The ProxySG can be configured to deny access to address groups. If the appliance is configured for forwarding or filtering, verify that the requested address does not match a denied subnet and mask.

3. If your network is not configured for transparency, check the Web browser to see if it is using a PAC file for auto-configuration.
If the Web browser is configured to use a PAC file, verify that the address of the PAC file is correct, and that the file is accessible. If you are not using transparency, the Web browser must be configured for the ProxySG's IP address and port in the browser under Tools > Internet Options > Connections > LAN Settings.

4. If the correct IP address and port for the proxy server are specified in the Web browser, try pinging the IP address to verify that the ProxySG is accessible from the workstation. If it does not respond to the ping, verify that it is operational as described earlier. Also verify that you can ping other nodes on the network. If you can ping the ProxySG, try pinging the workstation from the appliance's command line interface.

5. Verify that the ProxySG's default gateway address and DNS address are correct. Try pinging each address from the CLI to verify that the servers are running. Be sure to ping the gateway and DNS server from the same network segment where the appliance is connected.

6. If the default gateway is accessible, the problem most likely lies outside the local network. To verify that the problem is not associated with the ProxySG, you must configure your workstation for the same gateway address as the appliance, and configure the Web browser not to use a proxy server for HTTP requests.

Initiating a Service Request

If the above procedures still do not solve the problem, then a Service Request with Blue Coat Technical Support can be initiated. The following information is required for all issues sent to Blue Coat Technical Support.

1. Contact Information
   a. Company name
   b. Name
   c. Phone number
   d. Email address
2. Serial Number
3. Model
4. Issue
5. Date and time(s) of issue
6. History of issue

http://x.x.x.x:8082/SYSInfo

Primary Information Sources

SYSInfo: https://x.x.x.x:8082/SYSInfo
This file is a verbose listing of statistics from most of the SW and HW systems. This file is required for all Support issues.
Most of the statistics in this file are reset after a reboot.

Event Log: https://x.x.x.x:8082/Eventlog/statistics
This file contains messages generated by SW or HW events encountered by the device. This file remains after a reboot. A disk re-init can clear this file.

PCAP: https://x.x.x.x:8082/PCAP/Statistics (start, stop, download)
The Blue Coat has an onboard packet capture utility known as PCAP. The CLI can be used to create filters for this.

Access Logs:
Access logs allow for analysis of Quality of Service, content retrieved, and other troubleshooting. This file remains after a reboot. A disk re-init can clear this file. It is recommended that "squid-log" format be used. The Access Logs are configured in the GUI under Management > Access Logs.

Core Image: http://x.x.x.x:8081/CM/Core_image

Copyright ©2003 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners.

Contact Blue Coat Systems • 1.866.30BCOAT • 408.220.2200 Direct • 408.220.2250 Fax • www.bluecoat.com
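
Added example (not part of the original TechBrief and not Blue Coat code): for step 5 of "Client HTML Requests Fail", this script parses the serial-console configuration shown under "Web Interface is Not Accessible" and checks that the default gateway lies on the interface's subnet, and which DNS servers can only be reached through that gateway. The function names and the single-interface assumption are illustrative.

```python
import ipaddress

# Serial-console output as printed in this TechBrief (line breaks reconstructed).
SAMPLE_CONFIG = """\
interface 0 ;mode
ip-address 192.168.0.11
subnet-mask 255.255.255.0
exit
!
ip-default-gateway 192.168.0.1 1 100
dns clear server
dns server 198.77.116.8
dns clear resolving
"""

def parse_config(text):
    """Extract addressing fields; assumes a single configured interface."""
    fields = {"ip": None, "mask": None, "gateways": [], "dns": []}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and tok[0] == "ip-address":
            fields["ip"] = tok[1]
        elif len(tok) >= 2 and tok[0] == "subnet-mask":
            fields["mask"] = tok[1]
        elif len(tok) >= 2 and tok[0] == "ip-default-gateway":
            fields["gateways"].append(tok[1])  # trailing numbers are ignored
        elif len(tok) >= 3 and tok[:2] == ["dns", "server"]:
            fields["dns"].append(tok[2])
    return fields

def check_config(fields):
    """Return addressing errors plus the DNS servers that depend on the gateway."""
    if not fields["ip"] or not fields["mask"]:
        return {"errors": ["no ip-address/subnet-mask found"], "off_link_dns": []}
    net = ipaddress.ip_interface(f"{fields['ip']}/{fields['mask']}").network
    errors = []
    if not fields["gateways"]:
        errors.append("no ip-default-gateway configured")
    for gw in fields["gateways"]:
        if ipaddress.ip_address(gw) not in net:
            errors.append(f"gateway {gw} is outside {net}")
        elif gw == fields["ip"]:
            errors.append(f"gateway {gw} is the appliance's own address")
    if not fields["dns"]:
        errors.append("no dns server configured")
    # A DNS server outside the local subnet is only reachable through the
    # gateway, so a failed DNS ping may really be a gateway problem.
    off_link = [d for d in fields["dns"] if ipaddress.ip_address(d) not in net]
    return {"errors": errors, "off_link_dns": off_link}

if __name__ == "__main__":
    print(check_config(parse_config(SAMPLE_CONFIG)))
```

For the configuration in this TechBrief the DNS server is off-link, so ping the default gateway first and treat a DNS ping failure as inconclusive until the gateway responds.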