rukmalf
Level 9

16000 ICAP client filter error- No ICAP server Available


Hi,

We have a DLP setup where we use a webgateway for the sole purpose of forwarding traffic to the NDLP via ICAP. The webgateway is in transparent mode. This setup had been working for some time, and recently the users complained that they get an error saying "rule engine error - 16000 ICAP client filter error- No ICAP server Available". So I added a rule to stop the ruleset when any ICAP error IDs come up.

Next, I tested using a PC and ran a tcpdump on the webgateway with the filter -npi any -s0 host 10.2.163.6 or port 1344

The test PC is 10.2.163.6, and the MWG and NDLP have the IPs 10.2.160.55 and 10.2.160.56 respectively.

Sites such as google.com and yahoo.com cannot be accessed (I get the ICAP error), but I can access pastebin.com and a few more sites. However, if I try to post something on pastebin, I get the ICAP error.

From what I see, the webgateway doesn't seem to forward any content to the NDLP.

I would appreciate it if anyone could help me figure out what is going on, since this started happening all of a sudden.

I have attached the pcap and the screenshots of the rule base.

Attachments: 1.PNG, 2.PNG, 3.PNG

Thanks in advance.

Regards

Rukmal

Message was edited by: rukmalf on 9/10/13 11:37:42 PM CDT

Accepted Solutions
rukmalf
Level 9

Re: 16000 ICAP client filter error- No ICAP server Available


Looks like the issue was due to exceeding the connection limit. Pretty strange, because the issue is still there even if only one client's traffic is forwarded to the NDLP.

Anyway, the TAC guy told me to remove the "Respect max concurrent connection limit" tick, and things seem to work after that.

Regards,

Rukmal

10 Replies
Regis
Level 12

Re: 16000 ICAP client filter error- No ICAP server Available


Are your DLP Prevents perchance also doing email inspection simultaneously?

eelsasser
Level 15

Re: 16000 ICAP client filter error- No ICAP server Available


They can, but best practice is to separate mail to a different appliance so as not to overload one or the other.

This is one case where outbound email usually takes on more load than outbound web.

eelsasser
Level 15

Re: 16000 ICAP client filter error- No ICAP server Available


...and depending on your network architecture, email may not follow the same network paths as web does, and subnets are logically isolated where the email gateway or the web gateway may not be able to route to the Prevent appliance simultaneously.

(Usually the case in larger enterprises with strict LAN segmentation.)

Regis
Level 12

Re: 16000 ICAP client filter error- No ICAP server Available


Actually, it's not only best practice right now, it's the only way it'll work.

What I'm hinting at is that DLP Prevent can't do both simultaneously due to a bug that's being worked on.

https://kc.mcafee.com/corporate/index?page=content&id=KB76303&cat=CORP_PRODUCTS&actp=LIST

Not sure if it's related to the OP's issue, but on the off chance it is...

on 9/13/13 11:18:51 AM CDT
rukmalf
Level 9

Re: 16000 ICAP client filter error- No ICAP server Available


Hi,

Nope, we don't inspect SMTP, since we were told at the start that inspecting both will result in traffic drops.

Anyway, any ideas what has gone wrong?

Regards.

Rukmal

shprot
Level 7

Re: 16000 ICAP client filter error- No ICAP server Available


Hello,

I have a similar problem, and the question is: what does MWG do with a request when the connection limit to DLP (through ICAP) is exceeded?

Will this request be forwarded, or will it be blocked with the 16000 error number?

regards,

shprot

rukmalf
Level 9

Re: 16000 ICAP client filter error- No ICAP server Available


Hi,

Seems like nothing is forwarded to the DLP (if you take a pcap you would see that), and it goes ahead and blocks the request from the error handler. The code is in the 16000 range. They further state that it would be fixed in 7.4.

In case you are more interested in continuous traffic flow rather than the DLP, the best option is to make it fail open using something like shown below.

Attachment: 4.PNG

Regards,

Rukmal

Regis
Level 12

Re: 16000 ICAP client filter error- No ICAP server Available


rukmalf wrote:

Looks like the issue was due to exceeding the connection limit. Pretty strange, because the issue is still there even if only one client's traffic is forwarded to the NDLP.

Anyway, the TAC guy told me to remove the "Respect max concurrent connection limit" tick, and things seem to work after that.

Regards,

Rukmal

For clarification's sake to other viewers of this thread, this is found on the web gateway appliance in policy, wherever you call your REQMOD method, and is in a list called ReqMod ICAP Servers or the like, right next to where you specify your icap:// URI to point to the NDLP box.

Thanks for sharing this info, rukmalf. I'll give it a whirl.

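One check worth running when MWG reports "No ICAP server available", and when deciding whether to untick the connection-limit setting discussed above, is to confirm that the NDLP actually answers on port 1344 and what limit it advertises. The following is an added example, not code from this thread or from McAfee: it sends an ICAP OPTIONS request (RFC 3507) and parses the reply, including the Max-Connections header, which is the server-advertised limit that a "respect max concurrent connection limit" setting would, by its name, make the client honour. The NDLP address and port are taken from the thread; the /reqmod service path is an assumption, so use the icap:// URI from your own ReqMod ICAP Servers list.

```python
import socket
from typing import Dict

# Placeholders: NDLP address and ICAP port from the thread; the service path
# is an assumption, use the icap:// URI configured on your MWG.
ICAP_HOST, ICAP_PORT, ICAP_SERVICE = "10.2.160.56", 1344, "/reqmod"

def build_options_request(host: str, service: str) -> bytes:
    """ICAP OPTIONS request (RFC 3507 section 4.10) for one service."""
    return (f"OPTIONS icap://{host}{service} ICAP/1.0\r\nHost: {host}\r\n"
            "User-Agent: icap-health-check/0.1\r\n"
            "Encapsulated: null-body=0\r\n\r\n").encode("ascii")

def parse_options_response(raw: bytes) -> Dict[str, object]:
    """Return status, advertised methods and Max-Connections (the server-side
    limit a 'respect connection limit' client honours; None if absent)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = head[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {head[0]!r}")
    headers: Dict[str, str] = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    max_conn = headers.get("max-connections", "")
    return {
        "status": int(parts[1]),
        "methods": [m.strip() for m in headers.get("methods", "").split(",") if m.strip()],
        "max_connections": int(max_conn) if max_conn.isdigit() else None,
    }

def check_icap_server(host: str = ICAP_HOST, port: int = ICAP_PORT,
                      service: str = ICAP_SERVICE, timeout: float = 5.0) -> Dict[str, object]:
    """Send OPTIONS to a live ICAP server and parse what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_options_request(host, service))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:  # server closed before sending a full header block
                break
            buf += chunk
    return parse_options_response(buf)

# Constructed sample OPTIONS response (not captured from a real NDLP).
SAMPLE_RESPONSE = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\n"
                   b"ISTag: \"constructed-istag-1\"\r\nMax-Connections: 20\r\n"
                   b"Options-TTL: 3600\r\nEncapsulated: null-body=0\r\n\r\n")
```

parse_options_response(SAMPLE_RESPONSE) exercises the parser offline; check_icap_server() probes the configured NDLP, and a connection refused or timeout there points at reachability rather than at the MWG rule set.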