Message 1 of 10

Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Hi,

I'm running Web Gateway 7.0.2.

I have put *.rois.com in the global whitelist but I still get a "Cannot Connect" - The Proxy received an invalid response. Is there anything else I can do?

Here is the URL. It works perfectly bypassing the proxy; it just displays an image, if anybody wants to try it.

http://ri2.rois.com/pDtmn*-0EaaUvmEk4awVOd821wFIcmp47Yi*D8n-AUZSp/CTIB/RI2APICHART?RIC=ALBK.I&TIME=1...

Any help much appreciated

Dec

Accepted Solutions
Message 4 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

OK, so what we have here is a non-RFC-compliant response from the host; therefore the Web Gateway gives a 502 Bad Gateway error.

In HTTP 1.1 all headers must be ended with a carriage return and a line feed: \r\n

If you take a look at the screenshot, packet #936, the HTTP response from the host kinda looks mangled.

If you look up the RFC for the HTTP 1.1 response, you can tell they are missing the first carriage return \r on the first line, and then the Content-Type header has two line feeds \n\n.

I have tried this on Web Gateway 7.0.2.2 and it works. You may want to upgrade on a test environment before deploying to production but I am positive this will work.

on 1/14/11 7:40:02 PM CST
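
Added example (not part of the original post and not McAfee code): a small checker that walks the head of a raw HTTP response and reports every line that does not end in \r\n, which is the defect described above. The function name and both sample byte strings are constructed for illustration; they are not the bytes from the poster's capture.

```python
def audit_head(raw: bytes):
    """Check every line of a raw HTTP response head for CRLF termination.

    Returns (findings, body_offset): findings is a list of (line_no, problem);
    body_offset is the index of the first body byte, or None if the head never ends.
    """
    findings, pos, line_no = [], 0, 0
    while pos < len(raw):
        lf = raw.find(b"\n", pos)
        line_no += 1
        if lf == -1:
            findings.append((line_no, "line not terminated"))
            return findings, None
        # A compliant line ends in CR LF; a bare LF is what a strict proxy rejects.
        has_cr = lf > pos and raw[lf - 1] == 0x0D
        content = raw[pos:lf - 1] if has_cr else raw[pos:lf]
        if not has_cr:
            findings.append((line_no, "bare LF, CR missing"))
        if b"\r" in content:
            findings.append((line_no, "stray CR inside line"))
        pos = lf + 1
        if content == b"":  # empty line marks the end of the header block
            return findings, pos
    return findings, None


# Constructed samples: the first mirrors the described defect (no CR on the
# status line, Content-Type followed by two bare LFs); the second is compliant.
MALFORMED = b"HTTP/1.1 200 OK\nServer: example\r\nContent-Type: image/png\n\n\x89PNG"
COMPLIANT = b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: image/png\r\n\r\n\x89PNG"

if __name__ == "__main__":
    for name, raw in (("malformed", MALFORMED), ("compliant", COMPLIANT)):
        findings, body_at = audit_head(raw)
        print(name, findings or "all lines end in CRLF", "body at", body_at)
```

To check a real server, feed it the response bytes of the reassembled TCP stream from the packet capture rather than output from a browser or client library, which may already have normalised the line endings.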

9 Replies
Message 2 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Unfortunately I don't have time to test myself, but if you can run a tcpdump on the appliance whilst replicating, this would help determine the cause.

In the GUI at Troubleshooting > Packet tracing run with the following command line parameters:

-s 0 -i any

Please post the capture here and one of us can review it.

Make sure to tell us what IP addresses are used for the client and MWG.

Message 3 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Here is a network trace, the second trace is another example

Client IP is 192.168.143.5

MWG IP is 172.16.119.249

Thanks,

Dec

Message was edited by: dcaffrey on 13/01/11 23:24:38 GMT
Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

I have several sites that exhibit the same problem and a couple have been found to be related to non-RFC compliance. My discovery came when I tested by running a particular website through the 6.8 rev and it worked fine.

Is McAfee going to make allowances in the 7.0 rev for scenarios such as this??? The need for standards compliance is understood, but while it's nice to know our WG is up to par, it seems a little bold to think that everyone/everything on the Internet is going to follow the same model. Furthermore, it causes quite a bit of headache to have to call into support/development for these situations since there's really nothing that even the most experienced WG admin can do.

I'm running 7.0.2.2 and just had another non-rfc issue yesterday.

Steve

Message was edited by: importminded on 1/18/11 7:45:27 AM CST
Message 6 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Steve-

How do you know the issue you experienced was a non-RFC-compliant HTTP response?

The error message 'Bad Gateway - Cannot Connect to Host' is a generic HTTP response and can be caused by many issues.

If you feel that 7.0.2.2 did not resolve this particular issue please open a case with support.

Cheers-

Message 7 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Hi,

Thanks for looking at this. I also logged it with support and got the same recommendation to upgrade to 7.0.2.2; did both nodes over the weekend and so far it looks good.

Dec

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

This definitely sounds like the issue I am having; where exactly do I make these changes? I've already upgraded to 7.0.2.2 and still get the Bad Gateway messages.

I'm kinda a noob, so I need baby step instructions! Thanks!

Message 9 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Make sure your Global White list is on top of all your Rule Sets.

Also put a * after the URL in the whitelist: *.rois.com*

Message 10 of 10

Re: Cannot Connect Response even though in Global Whitelist - MWG 7.0.2

Changed whitelist to *.rois.com*, still doesn't work. Anybody any other ideas?

Thanks,

Dec
