ronaksf
Level 7

Web Gateway ICAP Bad response 400 error (7.3.1)


Has anyone integrated Web Gateway 7.3.1 with a DLP product?

We have configured the Web Gateway to communicate via ICAP with the (2) Two Symantec DLP Web Prevent.

The situation seems to be that McAfee does not like the "400" error that is being sent back to it from Symantec DLP.

[2013-10-21 12:11:15.390 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.424 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.530 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.566 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.667 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.706 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:15.737 -05:00] [ ERRORS LOG FLOOD - START    ] 6 times within the last 937ms [4B14F37416E598D3][>>> [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400' <<<]

[2013-10-21 12:11:17.581 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:17.777 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

[2013-10-21 12:11:17.778 -05:00] [ ERRORS LOG FLOOD - RELEASED ] 3 times within the last 252ms

As a result it looks like McAfee does not like all of the errors and eventually stops talking to one of the DLP servers.

In addition it looks like "400" is a VALID response for ICAP..

Based on RFC compliance, 400 is a valid response code for ICAP (http://tools.ietf.org/html/rfc3507#section-4.3.3) for a bad request.

This is how the Symantec DLP server is configured.. (We have set the Connection Numbers high, because there is no place to configure this on the Web Gateway.)

Untitled.png

Here is also the output from the DLP Servers..

sec-pals01% telnet dlpXXXXX-XXXX.XX.XXXsrv.com 1344

Trying 10.2.XXx.XXX...

Connected to dlpXXXXX-XXXX.XX.XXXsrv.com.

Escape character is '^]'.

OPTIONS icap://127.0.0.1:1344/reqmod

ICAP/1.0 400 Bad request

Connection: close

Connection to dlpXXXXX-XXXX.XX.XXXsrv.com closed by foreign host.

sec-pals01% telnet dlpXXXXX-XXXX.XX.XXXsrv.com 1344

Trying 10.2.XXx.XXX...

Connected to dlpXXXXX-XXXX.XX.XXXsrv.com.

Escape character is '^]'.

OPTIONS icap://10.2.xxx.xxx:1344/reqmod

ICAP/1.0 400 Bad request

Connection: close

Connection to dlpXXXXX-XXXX.XX.XXXsrv.com closed by foreign host.

Anyone know what is causing this?

0 Kudos
1 Solution

Accepted Solutions
eelsasser
Level 15

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


Yes. You absolutely have to send /REQMOD

Capture.png

0 Kudos
6 Replies
btlyric
Level 12

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


We've been using MWG with McAfee's DLP Prevent devices for a while now.

400 is a valid response code. One that says: I don't understand what you sent me.

It is unsurprising that MWG doesn't like the repeated 400 response code -- after all, if you try to talk to someone and all they say back to you is "I don't understand," you're eventually going to stop trying to talk to them.

There are a few possibilities that I can think of just offhand:

1) MWG is sending a malformed request to the Symantec DLP system

2) The Symantec DLP system isn't properly handling a correctly formed request from MWG

3) Some combination of the two

4) Something I haven't thought of

Since it's the Symantec device that's throwing the Bad Request error, they may be your best bet for initial contact -- they should be able to tell you why their DLP device is rejecting the REQMOD.

0 Kudos
eelsasser
Level 15

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


Try your telnet test again, but this time use the line:

OPTIONS icap://10.X.X.X:1344/REQMOD ICAP/1.0

The real server IP address should be there (I think) instead of 127.0.0.1, and I believe the REQMOD is case sensitive on the Symantec.

Message was edited by: eelsasser on 11/9/13 12:23:17 PM EST
0 Kudos
ronaksf
Level 7

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


Thanks for the replies..

Though from the Symantec Side.. which is where I started diagnosing the issue has errors, that McAfee is not sending all of the right info.

Note, additional information when reviewing the logs, we found that the ICAP request did not contain the reqmod or respmod details - here's an example:

Oct 29,2013 3:56:54 PM com.vontu.icap.IcapConnection readIcapHeaders
FINER: ICAP-rhdr: REQMOD icap://10.1.179.174:1344 ICAP/1.0

Oct 29, 2013 3:56:54 PM com.vontu.icap.IcapConnection performUriServiceCheck
FINER: Service definition not as per spec. Treating as REQMOD

So I am wondering if in the McAfee configuration I need to specify NOT just the IP address but also the REQMOD... icap://10.1.179.174:1344/REQMOD

Can someone send me a screen shot of how to configure the McAfee side of the Gateway. Since there is NOTHING to configure on the Symantec side, other than the port and number of connections.


0 Kudos
eelsasser
Level 15

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


Yes. You absolutely have to send /REQMOD

Capture.png

0 Kudos
ronaksf
Level 7

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


This is what I thought...

Can you show me the configuration screen that is on..

Or at least what steps to get to that setting, step by step.. for a client of mine has set this up. I believe it was set up incorrectly. We have not been able to find an instruction guide on this.

Also is this the same config on Gateway 7.3.1, for I am not seeing the Connection limit check box.

0 Kudos
ronaksf
Level 7

Re: Web Gateway ICAP Bad response 400 error (7.3.1)


Plain and Simple. If you DO NOT have the /REQMOD in the setting on the McAfee side, Symantec DLP will not like it and McAfee will not know what the connection limit is.

As a result McAfee will take one of the servers out of the pool, if you have more than 1 defined per proxy.

0 Kudos
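
Added example, not part of any post in this thread and not vendor code: a Python check of the ICAP request lines quoted above (the first telnet test, the line seen in the Symantec log, and the suggested telnet line) against the RFC 3507 request-line form of method, full URI and `ICAP/1.0`, plus a probe that sends a complete OPTIONS request. The function names are made up for this example, and the probe assumes an ICAP server you administer on port 1344.

```python
import socket
from urllib.parse import urlsplit

def lint_request_line(line):
    """List RFC 3507 problems in an ICAP request line; an empty list means well-formed."""
    parts = line.split()
    if len(parts) != 3:
        return ["expected 'METHOD URI ICAP/1.0', got %d token(s)" % len(parts)]
    method, uri, version = parts
    problems = []
    if method not in ("OPTIONS", "REQMOD", "RESPMOD"):
        problems.append("unknown method " + method)
    if version != "ICAP/1.0":
        problems.append("unexpected version " + version)
    url = urlsplit(uri)
    if url.scheme != "icap":
        problems.append("URI scheme is not icap")
    if url.path in ("", "/"):
        problems.append("URI has no service path")
    return problems

def build_options(host, service, port=1344):
    """Build a complete OPTIONS request: request line, Host header, blank line."""
    uri = "icap://%s:%d/%s" % (host, port, service)
    return ("OPTIONS %s ICAP/1.0\r\nHost: %s\r\n\r\n" % (uri, host)).encode("ascii")

def parse_status(raw):
    """Turn b'ICAP/1.0 400 Bad request\\r\\n...' into (400, 'Bad request')."""
    version, code, reason = raw.split(b"\r\n", 1)[0].decode("ascii").split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP response: " + version)
    return int(code), reason

def probe(host, service, port=1344, timeout=5.0):
    """Send the OPTIONS request to an ICAP server you administer; return its status."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options(host, service, port))
        status_line = s.makefile("rb").readline()  # first line of the reply
    return parse_status(status_line)

# Request lines quoted in this thread, checked offline.
THREAD_LINES = [
    "OPTIONS icap://127.0.0.1:1344/reqmod",            # first telnet test
    "REQMOD icap://10.1.179.174:1344 ICAP/1.0",        # seen in the Symantec log
    "OPTIONS icap://10.X.X.X:1344/REQMOD ICAP/1.0",    # eelsasser's suggested line
]
if __name__ == "__main__":
    for line in THREAD_LINES:
        print(line, "->", lint_request_line(line) or "ok")
```

The first telnet line fails this check on the missing `ICAP/1.0` token before the service path is looked at, and the line from the Symantec log fails it only on the missing service path.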