6 Replies Latest reply on Nov 12, 2013 4:30 PM by ronaksf

    Web Gateway ICAP Bad response 400 error (7.3.1)

      Has anyone integrated Web Gateway 7.3.1 with a DLP product?

       

      We have configured the Web Gateway to communicate via ICAP with the (2) Two Symantec DLP Web Prevent.

       

      The situation seems to be that McAfee does not like the "400" error that is being sent back to it from Symantec DLP.

       

      [2013-10-21 12:11:15.390 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.424 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.530 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.566 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.667 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.706 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:15.737 -05:00] [ ERRORS LOG FLOOD - START    ] 6 times within the last 937ms [4B14F37416E598D3][>>> [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.174 from service '157' sent a bad response: '400' <<<]

      [2013-10-21 12:11:17.581 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:17.777 -05:00] [ICAPClientFilterPlugin] [ICAPBadResponse] ICAP server 10.1.179.175 from service '157' sent a bad response: '400'

      [2013-10-21 12:11:17.778 -05:00] [ ERRORS LOG FLOOD - RELEASED ] 3 times within the last 252ms

       

      As a result it looks like McAfee does not like all of the errors and eventually stops talking to one of the DLP servers.

       

      In addition it looks like "400" is a VALID response for ICAP..

      Based on RFC compliance, 400 is a valid response code for ICAP (http://tools.ietf.org/html/rfc3507#section-4.3.3) for a bad request.

       

      This is how the Symantec DLP server is configured.. (We have set the Connection Numbers high, because there is no place to configure this on the Web Gateway.)

      Untitled.png

       

      Here is also the output from the DLP Servers..

       

       

       

      sec-pals01% telnet dlpXXXXX-XXXX.XX.XXXsrv.com 1344

      Trying 10.2.XXx.XXX...

      Connected to dlpXXXXX-XXXX.XX.XXXsrv.com.

      Escape character is '^]'.

      OPTIONS icap://127.0.0.1:1344/reqmod

      ICAP/1.0 400 Bad request

      Connection: close

       

      Connection to dlpXXXXX-XXXX.XX.XXXsrv.com closed by foreign host.

       

      sec-pals01% telnet dlpXXXXX-XXXX.XX.XXXsrv.com 1344

      Trying 10.2.XXx.XXX...

      Connected to dlpXXXXX-XXXX.XX.XXXsrv.com.

      Escape character is '^]'.

      OPTIONS icap://10.2.xxx.xxx:1344/reqmod

      ICAP/1.0 400 Bad request

      Connection: close

       

      Connection to dlpXXXXX-XXXX.XX.XXXsrv.com closed by foreign host.

       

       

      Anyone know what is causing this?

        • 1. Re: Web Gateway ICAP Bad response 400 error (7.3.1)
          btlyric

          We've been using MWG with McAfee's DLP Prevent devices for a while now.

           

          400 is a valid response code. One that says: I don't understand what you sent me.

           

          It is unsurprising that MWG doesn't like the repeated 400 response code -- after all, if you try to talk to someone and all they say back to you is "I don't understand," you're eventually going to stop trying to talk to them.

           

          There are a few possibilities that I can think of just offhand:

           

          1) MWG is sending a malformed request to the Symantec DLP system

           

          2) The Symantec DLP system isn't properly handling a correctly formed request from MWG

           

          3) Some combination of the two

           

          4) Something I haven't thought of

           

          Since it's the Symantec device that's throwing the Bad Request error, they may be your best bet for initial contact -- they should be able to tell you why their DLP device is rejecting the REQMOD.

          • 2. Re: Web Gateway ICAP Bad response 400 error (7.3.1)

            Try your telnet test again, but this time use the line:

             

            OPTIONS icap://10.X.X.X:1344/REQMOD ICAP/1.0

             

            The real server IP address should be there (I think) instead of 127.0.0.1, and I believe the REQMOD is case sensitive on the Symantec.

             

            Message was edited by: eelsasser on 11/9/13 12:23:17 PM EST
            • 3. Re: Web Gateway ICAP Bad response 400 error (7.3.1)

              Thanks for the replies..

               

              Though from the Symantec side, which is where I started diagnosing the issue, there are errors saying that McAfee is not sending all of the right info.

               

              Note, additional information when reviewing the logs: we found that the ICAP request did not contain the reqmod or respmod details - here's an example:

              Oct 29,2013 3:56:54 PM com.vontu.icap.IcapConnection readIcapHeaders
              FINER: ICAP-rhdr: REQMOD icap://10.1.179.174:1344 ICAP/1.0

              Oct 29, 2013 3:56:54 PM com.vontu.icap.IcapConnection performUriServiceCheck
              FINER: Service definition not as per spec. Treating as REQMOD

               

              So I am wondering if in the McAfee configuration I need to specify NOT just the IP address but also the REQMOD... icap://10.1.179.174:1344/REQMOD

               

              Can someone send me a screenshot of how to configure the McAfee side of the Gateway? Since there is NOTHING to configure on the Symantec side, other than the port and number of connections.

               


              • 4. Re: Web Gateway ICAP Bad response 400 error (7.3.1)

                Yes. You absolutely have to send /REQMOD

                 

                Capture.png

                • 5. Re: Web Gateway ICAP Bad response 400 error (7.3.1)

                  This is what I thought...

                   

                  Can you show me the configuration screen that is on..

                   

                  Or at least what steps to get to that setting, step by step.. for a client of mine has set this up. I believe it was set up incorrectly. We have not been able to find an instruction guide on this.

                   

                  Also, is this the same config on Gateway 7.3.1? I am not seeing the Connection limit check box.

                  • 6. Re: Web Gateway ICAP Bad response 400 error (7.3.1)

                    Plain and simple: if you DO NOT have the /REQMOD in the setting on the McAfee side, Symantec DLP will not like it and McAfee will not know what the connection limit is.

                     

                    As a result McAfee will take one of the servers out of the pool, if you have more than 1 defined per proxy.
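The two points the thread settles, that the ICAP request line needs a service path and the ICAP/1.0 version token (reply 2), and that the gateway learns its connection limit from the OPTIONS reply (reply 6), can be checked with a small Python helper. This is an added example, not code from the thread or from either vendor; the sample responses are constructed, the Max-Connections header is the RFC 3507 mechanism assumed to carry the limit, and the case-sensitivity check only repeats what reply 2 reports.

```python
import re

# Constructed sample responses for offline use; not captured from the thread's DLP servers.
BAD_RESPONSE = b"ICAP/1.0 400 Bad request\r\nConnection: close\r\n\r\n"
GOOD_RESPONSE = (b"ICAP/1.0 200 OK\r\nMethods: REQMOD\r\nService: constructed-dlp/1.0\r\n"
                 b"Max-Connections: 25\r\nEncapsulated: null-body=0\r\n\r\n")

def check_request_line(line):
    """Return the problems found in an ICAP request line (RFC 3507 sec. 4.3.1); [] if well formed."""
    problems = []
    parts = line.strip().split()
    if len(parts) != 3:
        return ["request line must be '<METHOD> <icap-URI> ICAP/1.0' (version token missing?)"]
    method, uri, version = parts
    if method not in ("OPTIONS", "REQMOD", "RESPMOD"):
        problems.append("unknown ICAP method %r" % method)
    if version != "ICAP/1.0":
        problems.append("bad version token %r" % version)
    m = re.match(r"icap://[^/\s]+(/\S*)?$", uri)
    if not m:
        problems.append("URI must be icap://host[:port]/service")
    elif not m.group(1) or m.group(1) == "/":
        problems.append("URI has no service path such as /REQMOD; the DLP log calls this 'not as per spec'")
    elif m.group(1) != m.group(1).upper():
        problems.append("service path %r is not upper case; the thread reports Symantec DLP is case sensitive" % m.group(1))
    return problems

def build_options_request(host, port, service="REQMOD"):
    """Build the OPTIONS request the telnet test should have sent (Host header is required by RFC 3507)."""
    line = "OPTIONS icap://%s:%d/%s ICAP/1.0" % (host, port, service)
    return ("%s\r\nHost: %s:%d\r\nEncapsulated: null-body=0\r\n\r\n" % (line, host, port)).encode("ascii")

def parse_options_response(raw):
    """Return (status_code, max_connections); max_connections is None unless the server sent
    Max-Connections (RFC 3507 sec. 4.10.2), the header a client takes its connection limit from."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
    version, code, _reason = head[0].split(" ", 2)
    if version != "ICAP/1.0":
        raise ValueError("not an ICAP status line: %r" % head[0])
    headers = {}
    for h in head[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    mc = headers.get("max-connections")
    return int(code), (int(mc) if mc else None)
```

Sending the bytes from build_options_request() over a socket to port 1344 and feeding the reply to parse_options_response() replaces the telnet test; a 400 with no Max-Connections is exactly the state in which the gateway has nothing to size its pool from.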