Hello,
After analysis, this is even worse... The thing about CAS and proxy being able to ping each other: it is only if the ping is initiated from CAS; the 1st packet takes around 1000ms, then the response time is normal. When the issue happens again and the ping is initiated from the proxy, it says "host is down"... According to the pcap, when the proxy would like to update its ARP table, the CAS never replies (you see the request on the CAS interface), but if it is the contrary then the issue is solved... This issue has been escalated to the engineering team.
Apparently static ARP is possible on the ISG, but I am not sure if it is possible at the application level; I will check that later. Still, this is only a workaround here.
Regarding your dedicated interface for CAS, do you have your CAS in the same subnet as your proxy application or in a completely different one?
For me, LAG5 (for proxy application: vlan 10 internal, vlan 20 external)
2:3 (CAS), vlan 20
As interface sharing was possible, I even tried to move vlan 20 from LAG5 to 2:3 and create a new dedicated vlan for the external connection on the proxy side, but the connection no longer works at all. I wanted to keep the inter-application connection inside the ISG, but it seems like I will have to try to set it on a totally separate subnet...
I will check the release notes for the proxy application OS again.
Anyway thanks for the quick feedback :)
Original Message:
Sent: Aug 12, 2024 05:35 PM
From: rockchick
Subject: ISG - Connection proxySG VA to CAS VA (same ISG)
Yep, we discovered that too about VLAN trunking and had to give our CASs their own interface. It sucks and I agree that the documentation is misleading, but it does mean that CAS then works.
What is the ICAP issue? Are you getting users being blocked with ICAP errors? ICAP threads maxed out? CAS CPU through the roof? Which AV engine(s) are you using? Are you ICAP scanning everything or do you have a bypass list?
Original Message:
Sent: Aug 10, 2024 03:51 AM
From: Furil
Subject: ISG - Connection proxySG VA to CAS VA (same ISG)
Hello,
After setting up the ISG device I noticed (very late, unfortunately) that the CAS application is not compatible with vlan trunking, meaning we had to dedicate at least 1 interface to the CAS application only... In my case, for testing purposes, I set up only one interface. Here is the current configuration:
LAG5 (interface 2:0 2:1 2:2) - for proxy application
2:3 - for CAS application
Thing is, it was written in the documentation that interface sharing was possible between applications, but if I am not wrong there was nothing mentioned about the CAS application not being compatible with vlan trunking.
The next issue is that the ICAP service works whenever it wants to... I checked CPU / memory / interface discards on both the ISG and the applications, with no success... And the service itself on the CAS device seems to be working. Moreover, during those issues, at network level both machines can see each other and ping each other. The next thing I did was to power off both applications and restart the ISG, just in case. Nothing changed...
What I did next was to try to share interface 2:3 with the proxy application (as they both have an IP in the same subnet), which does not seem to work (both machines cannot see each other at all).
I was wondering if other people have faced this issue?
Any idea what could be the root cause of this issue in this kind of infrastructure? Proxy is on 7.4.2.1 and CAS on 3.1.7.0 (ISG 2.3.7.1). I already opened a case for that but there has been no progress at all (open for 1 month)...
Thanks in advance for your help
Furil
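The symptom described in the most recent reply above (ARP requests from the proxy that the CAS never answers, while the opposite direction resolves) can be confirmed from a capture with a check like the following. This is an added example, not code from the thread or from vendor tooling; the function names, the 1-second timeout, and the addresses and MACs in the constructed sample are assumptions.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def build_arp(op, sha, spa, tpa, tha=b"\x00" * 6):
    """Build an untagged Ethernet/ARP frame; only used for the constructed sample."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (dst + sha + b"\x08\x06" + hdr + sha + socket.inet_aton(spa)
            + tha + socket.inet_aton(tpa))

def parse_arp(frame):
    """Return (op, sender_ip, target_ip) for an IPv4 ARP frame, or None."""
    off = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
    if len(frame) < off + 28 or frame[off - 2:off] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, socket.inet_ntoa(frame[off + 14:off + 18]),
            socket.inet_ntoa(frame[off + 24:off + 28]))

def unanswered_requests(packets, timeout=1.0):
    """packets: (timestamp, frame) pairs in capture order. Returns sorted
    (timestamp, requester_ip, target_ip) for requests with no reply in time."""
    pending, missed = {}, []
    for ts, frame in packets:
        op, sender, target = parse_arp(frame) or (None, None, None)
        if op == ARP_REQUEST:
            pending.setdefault((sender, target), []).append(ts)
        elif op == ARP_REPLY:
            # A reply's sender is the original target, its target the requester.
            for t in pending.pop((target, sender), []):
                if ts - t > timeout:
                    missed.append((t, target, sender))
    for (requester, target), times in pending.items():
        missed.extend((t, requester, target) for t in times)
    return sorted(missed)

# Constructed sample (documentation addresses, made-up MACs), not the poster's pcap.
P_IP, P_MAC = "192.0.2.10", bytes.fromhex("020000000010")  # stands in for the proxy
C_IP, C_MAC = "192.0.2.20", bytes.fromhex("020000000020")  # stands in for the CAS
SAMPLE = [
    (0.000, build_arp(ARP_REQUEST, C_MAC, C_IP, P_IP)),
    (0.001, build_arp(ARP_REPLY, P_MAC, P_IP, C_IP, tha=C_MAC)),
    (5.000, build_arp(ARP_REQUEST, P_MAC, P_IP, C_IP)),
    (6.000, build_arp(ARP_REQUEST, P_MAC, P_IP, C_IP)),
]
```

Running `unanswered_requests` separately on captures taken at the proxy interface and at the CAS interface shows whether the request reaches the CAS and no reply leaves it, or whether the reply is lost on the way back.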