Neil2526
asked on
Websense url-server shows as down
When i do a sh url-server stat, it shows as the server/service as down. We have this setup the same way in over 20 locations, but i only run into this situation on a couple locations. I can reload the pix or asa and the service comes back up. I stays running for a few days, then stops again. What causes this? Is there a way to start it back up with reloading the pix/asa?
When it shows that Websense server is down, is it really down? If so, you need to check physical availabnle RAM on the WS Policy server and the EIM Server.
ASKER
url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
The websense server is not down, but for some reason on the asa or pix it says it is. If i reload it, all is ok and shows up.
I want to know what causes this, and is there a way on the asa/pix that i can restart this without reloading it?
thanks
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
The websense server is not down, but for some reason on the asa or pix it says it is. If i reload it, all is ok and shows up.
I want to know what causes this, and is there a way on the asa/pix that i can restart this without reloading it?
thanks
Couple of thoughts here.
First to get it back up without rebooting try:
no url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4
and then put it back:
url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4
Secondly
I would consider switching your current line to this:
url-server (inside) vendor websense host 10.0.0.24 timeout 30 protocol TCP version 4
As TCP is the preferred protocol straight from the websense documents and the legnthing of the time out may help as it appears the server is not responding or you are seeing a delay on your network causing it to drop.
Taken from here: Page 223
http://eproductivity.org/SupportPortal/documents/v631/WSInstall_Cisco.pdf
Good Luck,
3nerds
First to get it back up without rebooting try:
no url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4
and then put it back:
url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4
Secondly
I would consider switching your current line to this:
url-server (inside) vendor websense host 10.0.0.24 timeout 30 protocol TCP version 4
As TCP is the preferred protocol straight from the websense documents and the legnthing of the time out may help as it appears the server is not responding or you are seeing a delay on your network causing it to drop.
Taken from here: Page 223
http://eproductivity.org/SupportPortal/documents/v631/WSInstall_Cisco.pdf
Good Luck,
3nerds
ASKER
Tried your suggestion of taking out the websense command and putting it back in, with no luck on the restarting of the websense on the pix/asa. See out put below:
Server Statistics:
--------------------
10.0.0.24 DOWN
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0
I will try changing to tcp and lengthing the timeout and see what happens
Server Statistics:
--------------------
10.0.0.24 DOWN
Vendor websense
Port 15868
Requests total/allowed/denied 0/0/0
Server timeouts/retries 0/0
Responses received 0
Response time average 60s/300s 0/0
I will try changing to tcp and lengthing the timeout and see what happens
From the asa can you ping the websense server?
3nerds
3nerds
ASKER
I can ping the websense server(located here at corporate) from the remote server located behing the asa, but not from the asa directly(icmp not turned on?)
but not from the asa directly(icmp not turned on?) ---> I assume you websense server is connected off your inside interface, as such ping should not be blocked unless the websense server has a firewall turned on. But if you can ping the websense server remotely then you should be able to from the asa. I would start my digging from here as the asa must be able to directly talk to the websense server or this problem will never go away.
Regards,
3nerds
Regards,
3nerds
ASKER
sorry, i can ping(ping inside 10.0.0.24). I can change the statement from UDP to TCP but i afraid of the impact on the vpn traffic back and forth to the websense server and asa slowing down or connection.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
3nerds