Solved

Websense url-server shows as down

Posted on 2009-07-13
Last Modified: 2012-08-14
When I do a sh url-server stat, it shows the server/service as down. We have this set up the same way in over 20 locations, but I only run into this situation on a couple of locations. I can reload the pix or asa and the service comes back up. It stays running for a few days, then stops again. What causes this? Is there a way to start it back up with reloading the pix/asa?
Question by:Neil2526
10 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24853922
What does your "url-server" config line look like?

3nerds
 
LVL 14

Expert Comment

by:Ehab Salem
ID: 24856704
When it shows that Websense server is down, is it really down? If so, you need to check physical available RAM on the WS Policy server and the EIM Server.
 

Author Comment

by:Neil2526
ID: 24860177
url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable


The websense server is not down, but for some reason on the asa or pix it says it is. If I reload it, all is ok and shows up.
I want to know what causes this, and is there a way on the asa/pix that I can restart this without reloading it?
Thanks
 
LVL 13

Expert Comment

by:3nerds
ID: 24860461
Couple of thoughts here.

First to get it back up without rebooting try:

no url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4

and then put it back:

url-server (inside) vendor websense host 10.0.0.24 timeout 15 protocol UDP version 4

Secondly

I would consider switching your current line to this:

url-server (inside) vendor websense host 10.0.0.24 timeout 30 protocol TCP version 4

As TCP is the preferred protocol straight from the websense documents and the lengthening of the timeout may help, as it appears the server is not responding or you are seeing a delay on your network causing it to drop.

Taken from here: Page 223

http://eproductivity.org/SupportPortal/documents/v631/WSInstall_Cisco.pdf

Good Luck,

3nerds
 

Author Comment

by:Neil2526
ID: 24860728
Tried your suggestion of taking out the websense command and putting it back in, with no luck on the restarting of the websense on the pix/asa. See output below:
Server Statistics:
--------------------
10.0.0.24                         DOWN
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
  Response time average 60s/300s  0/0

I will try changing to tcp and lengthening the timeout and see what happens.

 
LVL 13

Expert Comment

by:3nerds
ID: 24860776
From the asa can you ping the websense server?

3nerds
 

Author Comment

by:Neil2526
ID: 24860917
I can ping the websense server (located here at corporate) from the remote server located behind the asa, but not from the asa directly (icmp not turned on?)
 
LVL 13

Expert Comment

by:3nerds
ID: 24861160
but not from the asa directly(icmp not turned on?) ---> I assume your websense server is connected off your inside interface, as such ping should not be blocked unless the websense server has a firewall turned on. But if you can ping the websense server remotely then you should be able to from the asa. I would start my digging from here as the asa must be able to directly talk to the websense server or this problem will never go away.


Regards,

3nerds
 

Author Comment

by:Neil2526
ID: 24862723
Sorry, I can ping (ping inside 10.0.0.24). I can change the statement from UDP to TCP but I am afraid of the impact on the vpn traffic back and forth to the websense server and asa slowing down or connection.
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
ID: 24863393
Not sure I can answer that for you. I can only tell you I have customers with vpn connected sites using tcp in the statement, but only you can make that choice. I don't see exactly how changing that would affect it, but stranger things have happened.

3nerds
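
Added example (not part of the original thread, and not Cisco or Websense code): a Python parser for the "sh url-server stat" output posted above, meant for polling many sites and catching the DOWN state early. This matters because the filter lines in the question end in "allow", which lets traffic pass unfiltered while the firewall considers the server unavailable. The "UP" status string, the second server 10.0.0.25 and its counters are assumptions constructed for the sample.

```python
import re

# Constructed sample modeled on the output posted in the thread; the second
# (UP) server and its counters are invented for contrast.
SAMPLE = """\
Server Statistics:
--------------------
10.0.0.24                         DOWN
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   0/0/0
  Server timeouts/retries         0/0
  Responses received              0
  Response time average 60s/300s  0/0
10.0.0.25                         UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   420/400/20
  Server timeouts/retries         7/3
  Responses received              413
  Response time average 60s/300s  2/1
"""
SERVER_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(UP|DOWN)\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)\s{2,}(\S+)\s*$")

def parse_server_stats(text):
    """Return one dict per server block: ip, status and its indented fields."""
    servers = []
    for line in text.splitlines():
        if m := SERVER_RE.match(line):
            servers.append({"ip": m.group(1), "status": m.group(2)})
        elif servers and (m := FIELD_RE.match(line)):
            servers[-1][m.group(1)] = m.group(2)
    return servers

def findings(servers):
    """Flag servers marked DOWN, and UP servers that show timeouts."""
    out = []
    for s in servers:
        timeouts = int(s.get("Server timeouts/retries", "0/0").split("/")[0])
        if s["status"] == "DOWN":
            out.append((s["ip"], "marked DOWN by the firewall"))
        elif timeouts:
            out.append((s["ip"], f"UP, but {timeouts} server timeouts"))
    return out

if __name__ == "__main__":
    for ip, reason in findings(parse_server_stats(SAMPLE)):
        print(f"{ip}: {reason}")
```

A DOWN entry with all counters at 0, as in the thread, means the firewall has not received a single response from the server since the url-server line was applied.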