CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
NGX HFA3, VPN with an ASA. Simple HTTP request, key install looks good. I get good log entries for the encrypted connection to a remote web server over http, but it is followed within about a minute by this error:

reason: WSE0010005 can't connect to server 'xxx.xxxxxx.com' resource: http://xxx.xxxxxx.com

I've obfuscated the URL in the info from the log entry above. I've not contacted the peer yet to check their logs, but I'm frustrated that I can't seem to search on that WSE entry. I have no http security server definitions, or resources defined in this policy. The error is listed by the SmartDefense daemon, but I'm still not entirely sure what function may be picking that up. For all I know, their server is down and that's just the response that comes back.

I'm not sure if you are still having this problem, but I recently saw this as well. I set up an IPSO cluster with 2 IP265s, and after the cluster came up, the users saw that some web sites were accessible, and some were not. The logs showed the error you mentioned, but I also saw much of the traffic being accepted, even though the sites were not accessible.

Long story short, we eventually determined that that problem was caused by the Smart Defense rule (under Web Intelligence in R60) "ASCII only response headers." Even though we only had this rule set to monitor, it still blocked the http connections. After we completely disabled this Smart Defense rule and pushed the policy, the problem disappeared.

I hope this helps.

Loren
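One way to check whether a captured response from an affected site carries the kind of header that an ASCII-only rule like the one named above would object to. This is an added example, not part of the thread and not Check Point's implementation; the function names and sample responses are constructed, and treating "non-ASCII" as any byte above 0x7F is an assumption.

```python
# Added example: list HTTP response header lines that contain non-ASCII bytes.
# Assumption: "non-ASCII" means any byte above 0x7F. The firewall's actual
# matching logic is not described on this page.

def header_lines(raw: bytes) -> list[bytes]:
    """Return the status line and header lines, stopping before the body."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n")


def non_ascii_headers(raw: bytes) -> list[tuple[str, list[int]]]:
    """Return (line label, offsets of bytes > 0x7F) for each offending line.

    The status line is labelled "status-line"; header lines are labelled
    with their field name. Bytes in the response body are ignored.
    """
    findings = []
    for index, line in enumerate(header_lines(raw)):
        offsets = [i for i, b in enumerate(line) if b > 0x7F]
        if not offsets:
            continue
        if index == 0:
            label = "status-line"
        else:
            label = line.split(b":", 1)[0].decode("ascii", "replace").strip()
        findings.append((label, offsets))
    return findings


# Constructed sample responses (not taken from the thread).
CLEAN = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
         b"Content-Type: text/html\r\n\r\n<html>caf\xc3\xa9</html>")
DIRTY = (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
         b"Content-Disposition: attachment; filename=\"r\xc3\xa9sum\xc3\xa9.pdf\"\r\n"
         b"\r\nbody")

if __name__ == "__main__":
    for name, sample in (("CLEAN", CLEAN), ("DIRTY", DIRTY)):
        print(name, non_ascii_headers(sample))
```

Feeding it the raw bytes of a response captured on the server side of the gateway shows which header, if any, contains high-bit bytes.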