Novell BorderManager 3.6
Troubleshooting Proxy Errors
(a) Default route on the server (do this in TCPCON).
(b) If you can ping by address but not by name, then check the DNS configuration in INETCFG, and the RESOLV.CFG file.
2- Can you go to the browser and browse to a site by IP address instead of the name?
(a) If you can browse by name, then it is a DNS issue.
3- Always test more than one client, it always could be a client issue.
With this error there are two things to look for. The rest of the error will state that you are forbidden by access rules or you are not logged in.
1- If the error states that you are not logged in then you need to turn off the proxy authentication in NWADMIN. Then test. Does it work?
(a) If it works, authentication has not been correctly configured. This should always work. Remember to always test proxy in the most general setup first.
(b) If they are running SSON - Refer to TID 3598432 to find out how to run the CLNTRUST. If they run this does the 403 errors go away? They should.
(c) There are issues with the 403 forbidden, not logged in error message with the CLNTRUST timing out. The suggestion here is to try the CLNTRUST from the BorderManager server. That means mapping a drive to the BM server and running it from there, not another server.
2- The other error you get with 403 is because the access control rules are blocking you.
(a) Again turn off the access control rules in NWADMIN by un-checking the enforce access control rules checkbox in the BorderManager Setup screen. If you disable rules it should work. Remember to always run the proxy in the most simplest manner first, before complicating the issue with access control rules.
(b) If the user is getting a 403 forbidden error because of Access control rules then you need to check the rules. The default rule that BorderManager sets up is to deny everything. If you have not added new rules to the list then obviously it will be a 403 forbidden because all access is denied.
(c) A good way of troubleshooting these rules, is to go through them one by one and explain what each one does. Did you find a rule that allowed the user out? If not, then again, the 403 forbidden rule is obvious.
(d) If you have gotten to the point that everything checks out and you are still seeing the 403 Forbidden error there may be corruption in the schema. The only way to address this is to run a utility called BM3RMV3 which is a DS utility written to remove all BorderManager attributes because of corruption. After running this utility you will have to reconfigure all settings in BorderManager Setup.
NOTE - IF you have disabled both the access control rules and proxy authentication then the 403 errors will disappear, you then have to determine which of the two (access control rules or authentication) is giving them the 403 forbidden errors and resolve that issue.
**** 504 Unreachable or timeouts ....
This error is given because the proxy server is not getting the request back to the client.
1- The first thing to check here is packet size issues. Do the following on the server from the system console screen.
a- SET USE SPECIFIED MTU = ON - This command forces the BM server to use a specified packet size. There are always problems with devices negotiating a packet size. This does
away with that algorithm and forces a set size.
b- SET MAXIMUM INTERFACE MTU = 576 - 576 is there by default and is the smallest value. If this works you can increase this value for a better performance.
c- SET ALWAYS ALLOW IP FRAGMENTATION = ON - This allows large packets to be fragmented.
**** Refer to KB 2911035 for these commands and more
Note that if these help you have to put them in the NCF files so that after a reboot they are still there.
2- Other things to try are the same as above. Try browsing from more than one workstation, try putting a client on the same segment as the BM server and see if that makes a difference. It could be an internal router.
a- Try loading ping on the server. Can you ping with packets larger than 1500? 1600? 1800? Where does it fail? If you cannot at least ping at 1500 you have a problem there and that should explain this error on the browser.
3- Try using NAT instead of the proxy on the workstation. Is this a problem with all packets going through the server or does it happen only with proxy? This helps explain to the customer also that proxy is not the problem, but routing issues are involved and packet size issues.
a- Enable Nat in dynamic mode on the server on the public
b- Make sure that the browser is then configured to use a direct connection instead of the manual proxy configuration
c- Make sure the client has a default route pointing to the BM server or NAT will not work.
d- The client now has to do its own DNS lookups so either
configure a DNS server for this test on the workstation, or only
browse by IP addresses for the test.
**** Other things to note with the proxy
1- If you are getting these errors on the browser you know that proxy is working otherwise you would see the Netscape or the IE error pages instead. If you are seeing the browsers error pages instead of the proxy error pages the proxy is not working. Do the following to troubleshoot these errors
a- Try pinging from the client to the private ip address of the BM server. Are you successful? If not you have found the problem, the routing is not setup correctly.
b- Is the proxy loaded on the server? Do a modules on proxy is it loaded?
c- Go into TCPCON to Protocol Information and see if under TCP that the proxy is listening on the specified port (8080 by default). You can also look at the Novell BorderManager Proxy console. Under configured services the proxy should be bound and listening on all the addresses.
d- It never hurts to check the filters and make sure that they
are not blocking you. Do an unload ipflt on the server and
**** Cannot get to secure sites through the proxy or ftp sites.
1- You need to make sure that the browser configuration is setup for not only HTTP, but also for SSL and FTP. Note that the configuration of both of those is the same, both to the private ip address to port 8080. If those are not configured then the client will not be able to go to any ftp or secure site.
2- If also could be that the access control rules are blocking
you. Go in and disable the enforce access rules check box, update
the server and then retest. If it works then we need to add
additional rules to the list.
a- Allow - Port - 443 - Any source - Any destination
b- You could change the rules they are using for http proxy to port 80 to access type of URL instead. Then it does not care if it is ftp or a secure site, it allows all ports. Refer to TID: 2949552
**** Cannot get to certain sites, or the sites are corrupted.
1- The first thing to do here is to test the sites yourself. Can you get to those sites yourself? If not then it could be the origin web server, or that our proxy has problems accessing that site. (Bug)
a- If you can duplicate the issue, try configuring NAT as noted in an example above and then try it again, do you get the same results or different results? This will tell you if it is a proxy issue or not.
b- Try clearing the cache on the server. Unload proxy and then reload proxy with the -cc option for clear cache and then retest. Sometime cache gets corrupted.
c- The other issue would be patches. Most of the known issues have been addressed in patches.
1- BM 3.0 the latest to date is the BM3PC7.EXE patch for proxy. Also note that BM3SP1 is available.
2- BM 2.1 the latest patch for proxy is the BMP113.EXE They need to also have N51SP6A, the latest TCP/IP patch and BMSP2D which is the BorderManager support pack..
Formerly known as TID# 10019250