Troubleshooting tips for Network Agent

Topic 50184 / Updated: 29-Apr-2011

Applies To:

Websense Web Filter, Web Security, Web Security Gateway, and Web Security Gateway Anywhere Versions 7.5, 7.6

Network Agent cannot contact Filtering Service

When Filtering Service has been uninstalled and reinstalled, the Network Agent does not automatically update the internal identifier (UID) for Filtering Service.

To re-establish connection to Filtering Service:

1.	Open TRITON - Web Security and select the Settings tab of the left navigation pane.

2.	Expand the Network Agent section, and then select a Network Agent IP address.

3.	Select the Filtering Service IP address from the drop-down list.

4.	Click OK to cache your changes, and then click Save All.

Network Agent fails to start with stealth mode NIC

On Linux systems that include a network card configured in stealth mode, there are 2 potential issues that may prevent Network Agent from starting:

A stealth mode NIC may inadvertently be selected for communication (blocking) in the Websense software installer. Use TRITON - Web Security to select a different blocking NIC.

If Network Agent is bound to a NIC configured for stealth mode, and then the NIC IP address is removed from the Linux configuration file (/etc/sysconfig/network-scripts/ifcfg-<adapter name>), Network Agent will not start.

To reconnect Network Agent to the NIC, restore the IP address in the configuration file.

Spanning or mirroring is configured incorrectly

If Network Agent connect to a switch, it must be able to see all traffic for the network or segment that it monitors. This means that it must connect to the span, mirror, or monitor port (though the term varies by manufacturer, the function is the same).

The span port mirrors all the traffic that leaves the network segment, so traffic is simultaneously sent to the monitoring port to which Network Agent is connected.

Monitor (span, mirror) only the port going to the firewall or router, not the entire network.

Router or firewall traffic is being monitored in the wrong direction

Monitor (span, mirror) the traffic going to the firewall or router. On Cisco switches, this means you need to specify Tx. On HP and 3Com switches, you need to specify Egress.

To log bytes sent and received, set both Tx and Rx (Cisco) or both Egress and Ingress (HP, 3Com).

Mono-directional spanning (mirroring)

Websense, Inc., strongly recommends using a switch that supports bidirectional spanning. If such a switch is used, Network Agent can function successfully with a single network card performing both monitoring and blocking.

If the switch does not support bidirectional spanning, Network Agent must use separate NICs for monitoring and blocking.

Teamed NICs

Teamed NICs share the load under one common identity, with multiple adapters load-balancing under a single IP address. This is also known as link aggregation or trunking.

If you have implemented NIC teaming, but don't see load balancing working as expected, the problem may be resolved by configuring your switch disable flowcontrol send. To do this, use the command set port flowcontrol send off for both the port-channel and channel member ports.

An anti-spoofing mechanism has been used in the switch

Because Network Agent uses spoofing to block requests, the anti-spoofing mechanism in the switch must be disabled. If this is not possible, use Content Gateway (the Web Security Gateway proxy) or a third-party integration product (Web Security and Web Filter).

Can a network tap be used with Network Agent?

Yes. A tap can be used with the Network Agent machine. Network Agent must be able to see the traffic in both directions.

Some Network Agent configuration details are lost after appliance upgrade to v7.6

After upgrading a Websense V-Series appliance in filtering only mode to version 7.6, log on to TRITON - Web Security and perform the following steps to verify your Network Agent settings:

1.	Go to the Settings > Network Agent > Local Settings page for the Network Agent instance on the appliance.

The Local Settings page is displayed when you select a Network Agent IP address from the Settings > Network Agent submenu. and update the Filtering Service Definition.

The Network Agent IP address is the IP address of the C interface on the filtering only appliance.

2.	Verify the following settings:

The Filtering Service IP address. This is usually the IP address of the C interface.

The value of the If Filtering Service is unavailable drop-down list. Will be either Permit or Block.

3.	Scroll to the bottom of the page and click Advanced Network Agent Settings to review the advanced options.

Verify the HTTP traffic settings for this Network Agent instance.

If there are ports that Network Agent should not monitor, mark the Configure this Network Agent instance to ignore traffic… check box, and then list the ports that Network Agent should not monitor. Use commas to separate the port entries.

4.	Click OK to cache your changes, and then click Save All to implement them.

5.	Click the NIC-2 link in the Network Interface Cards table to access the NIC Configuration page for this Network Agent instance.

Make sure that the check boxes in the Integrations section have the correct logging and filtering settings.

Verify that the Protocol Management settings have the correct filtering and bandwidth measurement settings.

6.	Click OK to cache your changes, and then click Save All to implement them.