About Troubleshooting Next-hop Proxy Issues
Reviewing the settings for next-hop proxies can help solve issues with connection delays or unavailability.
Next-hop proxy issues are indicated by alerts on the dashboard. Settings for next-hop proxies can be reviewed to troubleshoot these issues and also to ensure that next-hop proxies have appropriately been configured to enable cloud lookups for URL filtering and regular updates of other filtering information.
Next-hop proxy alerts
Alerts on the dashboard indicating next-hop proxy issues look like this.
- Next hop proxy 10.44.44.44 has been marked as down for 10 seconds
This alert appears if, after trying to connect to a next-hop proxy, Web Gateway detects that the next-hop proxy is down and 10 seconds are configured as the waiting time until the next retry.
The waiting time begins after the configured number of retries, which are performed immediately, have been completed unsuccessfully. - Connection to next hop proxy 10.44.44.44 failed
This alert appears, if after trying to connect to a next-hop proxy, Web Gateway detects that the next-hop proxy is down and no waiting time (0 seconds) is configured. After unsuccessfully completing the configured number of retries, Web Gateway immediately performs the next retry.
Connection retry settings for next-hop proxies
If you notice slowness on next-hop proxy connections, we recommend reviewing the connection retry settings, which are part of the Next Hop Proxy settings.
The settings include the number of retries Web Gateway performs after a failed connection attempt, and the waiting time before performing the next retry after the configured number of retries has been completed unsuccessfully.
We recommend configuring a low number of retries, for example, 3, and no waiting time at all.
Configuring the settings in this way does not prevent the alerts from appearing, but avoids unnecessary delay with connection retries.
Avoiding delay is also important, as sometimes a next-hop proxy can erroneously be marked as down on Web Gateway, which would make waiting until the next retry even less appropriate.
Next-hop proxies for URL filtering
Slowness or failure in URL filtering can also be related to the next-hop proxy configuration.
The settings for URL filtering are by default configured to let categorizations of URLs be looked up on a cloud server of the Skyhigh Security Global Threat Intelligence system if no category for a given URL can be found in the local database on a Web Gateway appliance.
Next-hop proxies can be configured for connecting to these servers as part of the URL Filter settings. If no next-hop proxies are configured or if the configuration settings are faulty, attempts to perform cloud lookups can fail or be slow.
Next-hop proxies for updates
You can also use next-hop proxies for connecting to the update servers, which provide regular updates for anti-malware filtering, URL filtering, and other activities. Next-hop proxies for updates are configured as part of the Central Management settings.