PDF(4.8 KB) View with Adobe Reader on a variety of devices
Updated:August 12, 2014
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Why does Internet access or access to certain websites fail with Error: Notification codes: NO_MORE_FORWARDS?
Symptoms: Notification codes: NO_MORE_FORWARDS when trying to browse via the proxy
Environment: Cisco Web Security Appliance (WSA)
"NO_MORE_FORWARDS" error message indicates that there is a loop going on and the proxy is refusing to forward the request any more. This is typically a loop between the WSA appliance and a firewall / layer 4 switch.
Client <-> Switch <-> Firewall <-> Internet | WSA
In this scenario, the firewall has been configured to redirect all traffic destined for an outside network on port 80 to the WSA. This is a popular transparent style of proxy deployment.
The firewall has not been setup with an exception rule to send traffic originating from the WSA to the outside.
This causes everything the WSA sends to be sent back to itself. After multiple attempts, the socket is closed and this error message is sent back to the client.
To resolve this, you need to create an access list on the ASA (or router / switch if it is acting as the WCCP router) that denies the IP address of the WSA appliance from WCCP redirection, but permits redirection of all other traffic. This access list can be applied to the wccp web-cache statement.
access-list wccp_redirect extended deny ip host <WSA_IP_addrees> any access-list wccp_redirect extended permit ip any any ! wccp <service-ID> redirect-list wccp_redirect ! wccp interface <Interface-name><service-ID> redirect in