Updated: August 12, 2014
Why does Internet access or access to certain websites fail with Error: Notification codes: NO_MORE_FORWARDS?
Symptoms: Notification codes: NO_MORE_FORWARDS when trying to browse via the proxy
Environment: Cisco Web Security Appliance (WSA)
The "NO_MORE_FORWARDS" error message indicates that a forwarding loop exists and the proxy is refusing to forward the request any further. This is typically a loop between the WSA and a firewall or Layer 4 switch.
Client <-> Switch <-> Firewall <-> Internet
                          |
                         WSA
In this scenario, the firewall has been configured to redirect all traffic destined for an outside network on port 80 to the WSA. This is a popular transparent style of proxy deployment.
However, the firewall has not been set up with an exception rule that sends traffic originating from the WSA to the outside.
This causes everything the WSA sends to be sent back to itself. After multiple attempts, the socket is closed and this error message is sent back to the client.
To resolve this, you need to create an access list on the ASA (or router / switch if it is acting as the WCCP router) that denies the IP address of the WSA appliance from WCCP redirection, but permits redirection of all other traffic. This access list can be applied to the wccp web-cache statement.
access-list wccp_redirect extended deny ip host <WSA_IP_address> any
access-list wccp_redirect extended permit ip any any
!
wccp <service-ID> redirect-list wccp_redirect
!
wccp interface <Interface-name> <service-ID> redirect in
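
The effect of the redirect list, and of the order of its entries, can be checked with a small model. This is an added example, not Cisco code: the IP addresses, the forward limit of 5 and all function names are assumptions made for illustration, and it assumes the WSA sends its outbound requests from its own IP address.

```python
import ipaddress

# Constructed values (documentation address ranges), not taken from the page.
WSA_IP, CLIENT_IP = "192.0.2.10", "198.51.100.25"
MAX_FORWARDS = 5  # assumed limit for this model; the page does not state the real one

BROKEN = "access-list wccp_redirect extended permit ip any any"
FIXED = f"""access-list wccp_redirect extended deny ip host {WSA_IP} any
access-list wccp_redirect extended permit ip any any"""
# Same two entries in the wrong order: the deny is never reached.
MISORDERED = "\n".join(reversed(FIXED.splitlines()))

def parse_acl(text):
    """Turn 'access-list NAME extended ACTION ip SRC any' lines into (action, network)."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, src = tok[3], tok[5:]
        if src[0] == "host":
            net = ipaddress.ip_network(src[1] + "/32")
        elif src[0] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            raise ValueError(f"unsupported source in: {line}")
        entries.append((action, net))
    return entries

def redirected(acl, src_ip):
    """First match wins; permit = redirect to the WSA, deny (or no match) = forward normally."""
    addr = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if addr in net:
            return action == "permit"
    return False

def browse(acl_text, client_ip=CLIENT_IP):
    """Outcome of one port-80 request, assuming the WSA sends from its own IP."""
    acl = parse_acl(acl_text)
    if not redirected(acl, client_ip):
        return "DIRECT"             # client traffic bypasses the proxy
    forwards = 0
    while redirected(acl, WSA_IP):  # WSA's outbound request is sent back to the WSA
        forwards += 1
        if forwards >= MAX_FORWARDS:
            return "NO_MORE_FORWARDS"
    return "OK"                     # WSA's request reaches the Internet

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(name, browse(acl))
```

The misordered list fails the same way as the list without the exception, because the permit entry matches the WSA address before the deny entry is evaluated.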