This happens because Content Cache is enabled in IWSVA. With Content Cache enabled, IWSVA adds a "via" header to the outgoing HTTP request. The web server does not support this header, so it sends back the "Forbidden" message.
- Run a packet capture from IWSVA. To do this, go to Administration > Support > Network Packet Capturing tab > Select the correct network interface > Start Capturing > Reproduce the issue > Stop Capturing then download the packet capture.
- Enter the following in the Filter:
  ip.src == XXXXX
  Where XXXXX is the IP address of IWSVA.
- Look for the GET request from IWSVA to the website in question.
- Right click the entry and select Follow TCP stream.
- In the "Follow TCP stream" window, look for an entry containing the word "via".
If you find the "via" entry and Content Cache is enabled (HTTP > Configuration > Content Cache), make the following changes:
- SSH to IWSVA.
- Do a backup of the following configuration file:
  cp /usr/iwss/ats/etc/trafficserver/records.config /usr/iwss/ats/etc/trafficserver/records.config.bak
- Edit the original configuration file and set the value of the string below to 0:
  vim /usr/iwss/ats/etc/trafficserver/records.config
  CONFIG proxy.config.http.insert_request_via_str INT 0 (Default value is 1)
- Save and exit.
- On the IWSVA web console, clear the content cache by going to HTTP > Configuration > Content Cache > Clear cache.
  Clearing a large cache may take a significant amount of time.
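The backup and edit steps above can also be scripted so the change is repeatable and verified. This is an added example, not part of the original article or any Trend Micro tooling. The function names and the append-if-missing behaviour are assumptions, and the dry run at the end uses a constructed sample file rather than a real IWSVA configuration.

```shell
#!/bin/sh
# Added example: back up records.config and set insert_request_via_str to 0.
# On the appliance, call it with the path from the article:
#   disable_request_via /usr/iwss/ats/etc/trafficserver/records.config

KEY='proxy.config.http.insert_request_via_str'

# Print the active value of the setting, or nothing if no such line exists.
current_via_value() {
    awk -v k="$KEY" '$1 == "CONFIG" && $2 == k && $3 == "INT" { v = $4 }
                     END { if (v != "") print v }' "$1"
}

disable_request_via() {
    conf=$1
    [ -f "$conf" ] || { echo "not found: $conf" >&2; return 1; }
    # Keep the first backup: a rerun must not replace it with an edited file.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Rewrite the matching line. Assumption: if the line is absent (default 1
    # applies), append an explicit override. Commented-out lines are ignored.
    awk -v k="$KEY" '
        $1 == "CONFIG" && $2 == k { print "CONFIG " k " INT 0"; seen = 1; next }
        { print }
        END { if (!seen) print "CONFIG " k " INT 0" }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    # Succeed only if the file now reads back as 0.
    [ "$(current_via_value "$conf")" = "0" ]
}

# Dry run on a constructed sample file (not a real IWSVA config).
demo=$(mktemp -d)
printf '%s\n' \
    'CONFIG proxy.config.http.cache.http INT 1' \
    'CONFIG proxy.config.http.insert_request_via_str INT 1' \
    > "$demo/records.config"
disable_request_via "$demo/records.config" &&
    echo "insert_request_via_str is now: $(current_via_value "$demo/records.config")"
```

Clearing the content cache from the web console is still required after the edit.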