Internal Error: Missing Template ERR_CONNECT_FAIL

DCBOE-Admin
Just browsing

Internal Error: Missing Template ERR_CONNECT_FAIL

This morning I received a call from an admin notifying me that our Outlook client was not connecting to our email host.  Also, we could not access email web portal of email.domainname/owa.  The browser was coming back with internal error: Missing template err_connect_fail.  We had tried everything including tracert, ping, capturing packets and such.  The strange thing was that some could connect out of 35.

 

So, I google it and found this link.

 

The strange think is from an external source everything worked outside of our network.  So, I disabled the setting under the content filtering section as instructed by the link above and waited 5-10 minutes once MX84 rebooted and all was working fine.  Has anyone else received this error?  I want to rule this out to make sure this is what caused it. 

 

Thanks,

 

DCBOE-Admin

9 REPLIES 9
AlexP
Meraki Employee
Meraki Employee

This is a known issue on MX 12.24 with web search filtering - it's fixed in any current MX 13.X build

AlexP,

 

Thank you. I'll look and see what our current build is and schedule the firmware upgrade. 

 

Thanks...

JC1
Conversationalist

I had the Unauthorized error on MX 12.24 and after upgrading to MX 13.23, I ended up with this "INTERNAL ERROR: Missing Template ERR_CONNECT_FAIL" error message. Removing all content filtering and reboot does not fix the issue. Not sure what else can be done. Traffic from outside of the network managed to get to the destination, but traffic from behind the MX100 receives this error. Obvious it is something to do with the setup of the MX100. Anyone has other suggestions?

ccnewmeraki
Getting noticed

There seem to be a number of different issues that cause "INTERNAL ERROR: Missing Template ERR_CONNECT_FAIL"" to be displayed, as noticed, it's generated by the the MX when you have "web caching" turned on.

The meraki "web caching" feature is just a squid transparent proxy server, the actual error just means that squid can't find the template error file to display (Meraki should have configured a branded HTML file to display for each situation), but ERR_CONNECT_FAIL is just the equivalent of "Page cannot be displayed" in a web browser.

In some situations, this error is just replacing a browser "Page cannot be displayed" error!

Check the URL actually works on a device or mobile that is not on your LAN before blaming the meraki! Sometimes our IT guys jump too quick to assume something is wrong because they know this error is generated by meraki and as they have a user complaining at them, they forget to check the obvious!

We also found externally hosted IIS sites where we are using NTLM authentication, the MX is breaking the authentication process. We haven't managed to get this resolved. At some point i'll call meraki support and get them to do a packet capture and look into it. As a workaround you can change the sites to use "basic authentication" in IIS, or just enable SSL which the MX can't intercept.

Also worth noting that in newer releases (MX 13.x and 14.x), the use of squid is largely gone; it's only for HTTP Content Caching at this point. Reason being is that for things like web search filtering, almost everyone only supports searches over SSL now, and thus we cannot rely on the old method of rewriting searches to include safe-search parameters in them.

JC1
Conversationalist

Thank you everyone for the help. We figured out once the HTTP Content Caching is disabled, it worked. Since we have fibre connection, HTTP Content Caching is somewhat unnecessary.

 

We had the exact problem and your suggestion solved the issue.

Are there any plans to implement SSL proxying? A number of features the MX advertises are virtually useless without that these days. Especially "URL logging", which can't even see the URLs of most websites, and is only going to become more useless as more and more sites move to SSL.

On competing products Websense you have to deploy a SSL certificate via group policy so that the browser trusts their appliance. Meraki could make SSL proxying incredibly deploy, by setting up the certificate through the Systems Manager agent.

Sara_Oseas
Conversationalist

Is this document refer to this issue?

 

Regards

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels