Guide
TrainingSupportCommunity

Review test results

Suggest Edits

After a CIDR test is complete, check the results to verify which CIDR ranges have issues connecting to your origin. All successful attempts on the Results tab indicate that your origin firewall uses correct ACL entries.

  1. Go to > WEB & DATA CENTER SECURITY > Security Configurations > Site Shield.

  2. Click the name of your map.

  3. Next to the Current addresses or Proposed addresses header, click the context menu , and click CIDR Testing.

  4. On the Site Shield origin ACL Test page, click the Results tab.

  5. Click next to a test run date to expand the results section.

On the Results tab, you can view the number of origins under the test profile and the number of CIDRs tested against. The CIDRs test can result in:
Successes – when your origin and Site Shield addresses can communicate without any problems.
– Complete failures – when the origin and Site Shield servers cannot connect.
Partial failures – most commonly caused by adding wrong CIDR entries in the origin firewall ACLs, for example, 104.109.250.0/24 instead of 104.109.250.0/23.
No active servers – No Akamai servers are currently available for this CIDR.

  1. To check further details, click next to an origin name to expand the section.

If you get any other results than Successes, see the following section:

– No active servers can appear either when your Site Shield map is out of date or an Akamai region is undergoing maintenance.
If the same CIDR blocks regularly return a status of No active servers across multiple tests, and you have one or more pending Site Shield map updates, you should first complete the process of updating your firewalls and acknowledging the pending CIDR changes. In subsequent test runs, you will see this message return to normal. See Firewall updates and address change acknowledgment.

If your map is up to date, you don’t need to perform any actions. As this result may also appear if a specific CIDR/IP address range is under maintenance or is currently unavailable to serve the request, you can try rerunning the test later.

Complete failures can appear because of:
– Issues with your origin server
To fix it, ensure that the test criteria you configured match the origin. For example, when your test profile accepts only 2XX status codes as a success, and your origin generates 3XX responses, update the test profile to include 3XX response codes.
– A mismatch between Site Shield map addresses and your origins’ firewall ACLs.
To fix it, compare the address lists and update the ACLs as needed.

Partial failures may indicate that some of your origin firewall ACL entries don’t match the actual Site Shield map CIDR ranges.
To fix it, compare the address lists and update the ACLs as needed.

📘

CIDR test selects only a few IP addresses within a CIDR range to initiate the connection test to the origin.

Tip: You can download the test results in the CSV file, and it may be easier to analyze them with sorting and filtering. Look for repeated patterns.
For example, if there is an origin server that is failing in all the tests, check the firewall setup of this specific origin as it’s probably out-of-date.
In another scenario, if you see one CIDR failing to communicate with all of your origin servers, it’s possible that its particular address is missing from all the origin ACLs and you need to update all of them.

Updated over 1 year ago