Under stress condition, some end users may experience https connection rejected when requesting web pages through SWG in proxy mode.

When ICAP connection to DLP server is unstable, DLP server seems to send a lot of TCP RST packets back on the socket that was already closed. The ssl proxy component of SWG receives these TCP RST packets as socket errors and sets the socket state to ERROR state. In this situation, the ssl proxy of SWG is setting the socket for the ICAP server session into ERROR state and SWG has a protection with ICAP server sessions during delete cycle. SWG does not delete ICAP server sessions if the state is not SESSION_CLOSE. This causes all ICAP server sessions to be in hold state, although they are reused the counters are not freed up, causing it to reach the maximum session.

SWG looks for SESSION_ERROR state while cleaning up ICAP server sessions beginning in SWG 5.2.2. Please schedule a maintenance cycle to upgrade to SWG 5.2.2 as soon as possible. If you are not able to upgrade immediately, please open a Remote Assistance case and contact Support. Support can confirm the issue and apply a hotfix.

To examine the cause of the original instability of the connection between the DLP server and SWG, please contact support for the DLP server.

Applies To

SWG 5.2.0 or 5.2.1 in PROXY or INLINE+PROXY mode.