Session counter exhaustion due to bad ICAP server

Article ID: 161403

Products

Web Gateway

Issue/Introduction

Under stress conditions, some end users may have HTTPS connections rejected when requesting web pages through SWG in proxy mode.

Cause

When the ICAP connection to the DLP server is unstable, the DLP server seems to send a lot of TCP RST packets back on sockets that were already closed. The SSL proxy component of SWG receives these TCP RST packets as socket errors and sets the socket for the ICAP server session to the ERROR state. SWG has a protection for ICAP server sessions during the delete cycle: it does not delete an ICAP server session if its state is not SESSION_CLOSE. This causes all ICAP server sessions to remain in a hold state. Although the sessions are reused, their counters are not freed, so the session count reaches the maximum.

Resolution

Beginning in SWG 5.2.2, SWG looks for the SESSION_ERROR state while cleaning up ICAP server sessions. Please schedule a maintenance cycle to upgrade to SWG 5.2.2 as soon as possible. If you are not able to upgrade immediately, please open a Remote Assistance case and contact Support. Support can confirm the issue and apply a hotfix.

To examine the cause of the original instability of the connection between the DLP server and SWG, please contact support for the DLP server.
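
The leak described under Cause and the cleanup change described under Resolution can be reproduced with a small model. This is an added illustration, not SWG code: the class and function names, the ACTIVE state, the cap of 50 sessions, and the one-in-two RST rate are all assumptions made for the example.

```python
from enum import Enum, auto

class State(Enum):
    ACTIVE = auto()          # assumed name for an in-use session
    SESSION_CLOSE = auto()
    SESSION_ERROR = auto()

class IcapSessionTable:
    """Toy model of a capped ICAP server session table (hypothetical names)."""
    def __init__(self, max_sessions, reap_error_state):
        self.max_sessions = max_sessions
        self.reap_error_state = reap_error_state  # True models the fixed cleanup
        self.sessions = {}                        # session id -> State
        self.count = 0                            # the session counter
        self.next_id = 0

    def open(self):
        """Return a new session id, or None when the counter is at the maximum."""
        if self.count >= self.max_sessions:
            return None
        sid, self.next_id = self.next_id, self.next_id + 1
        self.sessions[sid] = State.ACTIVE
        self.count += 1
        return sid

    def finish(self, sid, got_rst):
        # A TCP RST is seen as a socket error: SESSION_ERROR, not SESSION_CLOSE.
        self.sessions[sid] = State.SESSION_ERROR if got_rst else State.SESSION_CLOSE

    def delete_cycle(self):
        # Only sessions in a reapable state are deleted and free a counter slot.
        reapable = {State.SESSION_CLOSE}
        if self.reap_error_state:
            reapable.add(State.SESSION_ERROR)
        for sid in [s for s, st in self.sessions.items() if st in reapable]:
            del self.sessions[sid]
            self.count -= 1

def simulate(reap_error_state, requests=200, max_sessions=50, rst_every=2):
    """Return the number of requests rejected because the table was full."""
    table = IcapSessionTable(max_sessions, reap_error_state)
    rejected = 0
    for i in range(requests):
        sid = table.open()
        if sid is None:
            rejected += 1
        else:
            table.finish(sid, got_rst=(i % rst_every == 0))
        table.delete_cycle()
    return rejected
```

With the defaults, `simulate(False)` rejects 101 of 200 requests once the errored sessions fill the table, while `simulate(True)` rejects none.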


Applies To

SWG 5.2.0 or 5.2.1 in PROXY or INLINE+PROXY mode.