High client worker due to Google Talk SSL tunnels

Article ID: 165787


Products

ProxySG Software - SGOS

Issue/Introduction

We found that when the proxy configuration uses tcp-tunnel for Google Talk connections, the ProxySG appliance encounters a high client worker issue, reaching the maximum capacity of the appliance. For example, with a service configured like this:

edit "GoogleTalk" ;mode
add all 10.1.0.0/16 443 intercept
add all 172.16.0.0/16 443 intercept
add all 200.80.0.0/16 443 intercept
add all 70.10.0.0/16 443 intercept
attribute use-adn disable
attribute adn-optimize disable
exit 

Another way to identify this issue is to examine the TCP connections table at https://<proxy-ip>:8082/TCP/Connections and check whether the top connections (tunnels) are in Google Talk IP ranges. For example:

    283      72.14.203.104:443
    264      72.14.203.147:443
    263      74.125.71.139:443
    243      72.14.203.99:443
    241      74.125.71.100:443
    238      72.14.203.106:443
    225      74.125.71.113:443
    224      72.14.203.103:443
    219      74.125.71.138:443
    211      74.125.71.19:443
    209      72.14.203.105:443
    207      74.125.71.132:443
    205      74.125.71.101:443
    202      74.125.71.83:443
    201      74.125.71.102:443
    197      74.125.71.18:443
    164      74.125.71.120:443
    163      74.125.71.17:443
    136      72.14.203.102:443
    127      72.14.203.101:443
    121      72.14.203.139:443
    119      72.14.203.100:443
    107      72.14.203.113:443
    100      72.14.203.120:443
     95      72.14.203.138:443
     91      72.14.203.132:443
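
The check described above can be scripted. The following is an added example, not Broadcom code: it parses a summary in the "count  destination:port" layout shown above and reports what share of connections go to a set of suspect ranges. It assumes the first column is the number of connections per destination; the two /24 prefixes are assumptions chosen only to cover the sample addresses, and the last two sample rows are constructed.

```python
import ipaddress
import re

# Sample input: first three rows are from the list above, last two are constructed.
SAMPLE = """\
    283      72.14.203.104:443
    264      72.14.203.147:443
    263      74.125.71.139:443
     40      10.1.20.15:443
     12      192.0.2.10:8080
"""

# Assumption: prefixes that cover the sample addresses on this page. Replace them
# with ranges you have verified for the service you are investigating.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("72.14.203.0/24", "74.125.71.0/24")]

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")

def parse_summary(text):
    """Return [(count, ip, port)] sorted by count; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:  # e.g. an octet above 255
            continue
        rows.append((int(m.group(1)), ip, int(m.group(3))))
    return sorted(rows, key=lambda r: r[0], reverse=True)

def tunnel_share(rows, nets, port=443):
    """Return (matching, total, fraction) of connections to `nets` on `port`."""
    total = sum(count for count, _, _ in rows)
    matching = sum(count for count, ip, p in rows
                   if p == port and any(ip in net for net in nets))
    return matching, total, (matching / total if total else 0.0)

if __name__ == "__main__":
    rows = parse_summary(SAMPLE)
    hit, total, frac = tunnel_share(rows, SUSPECT_NETS)
    print(f"{hit}/{total} connections ({frac:.0%}) go to the listed ranges on port 443")
    for count, ip, port in rows[:3]:
        print(f"{count:6d}  {ip}:{port}")
```

A high share concentrated on a few destinations on port 443 matches the pattern this article describes.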
 

 

Resolution

To resolve the issue:

For SGOS 6.7.x or for SGOS 7.3.6.1 and earlier:

Reduce the tcp-keepalive-timeout value from 7200 to 120 seconds:

#(config) tcp-ip tcp-keepalive-timeout 120

For SGOS 7.3.7.1 and later:

#(config) tcp-ip tcp-keepalive-idle 120

This helps the ProxySG detect the status of a tunnel that the server may have already closed, so that the ProxySG can close it as well.