How do I ensure that the Proxy uses my forwarding host for cache refreshing and pipelining?
Article ID: 166082

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

When refreshing cache or pre-fetching requests for users (pipelining), the ProxySG fails to make use of a forward host configuration if certain triggers are in use in policy, for example proxy.port, client.address and service.name. As long as there are no triggers which would apply only to requests with a client (such as client.address), forwarding rules should apply equally to both regular and clientless (refresh/pipeline) requests. In a proxy chain deployment, this can lead to these clientless connections being sent to the default gateway rather than the upstream forward host. This causes these clientless connections to fail, as the upstream parent proxy is required to reach the Internet.

In a packet capture taken while this issue occurs, you will see many packets sourced from the ProxySG IP address in syn_sent state, but with no reply.

Policy tracing will only show this issue when used in a <cache> layer (or web content layer in visual policy) as it's related to requests generated by the Proxy's cache engine.


 

Resolution


To ensure that the ProxySG uses the upstream parent proxy to reach the Internet for these clientless connections, there are several options available.

1) Create a default sequence in the forwarding section of the Management Console.

• In the Configuration tab, go to Forwarding > Default Sequence.
• Find your preferred forward host in the list on the left and move it to the Selected Aliases list on the right.
• Click Apply.




2) Use policy to forward clientless connections to the appropriate Forwarding host.

Add the below rule to the local or central policy files, or in a CPL layer in the Visual Policy Manager:

<Forward>
       has_client=no forward.fail_open(no) forward(upstream)

*Replace (upstream) with the name of the forward host.


3) Redesign your forwarding policy and remove source triggers like proxy.port, client.address, service.name.
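
To check an exported policy for the condition behind options 2 and 3, the following added example (not part of the original article and not vendor code) scans CPL text for forwarding rules tied to the source triggers named above and reports whether any forwarding rule still covers clientless requests. The parsing is simplified (one rule per line, layer guards ignored), the sample policy is constructed, and a default sequence set in the Management Console (option 1) lives outside policy and is not visible to this check.

```python
import re

# Source triggers the article names as not applying to clientless requests.
CLIENT_TRIGGERS = ("proxy.port", "client.address", "service.name")

# Constructed sample policy; "upstream" is a placeholder forward host alias.
SAMPLE_BEFORE = """\
; constructed sample
<Forward>
    proxy.port=8080 forward(upstream)
    client.address=10.0.0.0/8 forward(upstream)
"""
SAMPLE_AFTER = SAMPLE_BEFORE + """\
<Forward>
    has_client=no forward.fail_open(no) forward(upstream)
"""

def forward_rules(cpl_text):
    """Yield (line_no, rule) for rules inside <Forward> layers.
    Assumption: one rule per line, ';' starts a comment, no line continuations."""
    in_forward = False
    for no, raw in enumerate(cpl_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if line.startswith("<"):
            in_forward = line.lower().startswith("<forward")
        elif line and in_forward:
            yield no, line

def audit(cpl_text):
    """Return (gated, covered): forwarding rules tied to a client-only trigger,
    and whether some forwarding rule still matches every clientless request."""
    gated, covered = [], False
    for no, rule in forward_rules(cpl_text):
        tokens = rule.split()
        # Skip rules that do not forward; forward(no) disables forwarding.
        if not any(re.match(r"forward\((?!no\))", t) for t in tokens):
            continue
        conds = dict(t.lower().split("=", 1) for t in tokens if "=" in t)
        hits = [t for t in CLIENT_TRIGGERS if t in conds]
        if hits:
            gated.append((no, hits))
        elif not conds or conds == {"has_client": "no"}:
            covered = True
    return gated, covered

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        gated, covered = audit(text)
        print(name, "client-gated rules:", gated, "clientless covered:", covered)
```

A policy that returns client-gated rules with `covered` false is one where refresh and pipeline requests have no forwarding rule to match.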