When a client (workstation or load balancer) reuses a source port within the default 2MSL value (default is 2 minutes), the proxy will reject the connection.
SG follows RFC 1122 when handling a connection from a reused source port. Section 4.2.2.13 of the RFC says:
When a connection is closed actively, it MUST linger in
TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
However, it MAY accept a new SYN from the remote TCP to
reopen the connection directly from TIME-WAIT state, if it:
(1) assigns its initial sequence number for the new
connection to be larger than the largest sequence
number it used on the previous connection incarnation,
(2) returns to TIME-WAIT state if the SYN turns out to be
an old duplicate.
SG will drop the connection if it does not meet condition (1). To reduce the chance of a connection being dropped, the TCP 2MSL value in SG can be reduced. The default TCP 2MSL value is 120 seconds. The current value can be viewed in the TCP-IP settings output:
RFC-1323 support: enabled
TCP Newreno support: disabled
IP forwarding: disabled
ICMP bcast echo response: disabled
ICMP timestamp echo response: disabled
Path MTU Discovery: disabled
TCP 2MSL timeout: 120 seconds
TCP window size: 65535 bytes
TCP Loss Recovery Mode: normal
Bypass connection keep-alive: disabled
Fast retransmit: enabled
The TCP 2MSL value can be changed with this command:
#(config)tcp-ip tcp-2msl ?
#(config)tcp-ip tcp-2msl 30
The above sets the TCP 2MSL value to 30 seconds. This means a connection will always be accepted once the previous incarnation has been closed for more than 30 seconds, regardless of its initial sequence number. If a client reuses the source port within 30 seconds, the connection can still be dropped if it does not meet condition (1) above.
Setting this value below 10 seconds is not recommended: if two connections from the same client have the same source and destination ports, an unstable condition (a TCP ACK storm) can occur.
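The following is an added example, not SG's own code, that models the accept/drop decision described above for a SYN that reuses a source port still in TIME-WAIT. It compares the new SYN's initial sequence number against the previous incarnation's largest sequence number in TCP's 32-bit modular sequence space (so a wrapped ISN still counts as "larger"), applies the configured 2MSL expiry, and counts how many constructed reuse events are dropped at the default 120 seconds versus 30 seconds. Condition (2) of the RFC (handling of old duplicate SYNs) is not modelled, and the sample sequence numbers and timings are constructed.

```python
from dataclasses import dataclass
from typing import Tuple

SEQ_MASK = 0xFFFFFFFF

def seq_gt(a: int, b: int) -> bool:
    """True if sequence number a is larger than b in TCP's 32-bit modular
    sequence space (RFC 793-style comparison), so an ISN that has wrapped
    past 2^32 still compares correctly against the previous incarnation."""
    diff = (a - b) & SEQ_MASK
    return diff != 0 and diff < 0x80000000

@dataclass
class TimeWaitEntry:
    """What the proxy remembers about the previous incarnation of the 4-tuple."""
    last_seq: int     # largest sequence number used by the previous connection
    closed_at: float  # time (seconds) at which the proxy actively closed it

def syn_decision(entry: TimeWaitEntry, syn_isn: int, now: float,
                 tcp_2msl: int = 120) -> Tuple[str, str]:
    """Decide what happens to a SYN that reuses a source port in TIME-WAIT.
    Models RFC 1122 condition (1) plus the 2MSL timer; not SG's real code."""
    if now - entry.closed_at >= tcp_2msl:
        return ("accept", "TIME-WAIT already expired")
    if seq_gt(syn_isn, entry.last_seq):
        return ("accept", "ISN larger than previous incarnation (condition 1)")
    return ("drop", "ISN not larger than previous incarnation (condition 1 fails)")

# Constructed sample: (seconds since the previous close, ISN of the new SYN),
# all against a previous incarnation whose last sequence number was 4,000,000,000.
PREVIOUS = TimeWaitEntry(last_seq=4_000_000_000, closed_at=0.0)
REUSED_PORT_SYNS = [
    (5.0,   4_000_100_000),  # quick reuse, higher ISN: accepted either way
    (5.0,     123_456_789),  # quick reuse, ISN wrapped past 2^32: still larger, accepted
    (20.0,  3_999_000_000),  # quick reuse, lower ISN: dropped under either setting
    (45.0,  3_999_000_000),  # same low ISN after 45 s: accepted only with 2MSL=30
    (130.0,     1_000_000),  # after 130 s: past even the 120 s default, accepted
]

def count_drops(tcp_2msl: int) -> int:
    """Number of constructed reuse events SG would drop at this 2MSL setting."""
    return sum(1 for t, isn in REUSED_PORT_SYNS
               if syn_decision(PREVIOUS, isn, t, tcp_2msl)[0] == "drop")

if __name__ == "__main__":
    for setting in (120, 30):
        print(f"tcp-2msl {setting}: {count_drops(setting)} of {len(REUSED_PORT_SYNS)} dropped")
```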