SG sends HTTP requests to the old IP address of a forwarding host even though the SG has received a new IP address for that forwarding host from the DNS server


Article ID: 166910


Products

ProxySG Software - SGOS

Issue/Introduction

Here is the syntax for a forwarding host:

 

fwd_host <alias> <host-name> [http[=<port>]] [https[=<port>]][ftp[=<port>]] [mms[=<port>]] [rtsp[=<port>]] [tcp=<port>][telnet[=<port>]] [ssl-verify-server=[yes|no]] [server|proxy]

 <host_name> The name of the host domain, such as www.bluecoat.com, or its IP address

 

So suppose you configure the forwarding host with a host domain name rather than an IP address, like the following:

  fwd_host test_com wwww.test.com http=80 ssl-verify-server=no server

 

Here is a sample packet capture trace:

 

No. Time    Source           Destination      S.Port D.Port Protocol Info
 1   3.30    [SG-IP address]  [DNS Server IP]  50533  53     DNS      Standard query A wwww.test.com
 2   3.30    [DNS Server IP]  [SG-IP address]  53     50533  DNS      Standard query response A AA.AAAA.AAA.AA1 A AA.AAAA.AAA.AA2
        Domain Name System (response)
          Answers  wwww.test.com: type A, class IN, addr AA.AAAA.AAA.AA1, Time to live: "1 hour"
                   wwww.test.com: type A, class IN, addr AA.AAAA.AAA.AA2, Time to live: "1 hour"
 3   29.67   [Client IP Add]  [SG-IP address]  1426   8080   HTTP     GET http://wwww.test.com/health-check.test HTTP/1.0
 4   29.87   [SG-IP address]  AA.AAAA.AAA.AA2  57279  80     HTTP     GET /health-check.test HTTP/1.1
 5   178.43  [SG-IP address]  [DNS Server IP]  54052  53     DNS      Standard query A wwww.test.com
 6   178.43  [DNS Server IP]  [SG-IP address]  53     54052  DNS      Standard query response A BB.BBB.BBB.BBB1 A BB.BBB.BBB.BB2
 7   195.26  [Client IP Add]  [SG-IP address]  1455   8080   HTTP     GET http://wwww.test.com/health-check.test HTTP/1.0
 8   195.45  [SG-IP address]  AA.AAAA.AAA.AA2  56693  80     HTTP     GET /health-check.test HTTP/1.1

 

The DNS server replies with the addresses AA.AAAA.AAA.AA1 and AA.AAAA.AAA.AA2 for wwww.test.com, and the SG then accesses the OCS (origin content server) via AA.AAAA.AAA.AA2.

150 seconds later (Frames 5 and 6), the SG receives new IP addresses for wwww.test.com, but it still sends the request to the old IP address (Frames 7 and 8).

 

When the DNS server returns a result with a high TTL ("1 hour" in Frame 2), the SG correctly assumes that it can cache that result for the duration of the TTL.

Although the SG does issue another query for the name (Frames 5 and 6 in the sample above), this does not appear to update the stored values that the health checks use, because the first result is still within its TTL.

In this case, clearing the DNS cache or rebooting the SG does not help.

Resolution

Overriding the maximum TTL value on the proxy for health checks will make the health checks query the DNS server more frequently.

You can change this value in either of two ways:

 - Blue Coat SG Management Console > Configuration > Health Checks > Background DNS.

      Check "Maximum time to live for DNS results" and fill in a value in seconds.

 - CLI: (config)#background-dns-updates maximum-ttl <seconds>
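To see why the override works, here is an added Python model (not SGOS code) of the caching rule the article describes, replayed against the frame timings above: a cached answer is honoured until its effective TTL (the DNS TTL clamped by the maximum-time-to-live setting) expires, and a later answer is ignored before then. The class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class CacheEntry:
    addrs: List[str]
    resolved_at: float     # seconds, capture-relative time
    effective_ttl: float   # answer TTL after the maximum-TTL override is applied

    def expired(self, now: float) -> bool:
        return now >= self.resolved_at + self.effective_ttl

class HealthCheckDnsCache:
    # Toy model: a stored answer is kept until its effective TTL runs out,
    # and a newer answer does not replace it before then.
    def __init__(self, max_ttl: Optional[float] = None) -> None:
        self.max_ttl = max_ttl  # None = no override (the default the article describes)
        self.entries: Dict[str, CacheEntry] = {}

    def on_dns_response(self, now: float, name: str, addrs: List[str], ttl: float) -> bool:
        ttl_eff = ttl if self.max_ttl is None else min(ttl, self.max_ttl)
        current = self.entries.get(name)
        if current is None or current.expired(now):
            self.entries[name] = CacheEntry(list(addrs), now, ttl_eff)
            return True  # answer installed
        return False     # ignored: the previous answer is still within its TTL

    def address_for(self, now: float, name: str) -> Optional[str]:
        current = self.entries.get(name)
        if current is None or current.expired(now):
            return None
        return current.addrs[-1]  # the sample trace used the second A record

# Constructed from the frames in the trace above (times in seconds, TTL "1 hour")
DNS_RESPONSES = [(3.30, ["AA.AAAA.AAA.AA1", "AA.AAAA.AAA.AA2"], 3600),
                 (178.43, ["BB.BBB.BBB.BBB1", "BB.BBB.BBB.BB2"], 3600)]
HEALTH_CHECKS = [29.67, 195.26]  # frames 3 and 7

def replay(max_ttl: Optional[float]) -> List[Optional[str]]:
    """Return the upstream address each health check would be sent to."""
    cache = HealthCheckDnsCache(max_ttl)
    events = [(t, "dns", a, ttl) for t, a, ttl in DNS_RESPONSES]
    events += [(t, "hc", None, None) for t in HEALTH_CHECKS]
    used: List[Optional[str]] = []
    for t, kind, addrs, ttl in sorted(events, key=lambda e: e[0]):
        if kind == "dns":
            cache.on_dns_response(t, "wwww.test.com", addrs, ttl)
        else:
            used.append(cache.address_for(t, "wwww.test.com"))
    return used  # replay(None) -> both AA...AA2; replay(150) -> second check BB...BB2
```

With no override both checks go to AA.AAAA.AAA.AA2 as in Frames 4 and 8; with a 150-second cap the first answer has expired by the time Frame 6 arrives, so the second check follows the new address.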

 

Related info: KB3906