SG sends HTTP requests to the old IP address of a forwarding host even though the SG has received the new IP address for that forwarding host from the DNS server


Article ID: 166910




ProxySG Software - SGOS


Here is the syntax for a forwarding host:


fwd_host <alias> <host-name> [http[=<port>]] [https[=<port>]] [ftp[=<port>]] [mms[=<port>]] [rtsp[=<port>]] [tcp=<port>] [telnet[=<port>]] [ssl-verify-server=[yes|no]] [server|proxy]

 <host-name>  The domain name of the host, or its IP address


So suppose you configure the forwarding host by its domain name rather than its IP address, as follows:

  fwd_host test_com http=80 ssl-verify-server=no server


Here is a sample packet capture trace:


No. Time    Source           Destination      S.Port D.Port Protocol Info
 1   3.30    [SG-IP address]  [DNS Server IP]  50533  53     DNS      Standard query A
 2   3.30    [DNS Server IP]  [SG-IP address]  53     50533  DNS      Standard query response A AA.AAAA.AAA.AA1 A AA.AAAA.AAA.AA2
        Domain Name System (response)
          Answers: type A, class IN, addr AA.AAAA.AAA.AA1, Time to live: "1 hour"
                   type A, class IN, addr AA.AAAA.AAA.AA2, Time to live: "1 hour"
 3   29.67   [Client IP Add]  [SG-IP address]  1426   8080   HTTP     GET HTTP/1.0
 4   29.87   [SG-IP address]  AA.AAAA.AAA.AA2  57279  80     HTTP     GET /health-check.test HTTP/1.1
 5   178.43  [SG-IP address]  [DNS Server IP]  54052  53     DNS      Standard query A
 6   178.43  [DNS Server IP]  [SG-IP address]  53     54052  DNS      Standard query response A BB.BBB.BBB.BBB1 A BB.BBB.BBB.BB2
 7   195.26  [Client IP Add]  [SG-IP address]  1455   8080   HTTP     GET HTTP/1.0
 8   195.45  [SG-IP address]  AA.AAAA.AAA.AA2  56693  80     HTTP     GET /health-check.test HTTP/1.1


The DNS server replies with the addresses AA.AAAA.AAA.AA1 and AA.AAAA.AAA.AA2 for the forwarding host (Frame#2). The SG then sends its request to the forwarding host at AA.AAAA.AAA.AA2 (Frame#4).

150 seconds later (Frame#5, 6), the SG receives new IP addresses (BB.BBB.BBB.BBB1 and BB.BBB.BBB.BB2) for the forwarding host, but it still sends the next request to the old address AA.AAAA.AAA.AA2 (Frame#7, 8).
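A quick way to confirm this symptom from a capture is to walk the frames in order and flag any upstream HTTP request whose destination was returned by an earlier DNS answer but is absent from the most recent one. The following check is an added example written for this article, not SGOS code or a Blue Coat tool; it assumes a constructed tab-separated export (frame number, relative time, source, destination, protocol, info) and reuses the article's placeholder addresses and simplified host tokens.

```python
import re
from typing import List, Set

# Constructed trace modelled on the capture in the article, in a tab-separated
# layout: frame no., relative time, src, dst, protocol, info summary.
# "SG-IP", "DNS-IP" and "CLIENT-IP" stand in for the real addresses.
TRACE = """\
1\t3.30\tSG-IP\tDNS-IP\tDNS\tStandard query A
2\t3.30\tDNS-IP\tSG-IP\tDNS\tStandard query response A AA.AAAA.AAA.AA1 A AA.AAAA.AAA.AA2
3\t29.67\tCLIENT-IP\tSG-IP\tHTTP\tGET HTTP/1.0
4\t29.87\tSG-IP\tAA.AAAA.AAA.AA2\tHTTP\tGET /health-check.test HTTP/1.1
5\t178.43\tSG-IP\tDNS-IP\tDNS\tStandard query A
6\t178.43\tDNS-IP\tSG-IP\tDNS\tStandard query response A BB.BBB.BBB.BBB1 A BB.BBB.BBB.BB2
7\t195.26\tCLIENT-IP\tSG-IP\tHTTP\tGET HTTP/1.0
8\t195.45\tSG-IP\tAA.AAAA.AAA.AA2\tHTTP\tGET /health-check.test HTTP/1.1
"""

SG_IP = "SG-IP"                      # the proxy's own token in this constructed trace
ANSWER_RE = re.compile(r"\bA (\S+)")  # each "A <addr>" pair in a DNS response summary


def find_stale_destinations(trace: str, proxy_ip: str = SG_IP) -> List[dict]:
    """Return the proxy's upstream HTTP frames whose destination address appeared
    in an earlier DNS answer but is missing from the most recent DNS answer."""
    current: Set[str] = set()   # addresses in the latest DNS response seen so far
    seen: Set[str] = set()      # every address any DNS response has returned
    stale: List[dict] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        no, t, src, dst, proto, info = line.split("\t", 5)
        if proto == "DNS" and src != proxy_ip and "response" in info:
            current = set(ANSWER_RE.findall(info))   # newest answer replaces the old set
            seen |= current
        elif proto == "HTTP" and src == proxy_ip and dst not in current and dst in seen:
            stale.append({"frame": int(no), "time": float(t), "dst": dst,
                          "expected": sorted(current)})
    return stale


if __name__ == "__main__":
    for hit in find_stale_destinations(TRACE):
        print(f"frame {hit['frame']} at {hit['time']}s: sent to stale {hit['dst']}, "
              f"latest DNS answer was {hit['expected']}")
```

In the article's trace only Frame#8 is flagged: it goes to AA.AAAA.AAA.AA2 although the latest answer (Frame#6) no longer contains that address.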


When the DNS server returns a result with a high TTL ("1 hour" in Frame#2), the SG correctly assumes that it can cache that result for the duration of the TTL.

Although the SG does issue another query for the name (Frame#5, 6 in the sample above), this does not update the stored values that the health checks use, because the first result is still within its TTL.

In this case, clearing the DNS cache or rebooting the SG does not help.


Overriding the maximum TTL value on the proxy for health checks will make the health checks query the DNS server more frequently.

You can change this value in either of the following ways:

 - Blue Coat SG Management Console > Configuration > Health Checks > Background DNS.

      Check "Maximum time to live for DNS results" and fill in a value in seconds.

 - CLI: (config)#background-dns-updates maximum-ttl <seconds>


Related info: KB3906