Web Site Pages Load Slow when RFC1323 is Enabled on the ProxySG

Article ID: 166935

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Some web pages load slowly or a blank page loads when going through a ProxySG configured with RFC 1323 support enabled.
 

Resolution

Performance issues can occur when RFC 1323 is enabled on the ProxySG but not all devices on the network support this standard.  Because RFC 1323 is not universally supported (or may not be enabled), performance to some sites or URLs can actually suffer when RFC 1323 is enabled on the proxy but not on the remote side.  The end result can be slow performance or blank pages.
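Added example (not part of the original article or of the ProxySG software): a small Python check that reads the TCP headers of a captured SYN and SYN-ACK and reports whether the two RFC 1323 extensions were actually negotiated with a site. It goes beyond the article by naming the options RFC 1323 defines, window scale (kind 3) and timestamps (kind 8); the function names and the sample segments are constructed for illustration, and the raw headers are assumed to come from a packet capture taken between the proxy and the site.

```python
import struct

WSCALE, TSTAMP = 3, 8  # TCP option kinds defined by RFC 1323

def tcp_options(header: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP header."""
    if len(header) < 20 or not 20 <= (header[12] >> 4) * 4 <= len(header):
        raise ValueError("truncated or malformed TCP header")
    raw = header[20:(header[12] >> 4) * 4]   # bytes between fixed header and payload
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed option")
        length = raw[i + 1]
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def rfc1323_negotiated(syn: bytes, synack: bytes) -> dict:
    """Each extension is active only if BOTH handshake segments carry it."""
    a, b = tcp_options(syn), tcp_options(synack)
    return {
        "window_scale": WSCALE in a and WSCALE in b,
        "timestamps": TSTAMP in a and TSTAMP in b,
    }

def build_header(flags: int, options: bytes) -> bytes:
    """Constructed sample segment (ports and sequence numbers are arbitrary)."""
    options += b"\x00" * (-len(options) % 4)       # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                       offset << 4, flags, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
WS7 = b"\x01\x03\x03\x07"                           # NOP + window scale 7
TS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 0)
SYN = build_header(0x02, MSS + WS7 + TS)            # proxy offers both options
SYNACK_PLAIN = build_header(0x12, MSS)              # site offers neither
SYNACK_FULL = build_header(0x12, MSS + WS7 + TS)    # site offers both

if __name__ == "__main__":
    print("plain site:", rfc1323_negotiated(SYN, SYNACK_PLAIN))
    print("full site: ", rfc1323_negotiated(SYN, SYNACK_FULL))
```

A site whose SYN-ACK omits the options while the proxy's SYN carries them is a candidate for the workarounds below.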

WORKAROUNDS:

There are a couple of ways to work around the issue.  They are as follows:

Solution #1: 

If you are in a transparent deployment, you can bypass the site that is giving you problems.  When sites are bypassed, the high performance TCP extensions on the proxy are not used.  (NOTE:  If in an explicit environment, you cannot bypass the proxy using the static bypass list.  If using a PAC file, then make an exception in your PAC file if needed.)  Please do the following to bypass a site.

a.)  Determine the IP address or IP address range of the site that is giving the problem.
b.)  Go into the Management Console (https://<ip.address.of.proxysg>:8082/) on the ProxySG.  Click on the Configuration tab > Services > Proxy Services > Static Bypass List tab.
c.)  Click on the New button.  For Server address, click on the radio button next to "Server host or subnet" and enter the IP address and accompanying subnet.  Click on the OK button to save your changes.  Next, click on Apply.
d.)  Test and make sure bypassing the site resolves the issue.  If not, verify the IP addresses that are in your exception list.  If problems continue, try Solution #2 below.

Advantages of using solution #1:  This allows the proxy to use RFC 1323 for all sites except for those that are bypassed.

Disadvantages of using solution #1:  IP addresses may change over time.  New sites may show up that also need to be bypassed.  The bypassed sites will not be recorded in the access logs.  Policy will not be applied to bypassed sites.

 

Solution #2:

Try to disable RFC 1323 support globally on the ProxySG.  At this writing, it is not possible to disable RFC 1323 support on a per IP or URL basis, so when RFC 1323 is disabled, it is disabled globally on the ProxySG.  Here are the steps necessary to disable RFC 1323:

a.)  SSH or connect to the serial console of the proxy.
b.)  Run the following commands from the command line interface:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             enabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 disable
  ok
ProxySG#(config)exit
ProxySG#

c.)  Test and make sure the problem is resolved when RFC 1323 is disabled.  NOTE:  If disabling RFC 1323 does not help, then please re-enable it to receive the performance benefits from having it enabled.

Advantages of using solution #2:  It is quick and easy to implement.  It may prevent future compatibility issues with other sites that are incompatible with RFC 1323.

Disadvantages of using solution #2:  This is an all or nothing solution.  Any performance increases that can be obtained by using RFC 1323 with sites that support the TCP enhancement will not be available.

To re-enable RFC 1323 support, please do the following:

ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             disabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 enable
  ok
ProxySG#(config)exit
ProxySG#