User is unable to access a secure Website using SSL when going through a ProxySG.


Article ID: 167090


Updated On:


ProxySG Software - SGOS


In some cases, when a user accesses a Web server (OCS) using SSL via the proxy, the user is logged out of the server almost immediately after logging in. The message on screen reads "You have logged out from your session, log in again to continue."

The ability to access non-secure content (or HTTP access) is not hindered.

There are a couple of reasons that cause HTTPS access to fail:

1. The proxy has multiple (more than 1) default gateways (GW).

2. The proxy has multiple (more than 1) default gateways (GW). All the GWs are in the same group and have the same weight to allow for failover and load balancing. In such a case the proxy load balances using the round-robin method, and a request may go through any GW, so the source IP address of the request varies. While this behavior is acceptable for an HTTP request, for an HTTPS request the connection request fails. This happens because the OCS tracks the SSL session together with the source IP of the request. If the SSL session switches between multiple IP addresses, the OCS closes the connection or logs the user out to prevent a security breach.


This issue might occur on ProxySG appliances running SGOS version 5.x. To resolve this issue, you must upgrade to SGOS version 6.x (6.1 or above), which includes the new tcp_ip load balance feature.

Use the following CLI command on the ProxySG. This command instructs the routing algorithm to use the source IP, destination IP or both as a hash value on the outbound route.
#(config) tcp-ip routing-algorithm hashing [both | destination-address | source-address]

For example, you can set this option to use the source IP address when the ProxySG appliance needs to connect to a secure Web server and the Web server requires the source IP address to remain unchanged during the lifetime of the secure session. Similarly, you can enable this hash based routing option for other services that use cookies to maintain a "session" across multiple connections.
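The contrast between round-robin and hash-based gateway selection, as an added simulation that is not part of the original article and is not ProxySG code. It assumes two equal-weight gateways that each present a different source address to the OCS, and uses SHA-256 as a stand-in for the appliance's hash function, which the article does not describe; all names and addresses are constructed.

```python
import hashlib
import ipaddress
from itertools import cycle

# Constructed sample data: two equal-weight default gateways and the
# source address the OCS would see behind each (documentation ranges).
GATEWAYS = {"gw-a": "198.51.100.10", "gw-b": "203.0.113.10"}


def round_robin_picker(gateways):
    """Equal-weight round robin: each new connection takes the next gateway."""
    ring = cycle(sorted(gateways))
    return lambda src, dst: next(ring)


def hashing_picker(gateways, mode):
    # SHA-256 modulo gateway count is an assumption for this illustration;
    # the article does not describe the appliance's actual hash function.
    names = sorted(gateways)

    def pick(src, dst):
        parts = {"source-address": [src], "destination-address": [dst],
                 "both": [src, dst]}[mode]
        key = b"".join(ipaddress.ip_address(p).packed for p in parts)
        digest = hashlib.sha256(key).digest()
        return names[int.from_bytes(digest[:4], "big") % len(names)]

    return pick


def simulate_session(pick, src, dst, connections=6):
    """Return (egress_ips, logged_out) for an OCS that pins a session to the
    first source IP it saw and ends the session if a later one differs."""
    egress_ips = [GATEWAYS[pick(src, dst)] for _ in range(connections)]
    logged_out = any(ip != egress_ips[0] for ip in egress_ips)
    return egress_ips, logged_out


if __name__ == "__main__":
    client, ocs = "10.1.1.25", "192.0.2.80"  # constructed addresses
    pickers = {"weighted-round-robin": round_robin_picker(GATEWAYS)}
    for mode in ("source-address", "destination-address", "both"):
        pickers["hashing " + mode] = hashing_picker(GATEWAYS, mode)
    for name, pick in pickers.items():
        ips, out = simulate_session(pick, client, ocs)
        print(f"{name:30} logged_out={out} egress={sorted(set(ips))}")
```

With round robin the six connections of one session alternate between both egress addresses, which is the condition under which the OCS ends the session; every hashing mode keeps the same address for the whole session.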

The default setting for the tcp-ip routing-algorithm option is weighted-round-robin and is appropriate for all deployments (except where noted in the examples above):

#(config) tcp-ip routing-algorithm weighted-round-robin

For details on the TCP IP Load Balance feature refer to the online manual at: