Upstream Firewall dropping connections from the ProxySG/ASG


Article ID: 167093


Updated On:


Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS



- Users experience intermittent slowness when accessing websites.

- Packet captures show multiple TCP retransmissions from the ProxySG/ASG with no response from upstream until the proxy server switches to another source TCP port.

Root Cause:

The upstream firewall does not tolerate the persistent connections from the proxy server and silently drops their packets.


- To accommodate the firewall's behavior, adjust the persistent timeout according to the threshold at which the firewall starts dropping packets.

- To adjust the persistent timeout, connect via serial console, telnet or SSH and run the following CLI commands:

Enable Password:
ProxySG#conf t

Enter configuration commands, one per line.  End with CTRL-Z.

ProxySG#(config)http persistent-timeout server <seconds>
ProxySG#(config)http persistent-timeout client <seconds>

Default persistent connection timeouts:
  Server: 900 seconds
  Client: 360 seconds

The recommended persistent timeout value to overcome the problem above is 120 seconds. However, the right value still depends on the firewall's behavior.
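One way to estimate the firewall's drop threshold from a packet capture before choosing a value, added here as an example and not part of the original article. It assumes the firewall drops on connection idle time and that the capture has been reduced to data-bearing segments in the constructed tuple format shown; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample, not from a real capture: (time_s, proxy_source_port, direction).
# "out" = ProxySG/ASG -> upstream, "in" = upstream -> ProxySG/ASG.
# Pure ACKs are assumed to be filtered out beforehand.
SAMPLE = [
    (0.0, 50001, "out"), (0.5, 50001, "in"),
    (150.0, 50001, "out"), (150.5, 50001, "in"),      # reused after 149.5 s idle, answered
    (5.0, 50002, "out"), (5.5, 50002, "in"),
    (285.0, 50002, "out"), (285.5, 50002, "in"),      # reused after 279.5 s idle, answered
    (700.0, 50002, "out"), (701.0, 50002, "out"), (703.0, 50002, "out"),  # retransmits only
    (10.0, 50003, "out"), (10.5, 50003, "in"),
    (330.0, 50003, "out"), (331.0, 50003, "out"), (333.0, 50003, "out"),  # retransmits only
    (333.5, 50004, "out"), (334.0, 50004, "in"),      # new source port works again
]

def idle_bounds(packets):
    """Return (largest idle gap that was still answered, smallest idle gap that was not)."""
    flows = defaultdict(list)
    for t, port, direction in sorted(packets):
        flows[port].append((t, direction))
    survived, dropped = [], []
    for pkts in flows.values():
        last_in = max((t for t, d in pkts if d == "in"), default=None)
        for (prev_t, _), (t, d) in zip(pkts, pkts[1:]):
            if d != "out":
                continue
            gap = t - prev_t                      # idle time before the proxy reused the flow
            if last_in is not None and last_in > t:
                survived.append(gap)              # upstream replied afterwards
            else:
                dropped.append(gap)               # nothing came back on this source port
                break                             # later packets are retransmissions
    return max(survived, default=None), min(dropped, default=None)

def suggest_timeout(packets):
    """Whole seconds at or below the longest idle gap seen to survive, else None."""
    survived, dropped = idle_bounds(packets)
    if survived is None or dropped is None or survived >= dropped:
        return None                               # capture does not bracket a threshold
    return int(survived)

def cli_lines(seconds):
    """Format the two commands from the article with the chosen value."""
    return [f"http persistent-timeout server {seconds}",
            f"http persistent-timeout client {seconds}"]

if __name__ == "__main__":
    print(idle_bounds(SAMPLE), cli_lines(suggest_timeout(SAMPLE)))
```

A flow whose last segment falls at the very end of the capture is counted as unanswered, so trim the capture tail before relying on the lower bound.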