Upstream Firewall dropping connections from the ProxySG/ASG

Article ID: 167093

Updated On:

Products

- Advanced Secure Gateway Software - ASG
- ProxySG Software - SGOS

Issue/Introduction

Symptoms:

- Intermittent slowness when accessing websites

- In a packet capture, the ProxySG/ASG sends multiple TCP retransmissions but receives no response from upstream until the proxy server switches to another source TCP port

Root Cause:

The upstream firewall does not tolerate the persistent connection from the proxy server and silently drops its packets.

Resolution

- To accommodate the firewall's behavior, adjust the persistent timeout according to the threshold at which the firewall starts dropping packets.

- To adjust the persistent timeout, connect to the CLI over serial console, Telnet, or SSH and run the following commands:

ProxySG>
ProxySG>enable
Enable Password:
ProxySG#conf t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config) http persistent-timeout server <seconds>
ProxySG#(config) http persistent-timeout client <seconds>

Default persistent connection timeouts:
  Server: 900 seconds
  Client: 360 seconds

The recommended persistent timeout value to overcome the problem above is 120 seconds. However, the right value still depends on the firewall's behavior.
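
The following is an added example, not part of the original article: it brackets the firewall's threshold from a capture by finding reused connections whose last request was retransmitted without a reply, and comparing how long each had been idle. It assumes the threshold is an idle time, that the capture was exported to CSV rows in the layout shown, and that the addresses, sample rows and the `analyse` function name are constructed for illustration.

```python
import csv, io
from collections import defaultdict

# Constructed sample rows: time_s, src, sport, dst, dport, tcp_seq
# 10.0.0.5 (proxy) and 203.0.113.10 (origin server) are hypothetical addresses.
CAPTURE = """\
0.00,10.0.0.5,40001,203.0.113.10,80,1000
0.05,203.0.113.10,80,10.0.0.5,40001,5000
100.00,10.0.0.5,40001,203.0.113.10,80,1300
100.04,203.0.113.10,80,10.0.0.5,40001,6200
400.00,10.0.0.5,40001,203.0.113.10,80,1600
400.30,10.0.0.5,40001,203.0.113.10,80,1600
400.90,10.0.0.5,40001,203.0.113.10,80,1600
402.10,10.0.0.5,40001,203.0.113.10,80,1600
404.60,10.0.0.5,40002,203.0.113.10,80,9000
404.65,203.0.113.10,80,10.0.0.5,40002,7000
"""

def analyse(capture_text, proxy_ip, min_retx=2):
    """Return (stalls, longest_ok_idle).

    stalls: (flow, idle seconds before the request, retransmissions) for each
    reused connection whose last request was retransmitted and never answered.
    longest_ok_idle: longest idle gap after which the upstream still replied.
    """
    flows = defaultdict(list)
    for t, src, sport, dst, dport, seq in csv.reader(io.StringIO(capture_text)):
        outbound = src == proxy_ip
        key = (int(sport), dst, int(dport)) if outbound else (int(dport), src, int(sport))
        flows[key].append((float(t), outbound, int(seq)))
    stalls, longest_ok = [], 0.0
    for key, pkts in flows.items():
        last_seen, pending = None, None      # pending = [seq, idle, retransmissions]
        for t, outbound, seq in sorted(pkts):
            if outbound and pending and pending[0] == seq:
                pending[2] += 1              # same segment sent again
            elif outbound:                   # new request on this connection
                pending = [seq, None if last_seen is None else t - last_seen, 0]
            else:                            # upstream replied
                if pending and pending[1] is not None:
                    longest_ok = max(longest_ok, pending[1])
                pending = None
            last_seen = t
        if pending and pending[1] is not None and pending[2] >= min_retx:
            stalls.append((key, round(pending[1], 2), pending[2]))
    return stalls, round(longest_ok, 2)

if __name__ == "__main__":
    print(analyse(CAPTURE, "10.0.0.5"))
```

In the constructed sample the connection was still answered after about 100 seconds idle and stalled after about 300 seconds idle, so a server persistent timeout below the shortest stalled gap retires the connection before the firewall drops it.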