"Window Scaling" (RFC 1323) impacts on the ProxySG

Article Id: 167353
Status: Published
Updated On: 02-10-2019 02:22
Legacy Id: TECH243199
Products:
Advanced Secure Gateway Software - ASG , ProxySG Software - SGOS
Issue/Introduction:

What is "Window Scaling" (RFC-1323)?

The RWIN (TCP Receive Window) value in the initial TCP specifications was limited to 2^16 (or 65535, if you start with 0). With today's fast connections, this value has proven inadequate, however the 20-byte TCP header did not have spare room for larger numbers. RFC 1323 defines some "TCP Options" to overcome limitations to the original specs. Those TCP Options are in addition to the 20-byte TCP header.

One of the most notable TCP Options is window scaling. It introduces a scale factor, by which the original RWIN value should be multiplied, in order to get the full receive window.
 
For example, to achieve 256960 RWIN value, TCP headers actually contain 64240 and scale factor of 4 (64240*4=256960). Any nodes that do not understand TCP Options (as defined in RFC 1323) would ignore them, and simply use the un-scaled RWIN value.
 
 
 

Resolution:

SGOS behaviour and compatibility
In all versions of SGOS 5.x higher than or equal to 5.4.5.1 and 5.5.4.1, and in all versions of SGOS 6.x higher than 6.1.2.1, a ProxySG will set the window scale option to "6" on all SYN packets, only if both the following are true:
RFC1323 is enabled, and
TCP window size is set higher than the default of 65535
 
Otherwise, the ProxySG will set a window-scale of  "0" (if RFC1323 is enabled, but TCP window-size is default or smaller), or send no window-scale option at all (if RFC1323 is disabled).
 
Compatibility issues were more likely to arise in earlier versions of SGOS that supported RFC1323 than those listed, where it was necessary to disable the feature entirely to achieve default behaviour of window-scale being set to "0" for SYN packets. The reason for these issues are already  described above. You (or someone upstream) might have a router or firewall not providing full RFC 1323 compatibility; hence the bad performance. If you take a PCAP (TCP-Dump) on the interface of a system, you might see a SYN packet that looks like this:
 
1              2010-04-14 13:42:29.003000         192.168.15.17         10.128.3.10         TCP        50704 > http [SYN] Seq=0 Win=102400 Len=0 MSS=1460 WS=6 TSV=14897848 TSER=0
 
The option "WS=6" means the system has RFC 1323 enabled and provides a scale factor of "6".  In a scenario where this was causing a problem, the source system would be seen to send a SYN packet with the option WS=6, but the option would be received as WS=0 at the far end of the connection. In this case, there would be a number of possible solutions. Either disable window scaling on the ProxySG, or set a default TCP window-size, or identify and replace the incompatible system.

RFC1323 configuration affects both the client (client to proxy) and server (proxy to OCS) side connection
 
Is it possible to disable RFC 1323 for a single connection on the ProxySG?
 
No it is not possible to disable RFC 1323 for just one website. The setting is a global setting and would impact all connections to and from the proxy.
 
How can RFC 1323 be disabled on the ProxySG?
 
To disable RFC 1323 on the ProxySG, you need to login to the ProxySG via serial console or via SSH session.
 
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             enabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 disable
  ok
ProxySG#(config)exit
ProxySG#
 
How can RFC 1323 be re-enabled on the ProxySG?
 
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             disabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 enable
  ok
ProxySG#(config)exit
ProxySG#

Note: A reboot of the ProxySG is required for RFC1323 configuration to take effect.