SGOS behaviour and compatibility
In all versions of SGOS 5.x higher than or equal to 5.4.5.1 and 5.5.4.1, and in all versions of SGOS 6.x higher than 6.1.2.1, a ProxySG sets the window scale option to "6" on all SYN packets only if both of the following are true:
RFC1323 is enabled, and
TCP window size is set higher than the default of 65535
Otherwise, the ProxySG will set a window-scale of "0" (if RFC1323 is enabled, but TCP window-size is default or smaller), or send no window-scale option at all (if RFC1323 is disabled).
Compatibility issues were more likely to arise in versions of SGOS that supported RFC1323 and are earlier than those listed; in those versions it was necessary to disable the feature entirely to get the default behaviour of window-scale being set to "0" on SYN packets. The reasons for these issues are described above. You (or someone upstream) might have a router or firewall not providing full RFC 1323 compatibility; hence the bad performance. If you take a PCAP (TCP-Dump) on the interface of a system, you might see a SYN packet that looks like this:
1 2010-04-14 13:42:29.003000 192.168.15.17 10.128.3.10 TCP 50704 > http [SYN] Seq=0 Win=102400 Len=0 MSS=1460 WS=6 TSV=14897848 TSER=0
The option "WS=6" means the system has RFC 1323 enabled and provides a scale factor of "6". In a scenario where this was causing a problem, the source system would be seen to send a SYN packet with the option WS=6, but the option would be received as WS=0 at the far end of the connection. In this case, there are a number of possible solutions: disable window scaling on the ProxySG, set a default TCP window-size, or identify and replace the incompatible system.
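One way to make the comparison described above, as an added example that is not part of the original article: the Python below parses the options of a raw TCP header and compares the window-scale option of the same SYN as captured at the sender and at the far end. The function names and the sample headers are constructed for illustration; it assumes the TCP header bytes have already been extracted from each capture.

```python
import struct

def tcp_options(header: bytes) -> dict:
    """Return {kind: value bytes} for the options in a raw TCP header."""
    end = (header[12] >> 4) * 4            # data offset = header length in bytes
    if end < 20 or end > len(header):
        raise ValueError("bad TCP data offset")
    opts, i = {}, 20
    while i < end:
        kind = header[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP is a single padding byte
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2 or i + header[i + 1] > end:
            raise ValueError("malformed TCP option")
        opts[kind] = header[i + 2:i + header[i + 1]]
        i += header[i + 1]
    return opts

def window_scale(header: bytes):
    """Shift count from the Window Scale option (kind 3), or None if absent."""
    value = tcp_options(header).get(3)
    return value[0] if value else None

def compare_syn(sent: bytes, received: bytes):
    """Compare the WS option of one SYN captured at both ends of the path."""
    s, r = window_scale(sent), window_scale(received)
    verdict = ("unchanged" if s == r else
               "stripped in transit" if r is None else "rewritten in transit")
    return s, r, verdict

def build_syn(options: bytes) -> bytes:
    """Constructed sample input: a SYN header carrying the given options."""
    options += b"\x00" * (-len(options) % 4)     # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 50704, 80, 0, 0, offset << 4, 0x02,
                       65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"                        # MSS=1460
SENT = build_syn(MSS + b"\x01\x03\x03\x06")      # NOP, WS=6 as sent
REWRITTEN = build_syn(MSS + b"\x01\x03\x03\x00") # arrives as WS=0
STRIPPED = build_syn(MSS + b"\x01\x01\x01\x01")  # option replaced by NOPs

if __name__ == "__main__":
    for name, rx in (("rewritten", REWRITTEN), ("stripped", STRIPPED)):
        print(name, compare_syn(SENT, rx))
```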
RFC1323 configuration affects both the client-side (client to proxy) and server-side (proxy to OCS) connections.
Is it possible to disable RFC 1323 for a single connection on the ProxySG?
No, it is not possible to disable RFC 1323 for just one website. The setting is global and impacts all connections to and from the proxy.
How can RFC 1323 be disabled on the ProxySG?
To disable RFC 1323 on the ProxySG, log in to the ProxySG via the serial console or an SSH session.
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)show tcp-ip
RFC-1323 support: enabled
TCP Newreno support: enabled
IP forwarding: enabled
ICMP bcast echo response: disabled
ICMP timestamp echo response: disabled
Path MTU Discovery: disabled
TCP silly-window avoidance: enabled
Routing algorithm: weighted-round-robin
TCP 2MSL timeout: 120 seconds
TCP window size: 2031585 bytes
TCP Loss Recovery Mode: normal
Bypass connection keep-alive: disabled
Fast retransmit: enabled
Fast TCP FIN_WAIT_2 recycle: disabled
SCPS link bandwidth: (not configured)
SCPS interface: (not configured)
SCPS link rtt: (not configured)
SCPS processing: Disabled
ProxySG#(config)tcp-ip rfc-1323 disable
ok
ProxySG#(config)exit
ProxySG#
How can RFC 1323 be re-enabled on the ProxySG?
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line. End with CTRL-Z.
ProxySG#(config)show tcp-ip
RFC-1323 support: disabled
TCP Newreno support: enabled
IP forwarding: enabled
ICMP bcast echo response: disabled
ICMP timestamp echo response: disabled
Path MTU Discovery: disabled
TCP silly-window avoidance: enabled
Routing algorithm: weighted-round-robin
TCP 2MSL timeout: 120 seconds
TCP window size: 2031585 bytes
TCP Loss Recovery Mode: normal
Bypass connection keep-alive: disabled
Fast retransmit: enabled
Fast TCP FIN_WAIT_2 recycle: disabled
SCPS link bandwidth: (not configured)
SCPS interface: (not configured)
SCPS link rtt: (not configured)
SCPS processing: Disabled
ProxySG#(config)tcp-ip rfc-1323 enable
ok
ProxySG#(config)exit
ProxySG#
Note: A reboot of the ProxySG is required for RFC1323 configuration to take effect.