What TCP source ports are used by the ProxySG and how do I manage them?

Article ID: 167384

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

By default, the ProxySG appliance uses a randomly assigned source port in the range 49152 to 65535 for outgoing connections. This is the ephemeral port range suggested by the Internet Assigned Numbers Authority (IANA). On a busy appliance, this small range of TCP ports can result in the ProxySG reusing source ports at a quick rate, which can cause issues with other devices such as firewalls or intrusion-detection applications. Those devices, upon seeing multiple requests with the same source and destination ports within a short window of time, may flag the connection as invalid.

The exception to this is when Reflect Client IP is enabled. In that case, the appliance uses the source port from the client request + 17407 (wrapping at port 65535 back to a starting port of 1024) when it contacts the OCS, even if that port is lower than the configured range of ephemeral ports. This is by design, and is necessary to mirror the details of the client connection to the origin server.

Resolution

You can resolve this issue by either increasing the range of source ports the appliance uses, or by disabling the automatic randomization used to assign source ports to outbound traffic.

Configure the Source Port Range
tcp-ip inet-lowport <value between 1024 and 49152>

Example:
SG300#(config) tcp-ip inet-lowport 16384

This increases the range of available source ports from the default of about 16K to the difference between 65,535 (the maximum port number) and the configured lowport value. So, if you use 16,384 as the lowport value, there are about 48K ports in the new range.

Disable Source Port Randomization
tcp-ip tcp-randomize-port <enable|disable>

Example:
SG300#(config) tcp-ip tcp-randomize-port disable

This disables the randomization algorithm and reverts to the behavior where the ProxySG chooses source ports sequentially. A source port is therefore only reused after the allocation reaches 65535 and wraps back to the lowest port again.
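The following is an added example (not part of the Broadcom article) that models the source-port behavior described above, so that a firewall or IDS operator can predict which source ports to expect from the appliance. The exact wrap-around arithmetic for Reflect Client IP is an assumption, since the article only states "+17407, wrapping at 65535 back to 1024".

```python
# Added example: models ProxySG source-port selection as described in the article.
# Assumption: for Reflect Client IP, a computed port of 65536 wraps to 1024,
# 65537 to 1025, and so on (the article does not spell out the exact arithmetic).

MAX_PORT = 65535
DEFAULT_LOWPORT = 49152     # IANA ephemeral range start, the SGOS default
REFLECT_OFFSET = 17407      # added to the client source port when reflecting
WRAP_START = 1024           # lowest port reached after wrapping past 65535


def ephemeral_range(lowport: int = DEFAULT_LOWPORT) -> tuple[int, int, int]:
    """Return (low, high, count) of ephemeral source ports for an inet-lowport value."""
    if not 1024 <= lowport <= 49152:
        raise ValueError("tcp-ip inet-lowport accepts values between 1024 and 49152")
    return lowport, MAX_PORT, MAX_PORT - lowport


def reflected_source_port(client_port: int) -> int:
    """Source port the appliance uses toward the OCS when Reflect Client IP is on.

    The result may fall below the configured ephemeral range; this is by design.
    """
    port = client_port + REFLECT_OFFSET
    if port > MAX_PORT:
        port = WRAP_START + (port - MAX_PORT - 1)   # assumed wrap: 65536 -> 1024
    return port


def port_in_configured_range(port: int, lowport: int = DEFAULT_LOWPORT) -> bool:
    """True if a source port lies inside the ephemeral range a firewall should expect."""
    low, high, _ = ephemeral_range(lowport)
    return low <= port <= high


def next_sequential_port(current: int, lowport: int = DEFAULT_LOWPORT) -> int:
    """Next source port with tcp-randomize-port disabled: sequential, wrapping to lowport."""
    low, high, _ = ephemeral_range(lowport)
    if not low <= current <= high:
        raise ValueError("current port is outside the configured range")
    return low if current == high else current + 1


if __name__ == "__main__":
    # Constructed sample: what a firewall sees for two client connections.
    for client_port in (40000, 50000):
        p = reflected_source_port(client_port)
        print(f"client {client_port} -> OCS source port {p}, "
              f"in default range: {port_in_configured_range(p)}")
    print("ports available with inet-lowport 16384:", ephemeral_range(16384)[2])
```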

NOTE: When you run show tcp-ip, inet-lowport and tcp-randomize-port are not displayed in the CLI. These are hidden commands.

Both commands are nonetheless accepted: if you type "SG#(config) tcp-ip inet-lowport 16384", the CLI responds with "ok". To confirm the values currently in effect:

  1. Open the sysinfo page by browsing to https://<Proxy_IP>:8082/sysinfo
  2. Search for tcp-ip
  3. If the commands do not appear, the SG is using the default inet-lowport value of 49152 and/or tcp-ip tcp-randomize-port enable. Otherwise, the configured line is shown there as well.