A TCP_ERROR is when the ProxySG makes a request to a Web Site and either does not get a reply back or the connection is terminated by the upstream device.
The following is an example case where a Client attempts to go to the www.bluecoat.com site.
The Client opens a web browser and types in www.bluecoat.com. We can see the creation of the TCP connection between he Client PC and the ProxySG.
Client to ProxySG Connection
No. Time Source Destination Protocol Src Port Dest Port
121 27.879000 Client IP Proxy IP TCP 65377 8080 65377 > http-alt [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
122 27.880000 Proxy IP Client IP TCP 8080 65377 http-alt > 65377 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1
123 27.880000 Client IP Proxy IP TCP 65377 8080 65377 > http-alt [ACK] Seq=1 Ack=1 Win=65700 Len=0
125 27.880999 Client IP Proxy IP HTTP 65377 8080 GET http://www.bluecoat.com/ HTTP/1.1
140 27.944999 Proxy IP Client IP TCP 8080 65377 http-alt > 65377 [ACK] Seq=1 Ack=824 Win=65535 Len=0
Once the ProxySG has the name of the web site it performs a DNS lookup to get the real IP. The ProxySG now attempts to start a new TCP connection to the Web Site using the real IP and port 80.
Most of the time the Web site would send a reply and once the TCP connection is established the ProxySG would send the URL Request.
In the example below we can see the ProxySG does not get a response back; so it sends a new SYN until the ProxySG decided the site is not going to response.
ProxySG to Web Site connection :
131 27.886999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506739715 TSER=0
150 30.845999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506742675 TSER=0
151 34.046000 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506745875 TSER=0
158 37.245999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
179 40.446000 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
205 43.647000 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
244 49.846999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
289 62.047999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
384 86.249999 Proxy IP Destination IP TCP 20106 80 20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
At this port the ProxySG must respond to the Client Request so we send back an exception page (see below).
Client to ProxySG Connection:
433 102.853999 Proxy IP Client IP HTTP 8080 65377 HTTP/1.1 503 Service Unavailable (text/html)
434 102.854999 Client IP Proxy IP TCP 65377 8080 65377 > http-alt [FIN, ACK] Seq=824 Ack=936 Win=64764 Len=0
435 102.854999 Proxy IP Client IP TCP 8080 65377 http-alt > 65377 [ACK] Seq=936 Ack=825 Win=65535 Len=0
436 102.868000 Proxy IP Client IP TCP 8080 65377 http-alt > 65377 [FIN, ACK] Seq=936 Ack=825 Win=65535 Len=0
437 102.868999 Client IP Proxy IP TCP 65377 8080 65377 > http-alt [ACK] Seq=825 Ack=937 Win=64764 Len=0
The exception page is given because the ProxySG must report back that a problem occurred. In this "example case" the outbound port 80 (http) was blocked on the firewall but, however depending on the customers environment there may be other issues.
Troubleshooting.