TCP_ERROR - Why do I get this when I use a ProxySG?


Article ID: 167723


Products

ProxySG Software - SGOS

Issue/Introduction

A TCP_ERROR occurs when the ProxySG makes a request to a Web Site and either does not get a reply back or the connection is terminated by the upstream device.

The following is an example case where a Client attempts to go to the www.bluecoat.com site.

The Client opens a web browser and types in www.bluecoat.com. We can see the creation of the TCP connection between the Client PC and the ProxySG.


Client to ProxySG Connection

No. Time        Source       Destination     Protocol Src Port    Dest Port Info
121 27.879000   10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2 SACK_PERM=1
122 27.880000   10.91.7.20   10.91.1.55      TCP      8080        65377   http-alt > 65377 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1
123 27.880000   10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [ACK] Seq=1 Ack=1 Win=65700 Len=0
125 27.880999   10.91.1.55   10.91.7.20      HTTP     65377       8080    GET http://www.bluecoat.com/ HTTP/1.1
140 27.944999   10.91.7.20   10.91.1.55      TCP      8080        65377   http-alt > 65377 [ACK] Seq=1 Ack=824 Win=65535 Len=0


Once the ProxySG has the name of the Web Site, it performs a DNS lookup to get the real IP. The ProxySG then attempts to open a new TCP connection to the Web Site using the real IP and port 80.

Most of the time the Web Site sends a reply, and once the TCP connection is established the ProxySG sends the URL request.

In the example below the ProxySG does not get a response back, so it keeps resending the SYN until it decides the site is not going to respond.


ProxySG to Web Site Connection:

131 27.886999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506739715 TSER=0
150 30.845999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506742675 TSER=0
151 34.046000   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=0 SACK_PERM=1 TSV=506745875 TSER=0
158 37.245999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
179 40.446000   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
205 43.647000   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
244 49.846999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
289 62.047999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1
384 86.249999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1

 

At this point the ProxySG must respond to the Client request, so it sends back an exception page (see below).

Client to ProxySG Connection:

433 102.853999  10.91.7.20   10.91.1.55      HTTP     8080        65377   HTTP/1.1 503 Service Unavailable  (text/html)

434 102.854999  10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [FIN, ACK] Seq=824 Ack=936 Win=64764 Len=0
435 102.854999  10.91.7.20   10.91.1.55      TCP      8080        65377   http-alt > 65377 [ACK] Seq=936 Ack=825 Win=65535 Len=0
436 102.868000  10.91.7.20   10.91.1.55      TCP      8080        65377   http-alt > 65377 [FIN, ACK] Seq=936 Ack=825 Win=65535 Len=0
437 102.868999  10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [ACK] Seq=825 Ack=937 Win=64764 Len=0

 

Resolution

The exception page is given because the ProxySG must report back that a problem occurred. In this example case the outbound port 80 (HTTP) was blocked on the firewall; however, depending on the customer's environment, there may be other issues.

Troubleshooting

  1. First find out why the ProxySG is returning the "TCP ERROR" page. This can be done by taking a PCAP on the ProxySG to see the request.
  2. If you see the pattern in the above example, move on to the upstream devices such as firewalls and gateways, and get packet captures from them to see whether they are receiving a response and not sending it back to the ProxySG.
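One way to check a capture for the pattern in step 2, as an added example that is not part of the original article: it assumes the PCAP has been exported as text in the same column layout as the listings above, and the function name `unanswered_syns` is hypothetical. It reports every flow where a SYN was sent repeatedly and no SYN,ACK ever came back.

```python
import re
from collections import defaultdict

# Subset of the rows from the listings above, Info column shortened.
SAMPLE = """\
121 27.879000   10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [SYN] Seq=0 Win=8192 Len=0
122 27.880000   10.91.7.20   10.91.1.55      TCP      8080        65377   http-alt > 65377 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
123 27.880000   10.91.1.55   10.91.7.20      TCP      65377       8080    65377 > http-alt [ACK] Seq=1 Ack=1 Win=65700 Len=0
131 27.886999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0
150 30.845999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0
151 34.046000   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0
384 86.249999   10.91.7.20   216.52.23.29    TCP      20106       80      20106 > 80 [SYN] Seq=0 Win=65535 Len=0
"""

# No, Time, Source, Destination, Protocol, Src Port, Dest Port, Info
ROW = re.compile(r"^\s*\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+)\s+(\d+)\s+(.*)$")
FLAGS = re.compile(r"\[([A-Z, ]+)\]")

def unanswered_syns(text, min_attempts=2):
    """Return flows where a SYN was sent repeatedly and no SYN,ACK came back."""
    syns = defaultdict(list)   # (src, sport, dst, dport) -> SYN timestamps
    answered = set()           # flows that received a SYN,ACK
    for line in text.splitlines():
        row = ROW.match(line)
        if not row:
            continue           # header or blank line
        t, src, dst, sport, dport, info = row.groups()
        found = FLAGS.search(info)
        if not found:
            continue           # e.g. HTTP rows carry no TCP flag list
        flags = {f.strip() for f in found.group(1).split(",")}
        if flags == {"SYN"}:
            syns[(src, sport, dst, dport)].append(float(t))
        elif flags == {"SYN", "ACK"}:
            # The reply travels in the reverse direction of the SYN.
            answered.add((dst, dport, src, sport))
    report = []
    for flow, times in syns.items():
        if flow not in answered and len(times) >= min_attempts:
            report.append({"flow": flow, "attempts": len(times),
                           "waited": round(times[-1] - times[0], 3)})
    return report

if __name__ == "__main__":
    for r in unanswered_syns(SAMPLE):
        src, sport, dst, dport = r["flow"]
        print(f"{src}:{sport} -> {dst}:{dport}: {r['attempts']} SYNs, "
              f"no SYN,ACK in {r['waited']}s")
```

Running the same check on a capture taken at the firewall or gateway shows whether the SYNs leave the network at all, which is the comparison step 2 asks for.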

 
