Cannot access external websites when ADN is enabled in ProxySG

Article ID: 168245

Products

ProxySG Software - SGOS

Issue/Introduction

Users cannot access some external websites when ADN is enabled. Even though this feature is used between devices sitting across a WAN link, packets sent to external websites can also be affected.

Cause

The issue is due to the use of the "Options" field in the TCP header. Refer to the following example of an ADN-enabled packet capture:
 
User-added image

The "Options" section shows a high value of 36 bytes because ADN adds its information in this field. A normal TCP packet will have a size up to 20 bytes for "Options".

This issue doesn't happen for all websites; very few are known to have this issue. The root cause can be server incompatibility or a security device blocking the modified TCP packets as a potential security threat.
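To check a capture for the symptom described above, the following added example (not part of the original article or of any Symantec/Broadcom tooling) parses a raw TCP header, measures the "Options" length from the data offset, and flags headers above the 20-byte figure the article gives. The sample headers are constructed, and the 16-byte extra option uses experimental kind 253 as a placeholder, since the article does not state how ADN encodes its data.

```python
import struct

# Well-known option kinds; anything else is reported as non-standard.
STANDARD_KINDS = {0, 1, 2, 3, 4, 5, 8}  # EOL, NOP, MSS, WScale, SACK-Perm, SACK, Timestamps

def parse_tcp_options(header: bytes):
    """Return (options_length, [(kind, length), ...]) for one raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    hdr_len = (header[12] >> 4) * 4  # data offset is counted in 32-bit words
    if hdr_len < 20 or hdr_len > len(header):
        raise ValueError("invalid data offset")
    opts, found, i = header[20:hdr_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List: the rest is padding
            found.append((0, 1))
            break
        if kind == 1:  # NOP is a single byte with no length field
            found.append((1, 1))
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        found.append((kind, opts[i + 1]))
        i += opts[i + 1]
    return len(opts), found

def review(header: bytes, threshold: int = 20):
    """Flag headers whose options exceed the article's 20-byte figure."""
    size, found = parse_tcp_options(header)
    return {"options_bytes": size, "oversized": size > threshold,
            "nonstandard_kinds": [k for k, _ in found if k not in STANDARD_KINDS]}

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header (ports and sequence numbers are arbitrary)."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, offset << 4, 0x02, 65535, 0, 0) + options

# Constructed samples: MSS, SACK-permitted, Timestamps, NOP, Window scale = 20 bytes
COMMON = bytes([2, 4, 5, 180, 4, 2, 8, 10, 0, 0, 0, 1, 0, 0, 0, 0, 1, 3, 3, 7])
# Placeholder 16-byte option using experimental kind 253; NOT the real ADN encoding
EXTRA = bytes([253, 16]) + bytes(14)

if __name__ == "__main__":
    print(review(build_syn(COMMON)))
    print(review(build_syn(COMMON + EXTRA)))
```

Feed `review()` the TCP header bytes of the SYN sent toward an affected site; an `oversized` result on traffic leaving the proxy indicates the destination is a candidate for the bypass policy in the Resolution section.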

Resolution

Configure the ProxySG appliance to bypass the ADN for such websites so that this extra information is not added. Install the following policy:

<forward>
server_url.domain=<website domain> adn.server(no)


Some affected sites at the time of writing this article:

https://login.poems.com.sg
https://support.property.saiglobal.com
