PCAPs taken to troubleshoot slow performance through ProxySG show an upstream firewall blocking numerous requests

Article ID: 169275

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article describes an example of slow performance when accessing sites. In this scenario, checking PCAPs and the firewall logs shows a high number of requests being blocked by the upstream firewall. This can be caused by factors such as:
  • The ProxySG appliance reused the source port too soon
  • The ProxySG appliance leveraged the existing session for requests to the same destination
As a caching and performance-optimization device, the appliance tries to leverage persistent connections, which can create a challenge with an upstream firewall. The firewall might not allow the appliance to reuse the existing session, or the appliance might reuse the source port too soon, resulting in blocked connections.

In some situations, you might notice a high number of out-of-state packets from the appliance being blocked by the firewall. This may not be clearly visible from the appliance, because an effectively configured firewall silently drops the request rather than rejecting it; thus, there is no response from the firewall to the proxy request.

From the ProxySG appliance, you can only see retransmission of SYN requests upstream. For details, see Firewall is reporting a lot of out of state packets.
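The two symptoms described above (a source port reused on the same destination shortly after the previous session ended, and upstream SYNs retransmitted with no SYN/ACK ever coming back) can be spotted with a simple per-flow state machine over the packets in the capture. The following is example code added to this article, not a Blue Coat or Broadcom tool. It works on simplified packet records that are constructed inline; the 60-second reuse window and the two-SYN threshold are assumptions chosen for illustration, and in practice the records would be exported from the PCAP (for example with tshark).

```python
"""Heuristics for two ProxySG-to-firewall symptoms seen in a capture:
  1. a TCP source port reused on the same 4-tuple too soon after the
     previous session was established or closed ("early port reuse");
  2. upstream SYNs with no SYN/ACK reply (silent firewall drop).
Example code added to this article; not Blue Coat/Broadcom tooling."""

# Constructed sample records: (time_s, src_ip, src_port, dst_ip, dst_port, flags)
# flags: "S" = SYN from the proxy, "SA" = SYN/ACK from the server,
#        "F" = FIN, "R" = RST (either side).  All values are made up.
SAMPLE_PACKETS = [
    (0.00, "10.1.1.10", 40001, "203.0.113.5", 443, "S"),
    (0.02, "203.0.113.5", 443, "10.1.1.10", 40001, "SA"),
    (0.50, "10.1.1.10", 40001, "203.0.113.5", 443, "F"),   # proxy closes
    (0.80, "10.1.1.10", 40001, "203.0.113.5", 443, "S"),   # same port 0.3 s later
    (1.80, "10.1.1.10", 40001, "203.0.113.5", 443, "S"),   # SYN retransmit
    (3.80, "10.1.1.10", 40001, "203.0.113.5", 443, "S"),   # SYN retransmit
    (0.10, "10.1.1.10", 40002, "203.0.113.6", 80, "S"),
    (0.12, "203.0.113.6", 80, "10.1.1.10", 40002, "SA"),   # healthy flow
]


def _flow_key(pkt, flows):
    """Normalise a packet to a (client_ip, client_port, server_ip, server_port)
    key so that both directions of a connection map to one flow."""
    _, sip, sport, dip, dport, flags = pkt
    fwd = (sip, sport, dip, dport)
    rev = (dip, dport, sip, sport)
    if flags == "SA":                 # SYN/ACK always comes from the server
        return rev
    if fwd not in flows and rev in flows:
        return rev                    # FIN/RST sent by the server side
    return fwd


def analyse(packets, min_gap_s=60.0, syn_threshold=2):
    """Return (early_reuse, unanswered).

    early_reuse: list of (flow_key, prior_state, gap_s) for each new SYN that
                 arrived on a 4-tuple less than min_gap_s after that tuple was
                 last established or closed.
    unanswered:  dict flow_key -> number of SYNs sent since the last SYN/ACK,
                 for flows at or above syn_threshold (i.e. retransmitting)."""
    flows = {}                        # key -> {"state", "last_t", "pending_syns"}
    early_reuse = []
    for pkt in sorted(packets, key=lambda p: p[0]):   # process in time order
        t, flags = pkt[0], pkt[5]
        key = _flow_key(pkt, flows)
        st = flows.setdefault(key, {"state": "new", "last_t": t, "pending_syns": 0})
        if flags == "S":
            if st["state"] in ("established", "closed"):
                # A fresh handshake on a tuple that was recently in use.
                gap = t - st["last_t"]
                if gap < min_gap_s:
                    early_reuse.append((key, st["state"], round(gap, 3)))
                st["pending_syns"] = 0
            # state "syn_sent" with another SYN is a retransmission: count it
            st["state"] = "syn_sent"
            st["pending_syns"] += 1
        elif flags == "SA":
            st["state"] = "established"
            st["pending_syns"] = 0    # handshake answered, nothing pending
        elif flags in ("F", "R"):
            st["state"] = "closed"
        st["last_t"] = t
    unanswered = {k: v["pending_syns"] for k, v in flows.items()
                  if v["pending_syns"] >= syn_threshold}
    return early_reuse, unanswered


if __name__ == "__main__":
    reuse, dropped = analyse(SAMPLE_PACKETS)
    for key, prior, gap in reuse:
        print(f"early reuse: {key} {gap}s after flow was {prior}")
    for key, n in dropped.items():
        print(f"no SYN/ACK: {key} after {n} SYNs")
```

On the sample, the flow on source port 40001 is reported both as an early reuse (0.3 s after the proxy's FIN) and as three SYNs with no SYN/ACK, which is exactly the picture the article describes: the appliance sees only its own SYN retransmissions, while the firewall has been dropping the out-of-state packets. To run this against a real capture, the same six fields can be exported with `tshark -r capture.pcap -T fields` using `frame.time_relative`, `ip.src`, `tcp.srcport`, `ip.dst`, `tcp.dstport` and the `tcp.flags.*` fields, then mapped to the flag strings used here.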

To work around this challenge, Blue Coat recommends that you expand the range of TCP source ports in use and disable source port randomization.
For details, see the article What TCP source ports are used by the ProxySG and how do I manage them?

Certain security devices can be very strict, not allowing the ProxySG appliance to leverage persistent upstream connections. You might consider disabling persistent connections to further evaluate the behavior. You can disable persistent connections globally or for a specific URL. For details, see How do I disable HTTP persistence on the ProxySG?

Disabling persistent connections should be considered only if there is no other option to fix the slowness issue towards a particular site.
However, this might increase HTTP server load, since the ProxySG may need to initiate a new upstream connection for every similar request coming from clients.
It may also degrade the caching and performance-optimization functionality of the ProxySG.

Resolution

Workaround

Modify the timeout value for the persistent connection. For details, see Upstream Firewall dropping connections from the ProxySG.