HTTPS requests may fail or be delayed for 30 seconds when using ProxySG


Article ID: 169685


Updated On:


ProxySG Software - SGOS


HTTPS requests which match policy to disable protocol detection through a ProxySG running SGOS through may fail or be delayed for 30 seconds.


The impacted SGOS versions contain an issue in how protocol detection is processed.  Bug 248876 tracks this issue.


The following requirements must be present to experience this issue:

  1. SGOS,,, or installed on ProxySG
  2. The HTTPS request must match a policy rule the contains the 'Disable SSL Detection' object action or a detect_protocol CPL action that includes specific protocols but does not include 'sip'.  Examples: detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no)
  3. Client browser is Internet Explorer 11 (or older) or Chrome with its SSL max configuration set to default or TLS1.2.

The issue will not occur if any of the following is true:

  1. Advanced Secure Gateway (ASG) is being used.
  2. SGOS 6.6.x.x or 6.7.x.x is installed on the ProxySG.
  3. The HTTPS requests match CPL rules that disable protocol detection for all protocols such as detect_protocol(no) or detect_protocol(none).
  4. Clients using FireFox.


The fix for bug 248876 is available in SGOS release (released on June 29, 2017).

The following work around to this issue is available if the proxy cannot be upgraded:

  • If the ProxySG is configured with policy using the 'Disable SSL Detection' action within the Visual Policy Manager (VPM) this policy will need to be migrated to a CPL layer within VPM and changed to detect_protocol[ssl,https,sips,sip](no).
  • If the ProxySG is configured with CPL policy in a CPL layer within VPM or in a local policy file or in a central policy file that uses detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no) these will need to change to detect_protocol[ssl,https,sips,sip](no).