HTTPS requests may fail or be delayed for 30 seconds when using ProxySG

book

Article ID: 169685

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

HTTPS requests which match policy to disable protocol detection through a ProxySG running SGOS 6.5.9.14 through 6.5.10.3 may fail or be delayed for 30 seconds.

Cause

The impacted SGOS versions contain an issue in how protocol detection is processed.  Bug 248876 tracks this issue.

Environment

The following requirements must be present to experience this issue:

  1. SGOS 6.5.9.14, 6.5.9.15, 6.5.10.1, or 6.5.10.3 installed on ProxySG
  2. The HTTPS request must match a policy rule the contains the 'Disable SSL Detection' object action or a detect_protocol CPL action that includes specific protocols but does not include 'sip'.  Examples: detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no)
  3. Client browser is Internet Explorer 11 (or older) or Chrome with its SSL max configuration set to default or TLS1.2.

The issue will not occur if any of the following is true:

  1. Advanced Secure Gateway (ASG) is being used.
  2. SGOS 6.6.x.x or 6.7.x.x is installed on the ProxySG.
  3. The HTTPS requests match CPL rules that disable protocol detection for all protocols such as detect_protocol(no) or detect_protocol(none).
  4. Clients using FireFox.

Resolution

The fix for bug 248876 is available in SGOS release 6.5.10.4 (released on June 29, 2017).

The following work around to this issue is available if the proxy cannot be upgraded:

  • If the ProxySG is configured with policy using the 'Disable SSL Detection' action within the Visual Policy Manager (VPM) this policy will need to be migrated to a CPL layer within VPM and changed to detect_protocol[ssl,https,sips,sip](no).
  • If the ProxySG is configured with CPL policy in a CPL layer within VPM or in a local policy file or in a central policy file that uses detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no) these will need to change to detect_protocol[ssl,https,sips,sip](no).