Capture PCAP with intermittent TCP errors (503) browsing web sites.

book

Article ID: 170532

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

TCP 503 errors were intermittently occurring on the browsers.

Error went away once page is being refreshed.
 

TCP 503 Error

Resolution

As it would be difficult to capture an intermittent issue, following steps below would help in capturing the issue in PCAP.

  1. Start PCAP with maximum PCAP buffer (see Setting rolling packet capture with increased size limit on ProxySG)
  2. Install the following CPL. This would automatically stop the PCAP when TCP error is seen by the proxy. (Refer to Add CPL to a local policy file on the ProxySG to install local policy)
    •  exception.id=tcp_error diagnostic.stop(pcap)
  3. You can then download the PCAP to troubleshoot the issue further. Best if you can correlate with the end user on which site, date, time and the symptom of the issue to better figure out the issue.​

Note: you may add additional criteria to the above CPL to match only a certain traffic (Narrowing down the traffic is recommended as PCAP will be stopped if any user accidentally typed in a wrong address.
e.g
-This would stop PCAP if tcp_error is seen from the 10.30.147.76 IP address

 <exception>
 client.address=10.30.147.76 exception.id=tcp_error diagnostic.stop(pcap)

or


-This would stop PCAP if tcp_error is seen coming from the 10.30.147.0/24 subnet

 <exception>
 client.address=10.30.147.0/24 exception.id=tcp_error diagnostic.stop(pcap)