Proxy refusing connections with a RST-ACK after pointing at it in the browser
Article ID: 171135
Updated On:
Products
Advanced Secure Gateway Software - ASG
ASG-S200
ASG-S400
ASG-S500
SG-300
Symantec WebFilter (formerly Blue Coat WebFilter - BCWF)
SG-600
Intelligence Services
SG-510
SG-810
SG-9000
SG-900
SG-S500
SG-S400
Secure Web Gateway Virtual Appliance
SG-S200
ProxySG Software - SGOS
SWG VA-100
Issue/Introduction
The purpose of this article is to look at the most common reason why the proxy might reject (reset a connection) right after receiving an SYN packet from client machines that have the proxy configured in their browsers.
When this occurs, in a packet capture we can see the proxy sends a packet with the RST and ACK flags on (RST-ACK).
Resolution
- In Explicit environments, as the destination IP of all TCP connections will be the proxy’s IP, the proxy must be listening in the port that was specified in the browser settings. Otherwise, the proxy will reset the connection. This can be changed in Configuration > Services > Proxy Services > Explicit HTTP.
- If the Service is set to “Bypass”, it will block all incoming connections, acting as a closed port in a firewall.
- Changing the service to “Intercept” will open the port so explicit connections can be interpreted by the proxy.
Feedback
Yes
No
Powered by
