Proxy refusing connections with a RST-ACK after pointing at it in the browser

Article ID: 171135

Products

Advanced Secure Gateway Software - ASG, ASG-S200, ASG-S400, ASG-S500, SG-300, Symantec WebFilter (formerly Blue Coat WebFilter - BCWF), SG-600, Intelligence Services, SG-510, SG-810, SG-9000, SG-900, SG-S500, SG-S400, Secure Web Gateway Virtual Appliance, SG-S200, ProxySG Software - SGOS, SWG VA-100

Issue/Introduction

This article looks at the most common reason why the proxy might reject (reset) a connection right after receiving a SYN packet from client machines that have the proxy configured in their browsers.

When this occurs, a packet capture shows the proxy sending a packet with the RST and ACK flags set (RST-ACK).

Resolution

  • In Explicit environments, the destination IP of all TCP connections is the proxy’s IP, so the proxy must be listening on the port that was specified in the browser settings. Otherwise, the proxy will reset the connection. The listening port can be changed in Configuration > Services > Proxy Services > Explicit HTTP.
  • If the Service is set to “Bypass”, it will block all incoming connections, acting as a closed port in a firewall.
  • Changing the service to “Intercept” will open the port so explicit connections can be interpreted by the proxy.
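
To confirm the symptom in a capture, the following added example (not part of the original article or of any Symantec tooling) pairs each client SYN sent to the proxy with the proxy's reply and reports the ones answered by a RST-ACK. The IP addresses, port numbers and packet headers are constructed sample data, and the function names are hypothetical.

```python
import struct

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

def parse_tcp(header: bytes):
    """Return (sport, dport, seq, ack, flags) from a raw TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, seq, ack, off_flags & 0x3F

def refused_syns(packets, proxy_ip):
    """Find client SYNs to proxy_ip that the proxy answered with RST-ACK.

    packets: (src_ip, dst_ip, tcp_header_bytes) tuples in capture order.
    Returns a list of (client_ip, client_port, proxy_port).
    """
    pending = {}  # (client_ip, client_port, proxy_port) -> SYN sequence number
    refused = []
    for src, dst, raw in packets:
        sport, dport, seq, ack, flags = parse_tcp(raw)
        if dst == proxy_ip and flags & SYN and not flags & ACK:
            pending[(src, sport, dport)] = seq
        elif src == proxy_ip:
            key = (dst, dport, sport)
            if key not in pending:
                continue
            syn_seq = pending.pop(key)
            # The reset of a refused SYN acknowledges the SYN's seq + 1.
            if flags & RST and flags & ACK and ack == (syn_seq + 1) & 0xFFFFFFFF:
                refused.append(key)
    return refused

def build(sport, dport, seq, ack, flags):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (5 << 12) | flags, 64240, 0, 0)

# Constructed capture: proxy 192.0.2.10, client 198.51.100.7.
# Port 8080 is refused (no listener); port 3128 completes the handshake.
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", build(50001, 8080, 1000, 0, SYN)),
    ("192.0.2.10", "198.51.100.7", build(8080, 50001, 0, 1001, RST | ACK)),
    ("198.51.100.7", "192.0.2.10", build(50002, 3128, 2000, 0, SYN)),
    ("192.0.2.10", "198.51.100.7", build(3128, 50002, 7000, 2001, SYN | ACK)),
]

if __name__ == "__main__":
    for client, cport, pport in refused_syns(SAMPLE, "192.0.2.10"):
        print(f"{client}:{cport} -> proxy port {pport}: refused (RST-ACK)")
```

A proxy port that appears in the output is the one to compare against the browser's proxy setting and the Explicit HTTP service configuration.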