Environment: Proxy forwarding to Cloud SWG (formerly WSS)
Symptom: Increased latency to websites
Symptom: Page timeouts occur
Symptom: The forwarding proxy's health checks will periodically timeout and fail
Symptom: It seems to occur more frequently when there is more load on the local proxies. When the load is low (early morning, late evening/night, or weekends and holidays), then no issues are reported.
Symptom: There aren't any performance degradation announcements found on the Cloud SWG Status page for the data center you are connecting to.
The pool of TCP connections is exhausted because the ProxySG appliance is forwarding traffic to a single destination (Cloud SWG) rather than dispersing traffic to multiple public-content providers. Additionally, the pool of connections might also be exhausted by:
This article provides instructions on how to detect and resolve this situation.
To determine if all connections are being consumed, view the statistic for the ProxySG appliance that increases when the appliance was unable to find a source port:
To increase the number of available connections, do the following until the TCP2.214 statistic remains static, and the latency and timeout issues are resolved:
If the issues persist, contact Symantec support for further investigation.
By default, the maximum number of source ports is 16,384. To ensure enough unique connections are available, use the following CLI command to increase the number of ports to the maximum possible for the appliance:
#(config) tcp-ip inet-lowport 16384
Note: The inet-lowport can be set as low as 1024. Setting the port lower than a listening port on the proxy can had adverse effects to regular proxy operations.
For further information, see the KB article: https://knowledge.broadcom.com/external/article?articleId=167384
To reduce the amount of time a TCP connection is in the TIME_WAIT state, use the following CLI command:
#(config) tcp-ip tcp-2msl 30
Reducing the TCP TIME_WAIT state value ensures that the ProxySG source ports become reusable more quickly.
To configure additional egress IP addresses from your appliance to Cloud SWG:
#(config interface <interface_number>) ip-address <ip-address> <subnet-mask>
Use this option if you want to avoid adding public IP addresses to your ProxySG appliance.
To obtain additional IP addresses for Cloud SWG, contact your Symantec point of contact for assistance. When you have the additional IP addresses, do the following:
To set up forwarding hosts:
Create forwarding groups for each Cloud SWG port you configured a forward host for. For example, if you created forwarding hosts for ports 8080 and 8443, then you will create two forwarding groups, one for each port.
To create a forwarding group:
To edit the health check for your forwarding group:
Using either the CPL or the VPM, configure policy to reference the appropriate forwarding group names. For information on proxy forwarding policy, see: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/web-security-service/help/conn-matrix/conn-about-proxyforward/conn-fwdpolicy.html
Verify that your ProxySG appliance balances traffic equally among the Cloud SWG IP addresses.
To verify if load balancing is functioning: