
Advanced Secure Gateway does not forward any traffic (blocking but no RST / FIN/ACK are seen)


Article ID: 175450


Products

Advanced Secure Gateway Software - ASG

Issue/Introduction

You are sending traffic to the ASG but receive no response of any kind. More specifically, you send a SYN but no SYN/ACK is received. Normally this would indicate a firewall issue, but not in this case. A packet capture taken on the ASG shows the client traffic reaching the proxy's intercepted port (proving that the firewall does not block it): the ASG proxy receives the SYN but does not send a SYN/ACK on the intercepted port. The pattern you will see will resemble this:

Cause

An ASG has two components within it: Proxy SG and CAS. At some point you had a failing health check on the internal CAS service and decided to manually disable the health check. In sysinfo the following can be found:

Content analysis services

  cas.bluecoat-local-response
    Disabled: Healthy      Last health was: Unknown      UP
    Last status: Success.
    Successes (total): 0      (last): Never      (consecutive): 0
    Failures  (total): 0      (last): Never      (consecutive): 0      (external): 0
    Last response time: 0 ms      Average response time: 0 ms
    Minimum response time: 0 ms      Maximum response time: 0 ms

 

Resolution

When the health check is manually disabled, the ASG interprets this as the CAS module being offline, not having booted, or having hit an error in its operation. As a safety feature, it then fails all attempts to connect through the proxy. To fix this issue, set the health check back to Enabled; SYN packets will then receive a SYN/ACK.
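A check for this condition over a saved sysinfo, as an added example that is not part of the original article or the vendor's tooling: it parses the health-check block shown under Cause and reports any cas.* check whose status line begins with Disabled. The two-space and four-space indentation is assumed from the excerpt above, and the example.enabled-check entry with its Enabled line is constructed for illustration.

```python
import re

# Constructed sample: the first entry is the sysinfo excerpt from this article;
# the second entry (name and "Enabled" line) is a constructed placeholder.
SAMPLE_SYSINFO = """\
Content analysis services

  cas.bluecoat-local-response
    Disabled: Healthy      Last health was: Unknown      UP
    Last status: Success.
    Successes (total): 0      (last): Never      (consecutive): 0

  example.enabled-check
    Enabled      OK      UP
    Last status: Success.
"""

# Assumption: names are indented two spaces, detail lines four spaces.
NAME_RE = re.compile(r"^ {2}(\S+)\s*$")
STATE_RE = re.compile(r"^ {4}(Enabled|Disabled)\b")


def parse_health_checks(sysinfo_text):
    """Return {check_name: first status line} for each health check found."""
    checks, current = {}, None
    for line in sysinfo_text.splitlines():
        name = NAME_RE.match(line)
        if name:
            current = name.group(1)
        elif current and current not in checks and STATE_RE.match(line):
            checks[current] = line.strip()
    return checks


def disabled_cas_checks(sysinfo_text):
    """Names of cas.* health checks whose status line starts with 'Disabled'."""
    return sorted(
        name for name, status in parse_health_checks(sysinfo_text).items()
        if name.startswith("cas.") and status.startswith("Disabled")
    )


if __name__ == "__main__":
    for name in disabled_cas_checks(SAMPLE_SYSINFO):
        print(f"{name}: health check disabled; expect SYNs with no SYN/ACK")
```

Running the same check after the health check is set back to Enabled should report nothing.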
