The SOCKS access log's s-action field contains many FAILED entries

Article ID: 213779

Products

ProxySG Software - SGOS
Advanced Secure Gateway Software - ASG

Issue/Introduction

ProxySG is intercepting the SOCKS protocol, and SOCKS traffic itself works without problems.
However, the SOCKS access log shows many entries with FAILED in the s-action field, every 5 seconds.

  • ProxySG intercepts the SOCKS protocol
  • Access logging has been modified and enabled for SOCKS traffic
  • A load balancer runs a health check against ProxySG's SOCKS port (the c-ip in these entries is the load balancer's IP address)

The load balancer's health check, a TCP three-way handshake, completes without problems.
Why does ProxySG treat the load balancer's health check traffic as FAILED?

Environment

Release : SGOS6.7.x.x

Component : accesslog

Cause

ProxySG does not distinguish between normal SOCKS traffic and health check traffic.
The health check ends as soon as the TCP three-way handshake completes successfully, but ProxySG is still waiting for the SOCKS traffic that should follow, so it treats the connection as having ended unexpectedly.

Resolution

ProxySG can be told, by policy in the Web Access Layer, not to write specific traffic to the access log.

===========VPM CPL==================================
; Matches any transaction that arrived over SOCKS
define condition __PROTO_1
    socks=yes
end condition __PROTO_1

;; Tab: [Web Access Layer (1)]
<Proxy>
    ; Do not log SOCKS transactions from the load balancer
    client.address=XXX.XXX.XXX.XXX/32 condition=__PROTO_1 access_log(no) ; Rule 1
===========VPM CPL==================================
XXX.XXX.XXX.XXX is the load balancer's IP address.
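
Because the rule above removes all SOCKS log entries for one client address, it is worth confirming first that the FAILED entries really come from the load balancer at the health-check interval. The following Python script is an added example, not part of the original article or of ProxySG: it tallies FAILED entries per c-ip and reports the addresses whose entries recur about every 5 seconds. It assumes an ELFF-style access log with a `#Fields:` header that includes `date`, `time`, `c-ip` and `s-action`; the sample log, the addresses and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample, not from a real appliance. Assumes an ELFF-style log
# whose "#Fields:" directive names the space-separated columns.
SAMPLE_LOG = """\
#Software: SGOS (constructed sample)
#Fields: date time c-ip s-action
2021-04-01 10:00:00 192.0.2.10 FAILED
2021-04-01 10:00:02 198.51.100.7 ALLOWED
2021-04-01 10:00:05 192.0.2.10 FAILED
2021-04-01 10:00:10 192.0.2.10 FAILED
2021-04-01 10:00:11 198.51.100.7 FAILED
2021-04-01 10:00:15 192.0.2.10 FAILED
"""

def failed_by_client(log_text):
    """Return {c-ip: (FAILED count, median seconds between FAILED entries)}."""
    fields, stamps = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if row.get("s-action") == "FAILED":
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            stamps[row["c-ip"]].append(ts)
    report = {}
    for ip, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = (len(times), median(gaps) if gaps else None)
    return report

def periodic_sources(report, interval=5.0, tolerance=1.0, min_hits=3):
    """Clients whose FAILED entries recur at roughly the health-check interval."""
    return sorted(ip for ip, (n, gap) in report.items()
                  if n >= min_hits and gap is not None and abs(gap - interval) <= tolerance)

if __name__ == "__main__":
    rep = failed_by_client(SAMPLE_LOG)
    print(rep, periodic_sources(rep))
```

Any address that shows FAILED entries but is not reported as periodic, such as 198.51.100.7 in the sample, is not health-check traffic and should stay in the access log.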