ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Troubleshooting Network (tcp_error) - A communication error occurred. "Operation timed out"

book

Article ID: 227602

calendar_today

Updated On:

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Troubleshooting Network (tcp_error) - A communication error occurred. "Operation timed out" 

Resolution

To troubleshoot the "Network (tcp_error) - A communication error occurred. "Operation timed out"" error, the policy trace debug and PCAP, for the failed web request wwould be collected and investigated. See the outputs in the snippet below.

From the above capture, we saw that the client machine failed, in frames 1421 & 1422, to return a valid or correct authentication credentials to the ProxySG, hence the FIN, ACK seen in frame 1422. However, this changes in the later frames. See the snippet below.

From the capture in the snippet above, we see that the TCP sessions eventually completed, successfully, and the CONNECT request to the ProxySG can be seen in frame 1494 and the TLS communication begins with the "Client Hello" in frame 1497. However, the ProxySG appliance does not receive a "Server Hello" from the 185.43.205.2 destination host. Investigating the possible cause of the lack of response from the OCS (185.43.205.2), for the TLS communication to happen, we found the below.

The above, unending, TCP Retransmissions provides a valid proof of the lack of "Network (tcp_error)" communication error received, when access to the same URL was tested from our lab environment, with SSL Interception and authentication enabled in policy. See snippet below.

TCP Retransmission

The TCP retransmission mechanism ensures that data is reliably sent from end to end. If retransmissions are detected in a TCP connection, it is logical to assume that packet loss has occurred on the network somewhere between client and server. In this case, the ProxySG appliance is the client, while the OCS is the server.

To resolve this web access challenge, we recommend to have your network/firewall team investigate and allow access to the 185.43.205.2 destination host and that should be tested from the firewall and from within the ProxySG appliance, using the "traceroute" CLI command. For this, you may need to allow ICMP on the firewall, for the appliance, temporarily. Once the retransmission is resolved and the OCS can send the Server Hello, we expect that this access would be restored.