Troubleshooting the network error: "Network (tcp_error) - A communication error occurred. "Operation timed out""
To troubleshoot the "Network (tcp_error) - A communication error occurred. "Operation timed out"" error message, collect a proxy policy trace and a PCAP (packet capture) of the failed web request and investigate both. An example capture is reviewed below:
From the above capture, we can determine that the client machine's request failed to return valid authentication credentials to the Edge SWG (formerly ProxySG) in frames 1421 and 1422, hence the FIN, ACK seen in frame 1422. This behavior changes in the frames that follow. See the snippet below.
From the capture above, we see that the TCP sessions eventually completed successfully: the CONNECT request to the Edge SWG (formerly ProxySG) can be seen in frame 1494, and the TLS communication begins with the "Client Hello" in frame 1497. However, the Edge SWG (formerly ProxySG) appliance never receives a "Server Hello" from the X.43.205.2 destination host. Investigating why the OCS (X.43.205.2) does not respond, so that the TLS handshake cannot proceed, led to the following finding:
The unending TCP retransmissions above account for the "Network (tcp_error)" communication errors; by contrast, access to the same URL was tested without error from our lab environment, with SSL interception and authentication enabled in policy (see snippet below).
The TCP retransmission mechanism ensures that data is reliably sent from end to end. If retransmissions are detected in a TCP connection, it is logical to assume that packet loss has occurred on the network somewhere between client and server. In this case, the Edge SWG (formerly ProxySG) appliance is the client, while the OCS is the server.
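The triage described above (Client Hello sent, no Server Hello returned, retransmissions piling up toward one host) can be automated over a packet-summary export. The following is an added example, not code from the article or from Broadcom; it runs over a constructed sample in the shape of a Wireshark/tshark summary (frame, source, destination, info), where 10.0.0.5 stands in for the appliance and 198.51.100.7 for a healthy origin (both assumed), and X.43.205.2 is the page's anonymised OCS.

```python
from collections import defaultdict

# Constructed sample summary lines (not the article's capture):
# "<frame> <src> <dst> <info>", as exported from a packet analyser.
SAMPLE_SUMMARY = """\
1497 10.0.0.5 X.43.205.2 Client Hello
1503 10.0.0.5 X.43.205.2 [TCP Retransmission] Client Hello
1510 10.0.0.5 X.43.205.2 [TCP Retransmission] Client Hello
1524 10.0.0.5 X.43.205.2 [TCP Retransmission] Client Hello
1600 10.0.0.5 198.51.100.7 Client Hello
1601 198.51.100.7 10.0.0.5 Server Hello
"""


def parse_summary(text):
    """Yield (frame, src, dst, info) tuples; blank or short lines are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield int(parts[0]), parts[1], parts[2], parts[3]


def triage_tls_handshakes(text, retrans_threshold=3):
    """Per destination host: count Client Hellos sent, Server Hellos received
    and retransmissions, then classify the handshake outcome."""
    stats = defaultdict(lambda: {"client_hello": 0, "server_hello": 0,
                                 "retransmissions": 0, "frames": []})
    for frame, src, dst, info in parse_summary(text):
        if "Server Hello" in info:
            # The reply comes from the origin, so key on the source address.
            stats[src]["server_hello"] += 1
        elif "[TCP Retransmission]" in info:
            # A retransmitted Client Hello is not a new handshake attempt.
            stats[dst]["retransmissions"] += 1
            stats[dst]["frames"].append(frame)
        elif "Client Hello" in info:
            stats[dst]["client_hello"] += 1
    for host, s in stats.items():
        if s["client_hello"] and s["server_hello"]:
            s["verdict"] = "handshake answered"
        elif s["retransmissions"] >= retrans_threshold:
            s["verdict"] = ("no Server Hello, repeated retransmissions: "
                            "suspect packet loss or a firewall drop toward the OCS")
        else:
            s["verdict"] = "no Server Hello yet: inconclusive"
    return dict(stats)


if __name__ == "__main__":
    for host, s in triage_tls_handshakes(SAMPLE_SUMMARY).items():
        print(host, "->", s["verdict"], "retransmitted frames:", s["frames"])
```

Feed it a real export by replacing SAMPLE_SUMMARY with the text of the analyser's summary pane; hosts flagged with the retransmission verdict are the ones to hand to the firewall team.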
To resolve this web access issue, we recommend that your network/firewall team investigate and allow access to the X.43.205.2 destination host. Reachability should be tested from the firewall and from within the Edge SWG (formerly ProxySG) appliance using the "traceroute" CLI command; for this, you may need to temporarily allow ICMP for the appliance on the firewall. Once the retransmissions stop and the OCS can send the Server Hello, we expect access to be restored.
TCP retransmissions usually indicate that a network problem (packet loss, for example) is being experienced.
The way it works:
Possible causes of retransmissions include but are not limited to: