search cancel

Users running WSS agent unable to connect to WebexEx meeting

book

Article ID: 228429

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

WSS agent used to access internet via WSS

WSS agent users in Office are unable to connect to Webex meetings. As soon as they click Join Meeting button, they see infinite "connecting" message.

All Webex traffic is bypassed from WSS, and is technically not going into WSS

Joining meeting from home network on same laptop works fine

Uninstalling WSSA from one of the impacted machine allowed office users to work fine - users would egress to internet via on-prem proxies using that route and not same path as non proxy traffic!

 

Cause

Internal Cisco router configured with MTU that caused large packets coming into WSS agent host from Webex servers to be dropped

Environment

Users not egressing to internet directly for traffic from WSS Agents - GRE connection over Cisco router from local office to internet egress point

Non agent traffic sent to local proxy that egresses directly to internet

Egressing directly has no issues

Resolution

Reduce IP MTU size of local Cisco router 

Office site uses GRE to backhauls traffic to corporate data center before egressing out to internet via WSS. With the advertised MTU size, large payloads coming back from the Webex server would be blocked by an intermediate router and not make it to the WSS agent host. These large payloads included SSL cert information, which in turns caused the SSL handshake to fail. To address the issue, we dropped the MTU from 1476 to 1400. This means that the TCP MSS sent out with TCP SYN requests was smaller, which Webex used to reduce size of payload and bypass any MTU issues with intermediate routers.

interface Tunnel2
description WAN Internet VPN from BLA to SYD
ip unnumbered Loopback1
ip mtu 1476   <<< Reduce to 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0.10
tunnel destination 111.111.111.111

Additional Information

As you can see in the captures below, the working case (Guest wifi link going through onprem proxy) shows client proposed 1460 of MSS in TCP SYN, and the the server side sends back payloads that we can accept taking the network pth 

In the non-working case, taking a different network path, we also advertise an MSS of 1460 in the TCP SYN but you can see that we keep re-requesting TCP segments from the server side.

Reducing the advertised MSS means that the server will send smaller payloads back to the client, and no intermediate devices end up blocking these packets.  

 

// Working PCAPs from WSS agent workstation

// Non working machine

Attachments