Unable to access some data on a website

Article ID: 231817

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users at one location are unable to view all details from an application. Instead of seeing a page full of information, they get a message on the main page that no data was available to display.

Environment

IPSEC access method

Cisco Viptela IPSEC router

Resolution

IPsec users cannot send TCP segments above a certain size because the MTU on the Cisco Viptela router was set too high. Reducing the MTU to 1480 on the IPsec interface allowed the request through.

Additional Information

IPsec router related information: https://community.cisco.com/t5/network-security/mtu-problem-with-ipsec-tunnel/m-p/633026

HAR file showed that most of the requests were responded to without issues, but POST requests to a REST endpoint did not appear to be successful. The status returned indicated a connection reset message, which would imply the connection initially completed but encountered an issue that caused it to reset.

Using the information from the HAR file above, we took a PCAP on the same host and focused on requests to the problem domain. A number of sessions to this domain showed the same pattern: the TCP connection would complete without issues and data would be exchanged. Then the client (10.250.50.75) would transmit data with a certain payload and would never get an ACK from the upstream server (13.77.45.34) for these payloads. The upstream server would re-request the missing TCP segments, which the client would try to resend, but again no ACK would come back and the client would eventually reset the connection.

A corresponding PCAP on the WSS side showed that the missing segments were never reaching WSS. Looking at the IP identifier in the packet below, we see that WSS got the reset (a small TCP segment) with IP identifier 37562. The previous TCP segment received from the client had IP identifier 37552, i.e. the IP packets with identifiers 37553 to 37561 were missing. Interestingly, all the missing TCP segments had a length of 1384. The Viptela firewall was not sending these larger TCP segments into WSS.
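The IP-ID gap check described above, written out as an added example (not code from the article): it compares a client-side packet list with the WSS-side list, reports the IP identifiers that never arrived, and flags the drop as size-dependent when every lost segment is larger than every delivered one. The packet lists are constructed; only the IP-ID range (37552 delivered, 37553 to 37561 missing, 37562 the RST) and the 1384-byte payload length come from the text.

```python
from collections import namedtuple

# Constructed sample data, not the article's PCAPs: only the IP-ID range and
# the 1384-byte payload length are taken from the description above.
Pkt = namedtuple("Pkt", "ip_id tcp_len")

def client_capture():
    """Client-side PCAP view: everything the client put on the wire."""
    pkts = [Pkt(37549, 0), Pkt(37550, 517), Pkt(37551, 0), Pkt(37552, 1200)]
    pkts += [Pkt(i, 1384) for i in range(37553, 37562)]  # full-size segments
    pkts.append(Pkt(37562, 0))                            # RST, tiny packet
    return pkts

def wss_capture():
    """WSS-side PCAP view: the full-size segments never arrived."""
    return [p for p in client_capture() if p.tcp_len < 1384]

def ip_id_gaps(client_pkts, upstream_pkts):
    """Packets the client sent that the upstream capture never saw, in send order."""
    seen = {p.ip_id for p in upstream_pkts}
    return [p for p in client_pkts if p.ip_id not in seen]

def diagnose(client_pkts, upstream_pkts, ip_hdr=20, tcp_hdr=20):
    """Summarise the gap; 'size_dependent' is True when every lost segment is
    larger than every delivered one, the signature of a path-MTU problem."""
    lost = ip_id_gaps(client_pkts, upstream_pkts)
    delivered = [p for p in client_pkts if p not in lost]
    lost_lens = sorted({p.tcp_len for p in lost})
    max_delivered = max(p.tcp_len for p in delivered)
    return {
        "missing_ip_ids": [p.ip_id for p in lost],
        "lost_payload_lengths": lost_lens,
        "largest_delivered_payload": max_delivered,
        "size_dependent": bool(lost) and min(lost_lens) > max_delivered,
        # minimum on-wire size (no TCP options) before IPsec adds its own overhead
        "min_wire_bytes_of_lost": (min(lost_lens) + ip_hdr + tcp_hdr) if lost else 0,
    }

if __name__ == "__main__":
    for key, value in diagnose(client_capture(), wss_capture()).items():
        print(f"{key}: {value}")
```

With real captures, the same comparison can be fed from a tshark export of the ip.id and tcp.len fields taken on both sides of the tunnel.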
