
Certain users cannot browse Websites with WSS Agent when connecting to GAEAD1


Article ID: 242946


Products

Web Security Service - WSS

Issue/Introduction

Users access the internet via WSS using WSS Agent.

Most users work fine, but occasionally some users cannot browse any sites via WSS even though the tunnel is up. The browser reports connection errors for all websites, and no sites work.

When the problem occurs, it often goes away when the user simply reconnects their WSS Agent tunnel.

Workstation PCAPs show TCP SYN requests going into the WSS tunnel, but no responses are ever received.

Environment

WSS Agent

Cause

Routing issues within WSS when users are assigned certain NATed IP addresses.

Specific to the GAEAD1 data center.

Resolution

The proxy routing table was changed and return-to-sender was disabled to fix the issue.

Additional Information

PCAPs on the WSS Proxy (one specific session highlighted) showed inbound TCP SYN requests with the corresponding SYN-ACK responses, but those responses never appeared to reach the agent.

On the next-hop device after the proxy, we could see that these SYN-ACKs were missing. The proxy PCAP showed that they were sent out the wrong interface due to routing issues, so they never reached the next hop toward the agent, and therefore never reached the agent.
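The two-capture comparison described above can be scripted. This is an added example, not vendor code: it assumes each capture was exported to text with the `tshark` field list shown in the first comment, and the function names and sample rows are constructed for illustration.

```python
# Added example (not vendor code). Input rows are the text export of:
#   tshark -r capture.pcap -Y tcp -T fields \
#     -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags
SYN, ACK = 0x02, 0x10

def handshake_state(rows):
    """Map (client, cport, server, sport) -> 'answered' or 'unanswered'."""
    flows = {}
    for row in rows:
        parts = row.split()
        if len(parts) != 5:
            continue                        # malformed or non-IPv4 row
        src, sport, dst, dport, flags = parts
        bits = int(flags, 16)
        if bits & SYN and not bits & ACK:
            # Client SYN; retransmissions land on the same key.
            flows.setdefault((src, sport, dst, dport), "unanswered")
        elif bits & SYN and bits & ACK:
            key = (dst, dport, src, sport)  # SYN-ACK travels the reverse way
            if key in flows:
                flows[key] = "answered"
    return flows

def unanswered_ratio(rows):
    """Fraction of client SYN flows with no SYN-ACK; None if no SYNs seen."""
    states = handshake_state(rows)
    if not states:
        return None
    return sum(s == "unanswered" for s in states.values()) / len(states)

def locate_loss(workstation_rows, proxy_rows):
    """Compare the two capture points the article describes."""
    ws, px = unanswered_ratio(workstation_rows), unanswered_ratio(proxy_rows)
    if ws is None or px is None:
        return "no client SYNs in one of the captures"
    if ws == 0:
        return "handshakes complete at the workstation"
    if px < ws:
        return "SYN-ACKs are sent by the proxy but lost on the return path"
    return "no SYN-ACKs at the proxy either: check the proxy or upstream"

# Constructed sample rows (documentation addresses; 198.51.100.7 stands in
# for the NATed address the proxy sees for the client).
WORKSTATION = ["192.0.2.10\t50001\t203.0.113.80\t443\t0x0002",
               "192.0.2.10\t50001\t203.0.113.80\t443\t0x0002",  # retransmit
               "192.0.2.10\t50002\t203.0.113.81\t443\t0x0002"]
PROXY = ["198.51.100.7\t50001\t203.0.113.80\t443\t0x0002",
         "203.0.113.80\t443\t198.51.100.7\t50001\t0x0012",
         "198.51.100.7\t50002\t203.0.113.81\t443\t0x0002",
         "203.0.113.81\t443\t198.51.100.7\t50002\t0x0012"]
```

Because the client address is NATed between the two capture points, the script compares per-capture ratios rather than matching individual flows by IP address.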
