Users experience connection timeouts when browsing through an SGOS appliance: the browser returns ERR_TIMED_OUT for a request, or the page takes a very long time to start loading. The same page may load fine on a subsequent attempt.
The same page loads fine when accessed directly, without the SGOS appliance in the network path.
A policy trace on the SGOS appliance shows a high server host categorization time for the request (note the 19832 under server.certificate.hostname.category against 0 for url.category):
unknown ssl://example.com:443/
DNS lookup was unrestricted
user: unauthenticated
authentication status='not_attempted' authorization status='not_attempted'
user: authenticated=false authorized=true relative username=''
supplier.ip:
supplier.country: None
supplier.failures: -
verdict: ALLOW (intercept https)
url.category: none@Policy;none@IWF;unavailable@Local;Government/Legal@Blue Coat
category groups: Non-Productive@Blue Coat;Society/Government@Blue Coat
total categorization time: 0
static categorization time: 0
server.certificate.hostname.category: none@Policy;none@Blue Coat;none@IWF;unavailable@Local
category groups: none
total categorization time: 19832
static categorization time: 19832
The SGOS appliance determines server host categories from the server certificate, using its CN and SAN entries. To do so it attempts DNS resolution of each SAN entry in the certificate. If a SAN entry has no valid DNS record (the DNS server returns an error) or the DNS server does not answer the query at all, SGOS retries the lookup until it receives a response or reaches the maximum number of retries. The accumulated delay can exceed the client's TCP socket timeout, which is what produces the timeout in the browser.
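As an added example (not code from the article or from Symantec/Broadcom), the Python script below triages policy trace text of the shape shown above: it attributes each "total categorization time" to the categorization stage it follows and flags the slow one, so many traces can be checked for this signature at once. It assumes the layout in the article (a category line followed by its "category groups" and timing lines), treats the times as milliseconds, and uses an arbitrary 5000 ms threshold; the trace embedded in it is constructed to mirror the one above.

```python
"""Triage SGOS policy traces: map each 'total categorization time' to the
categorization stage it belongs to and flag the slow ones.

Added example, not code from the article or from Symantec/Broadcom. Assumes
the trace layout shown in the article and that times are in milliseconds;
the 5000 ms threshold is an arbitrary choice for the sample.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample built to match the shape of the trace in the article.
SAMPLE_TRACE = """\
unknown ssl://example.com:443/
DNS lookup was unrestricted
verdict: ALLOW (intercept https)
url.category: none@Policy;none@IWF;unavailable@Local;Government/Legal@Blue Coat
category groups: Non-Productive@Blue Coat;Society/Government@Blue Coat
total categorization time: 0
static categorization time: 0
server.certificate.hostname.category: none@Policy;none@Blue Coat;none@IWF;unavailable@Local
category groups: none
total categorization time: 19832
static categorization time: 19832
"""

CERT_STAGE = "server.certificate.hostname.category"
STAGE_RE = re.compile(r"^([\w.]+\.category):")
TOTAL_RE = re.compile(r"^total categorization time:\s*(\d+)$")


def categorization_times(trace: str) -> Dict[str, int]:
    """Map each *.category stage to its 'total categorization time'.

    The trace prints the timing lines after the stage they apply to, so the
    parser remembers the most recent stage line and assigns the next total
    to it.
    """
    stage = None
    times: Dict[str, int] = {}
    for raw in trace.splitlines():
        line = raw.strip()
        m = STAGE_RE.match(line)
        if m:
            stage = m.group(1)
            continue
        m = TOTAL_RE.match(line)
        if m and stage is not None:
            times[stage] = int(m.group(1))
            stage = None  # one total per stage
    return times


def slow_stages(trace: str, threshold_ms: int = 5000) -> List[Tuple[str, int]]:
    """Stages whose categorization time exceeds the threshold, slowest first."""
    hits = [(s, t) for s, t in categorization_times(trace).items() if t > threshold_ms]
    return sorted(hits, key=lambda st: st[1], reverse=True)


def matches_article_symptom(trace: str, threshold_ms: int = 5000) -> bool:
    """The pattern this article describes: DNS lookups were unrestricted and
    the certificate-hostname stage, not the URL stage, is the slow one."""
    times = categorization_times(trace)
    return ("DNS lookup was unrestricted" in trace
            and times.get(CERT_STAGE, 0) > threshold_ms
            and times.get("url.category", 0) <= threshold_ms)


if __name__ == "__main__":
    for stage, ms in slow_stages(SAMPLE_TRACE):
        print(f"slow stage: {stage} took {ms} ms")
    print("matches SAN DNS lookup symptom:", matches_article_symptom(SAMPLE_TRACE))
```

Feed real traces to `slow_stages()` or `matches_article_symptom()` after pasting them from the appliance; a trace where url.category is also slow points at a different problem (for example the categorization service itself) rather than the SAN lookups described here.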
To confirm this is the cause, collect a packet capture on the SGOS appliance with the following filter while reproducing the issue:
ip host <CLIENT_IP> or ip host <OCS_IP> or port 53
In Wireshark, filter the collected pcap to the downstream (client to proxy) and upstream (proxy to OCS) TCP streams together with the DNS traffic. For instance, use the following filter, replacing <UP_ID> and <DOWN_ID> with the TCP stream IDs of the upstream and downstream connections:
tcp.stream in {<UP_ID>,<DOWN_ID>} or dns
Then look for DNS resolution attempts that follow the Server Hello and Certificate messages of the TLS handshake from the OCS. The queried names correspond to the SAN entries of the server certificate; the entry that is queried repeatedly without a usable answer is the one causing the delay.
To resolve the issue, add the SAN DNS entry that fails to resolve to the restricted DNS list in the SGOS policy, so the appliance no longer attempts to resolve it:
In VPM:
Under Configuration -> DNS Lookup Restrictions, select the Listed restriction option, add the DNS hostname to the list and apply the changes.
In CPL:
restrict dns
www.example.com
end
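As an added example covering both the diagnosis (which SAN entries fail to resolve) and the fix (the restrict dns block), the Python script below checks a list of SAN hostnames with a pluggable resolver and renders the CPL for the failing ones. It is not code from the article or from Symantec/Broadcom. It assumes the SAN list has already been extracted (from the Certificate message in the pcap or from `openssl s_client -showcerts`), that wildcard SANs such as *.example.com are skipped rather than resolved (this script's own choice; how SGOS treats them is not stated in the article), and the sample SAN list and DNS answers in it are constructed so the check runs offline.

```python
"""Find which SAN entries of a server certificate fail to resolve and render
the SGOS CPL 'restrict dns' block that excludes them from the lookup.

Added example, not code from the article or from Symantec/Broadcom. Assumes
the SAN list was extracted out of band; the resolver is a parameter so the
check can run offline against constructed answers.
"""
import socket
from typing import Callable, Dict, Iterable, List

RESOLVED = "resolved"
NO_RECORD = "no-record"          # resolver answered with an error (e.g. NXDOMAIN)
NO_ANSWER = "no-answer"          # resolver gave up without any answer
SKIPPED = "skipped-wildcard"     # '*.example.com' is not a resolvable name (assumption)


def system_resolver(hostname: str) -> str:
    """Resolve through the OS stub resolver.

    getaddrinfo() has no per-call timeout: it blocks for the OS resolver's own
    retry budget (resolv.conf 'timeout'/'attempts' on Linux) and then raises
    gaierror with EAI_AGAIN, which corresponds to the 'no answer' case.
    """
    try:
        socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
        return RESOLVED
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            return NO_ANSWER
        return NO_RECORD


def check_sans(sans: Iterable[str],
               resolver: Callable[[str], str] = system_resolver) -> Dict[str, str]:
    """Resolve each SAN once and record the outcome per entry."""
    results: Dict[str, str] = {}
    for name in sans:
        results[name] = SKIPPED if name.startswith("*.") else resolver(name)
    return results


def failing_sans(results: Dict[str, str]) -> List[str]:
    """SAN entries that produced no usable answer, in a stable order."""
    return sorted(name for name, outcome in results.items()
                  if outcome in (NO_RECORD, NO_ANSWER))


def cpl_restrict_dns(hostnames: Iterable[str]) -> str:
    """Render the CPL block in the form the article shows (restrict dns ... end)."""
    body = [f"    {host}" for host in hostnames]
    return "\n".join(["restrict dns", *body, "end"])


# Constructed sample: a SAN list and the DNS answers one might see in the
# capture. 'old-cdn.example.com' gets NXDOMAIN, while 'mail.example.net'
# never gets an answer and is retried until SGOS gives up.
SAMPLE_SANS = ["example.com", "www.example.com", "*.example.com",
               "old-cdn.example.com", "mail.example.net"]
SAMPLE_ANSWERS = {"example.com": RESOLVED, "www.example.com": RESOLVED,
                  "old-cdn.example.com": NO_RECORD, "mail.example.net": NO_ANSWER}


def sample_resolver(hostname: str) -> str:
    """Offline stand-in for system_resolver, driven by SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get(hostname, NO_RECORD)


def run_sample():
    """Check the constructed SAN list and build the CPL for the failing names."""
    results = check_sans(SAMPLE_SANS, resolver=sample_resolver)
    failing = failing_sans(results)
    return results, failing, cpl_restrict_dns(failing)


if __name__ == "__main__":
    results, failing, cpl = run_sample()
    for name, outcome in results.items():
        print(f"{name:25} {outcome}")
    print(cpl)
```

Run `check_sans(sans)` without the resolver argument to test against the real DNS servers the appliance uses (from a host that shares its resolver configuration); each NO_ANSWER entry takes the full OS retry budget, which is the same delay the appliance suffers before the socket times out.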