Latency and connection timeouts in reverse proxy deployments

Article ID: 438082


Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

You experience significant connectivity issues when connecting to applications through an Edge SWG (ProxySG) acting as a reverse proxy. Symptoms include:

  • Connection timeouts
  • Severe latency during the TLS handshake
  • A delay of 4–7 seconds observed immediately following the 'change cipher spec' message

Environment

  • Product: Edge SWG (ProxySG)
  • Version: Versions prior to SGOS 7.3.15.1
  • Deployment: Reverse Proxy

Cause

The issue is caused by a software defect (SG-34115) in the SSL client session cache architecture. Under high-volume traffic, the cache reaches its maximum limit. Under this condition the session management process enters costly CPU loops due to long search chains, leading to extreme latency.

Resolution

Upgrade to SGOS 7.3.15.1 or later. These versions include architectural enhancements to the reverse proxy session cache that increase its size and speed, specifically addressing the performance bottlenecks.


Workaround

If you cannot upgrade immediately, you can mitigate the latency by manually disabling the session cache using the following CLI command:

#(config ssl) disable-session-cache-clientmap


Additional Information

You can monitor the cache status using the SSLGEN9.1 (cache fullness) and SSLGEN9.8 (session reuse) statistics.

Disabling clientmap can be reverted with:

#(config ssl) enable-session-cache-clientmap

To confirm the session-cache-clientmap status, use the advanced URL /registry/show and look for the following entry:

When Disabled:

    config:secure_services:disable-clientmap-sesscache bool = true

When Enabled:

    config:secure_services:disable-clientmap-sesscache bool = false
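
To check a packet capture for the symptom described above (a multi-second gap immediately after 'change cipher spec'), the following added example, which is not part of the original article or vendor tooling, scans per-stream TLS record timings and reports handshakes that stall for 4 seconds or more. It assumes tab-separated rows of relative time, TCP stream index and TLS record content types, sorted by time, such as `tshark -T fields -e frame.time_relative -e tcp.stream -e tls.record.content_type` produces; the sample rows are constructed.

```python
import csv
import io

CHANGE_CIPHER_SPEC = "20"  # TLS record content type for ChangeCipherSpec

# Constructed sample rows (not from a real capture): relative time in seconds,
# TCP stream index, TLS record content types carried in the frame.
SAMPLE = """\
0.000\t0\t22
0.012\t0\t22
0.015\t0\t22,20,22
0.021\t0\t20,22
0.030\t0\t23
1.000\t1\t22
1.010\t1\t22
1.014\t1\t22,20,22
6.420\t1\t20,22
6.431\t1\t23
"""


def ccs_stalls(tsv_text, threshold=4.0):
    """Return [(stream, ccs_time, gap)] for every ChangeCipherSpec frame whose
    next TLS frame in the same TCP stream arrived >= threshold seconds later.
    The 4.0 s default is the lower bound of the delay the article describes."""
    pending = {}  # stream -> time of the most recent frame carrying a CCS
    stalls = []
    for row in csv.reader(io.StringIO(tsv_text), delimiter="\t"):
        if len(row) < 3 or not row[2]:
            continue  # blank line, or a frame with no TLS record (e.g. bare ACK)
        t, stream, types = float(row[0]), row[1], row[2].split(",")
        if stream in pending:
            ccs_time = pending.pop(stream)
            gap = t - ccs_time
            if gap >= threshold:
                stalls.append((stream, ccs_time, round(gap, 3)))
        if CHANGE_CIPHER_SPEC in types:
            pending[stream] = t
    return stalls


if __name__ == "__main__":
    for stream, ccs_time, gap in ccs_stalls(SAMPLE):
        print(f"tcp.stream {stream}: {gap}s stall after ChangeCipherSpec at {ccs_time}s")
```

Running the same check on captures taken before and after the upgrade or workaround shows whether the stalls have cleared.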