"Unknown" content in SYN packets causes some websites to refuse connections from ADN-enabled web gateway proxies.


Article ID: 167068



ProxySG Software - SGOS


Some websites (observed, for example, with www.pisiffik.gl and some French government sites) ignore SYN packets sent by the proxy, so the end user receives a TCP_ERROR exception page even though other websites are unaffected. A packet capture shows a series of SYN packets sent by the proxy that get no response, exactly as if the site were down.

However, if the client bypasses the proxy, everything works, and online testing sites confirm that the site is up.

Finally, if ADN is disabled entirely, access resumes.



A packet capture shows that in each SYN packet for HTTP port 80, the proxy adds a small amount of unknown data (see attached image), around 15-20 bytes. This is the ADN serial number needed to allow an ADN tunnel to be established with any other peer. It is added in a transparent, open ADN network because the proxy does not yet know, at this stage, which ADN peers the traffic will reach. Some web servers therefore treat a SYN carrying data as malicious and ignore the incoming connection.
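To check a capture for the symptom described above, the following added example (not part of the article or of SGOS) parses raw Ethernet/IPv4/TCP frames and flags bare SYN segments that carry a payload; the addresses, ports and 18-byte filler are constructed test data.

```python
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

def parse_frame(frame):
    """Parse an Ethernet II / IPv4 / TCP frame; return None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                      # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4    # TCP header length including options
    return {"src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "flags": off_flags & 0x1FF, "payload": tcp[data_off:]}

def syn_with_payload(frames):
    """Return (index, src, sport, dst, dport, payload_len) for each bare SYN that
    carries data. TCP Fast Open also places data in a SYN, so correlate hits
    with the proxy's ADN settings rather than treating them as proof."""
    hits = []
    for i, f in enumerate(frames):
        p = parse_frame(f)
        if p and (p["flags"] & SYN) and not (p["flags"] & ACK) and p["payload"]:
            hits.append((i, p["src"], p["sport"], p["dst"], p["dport"], len(p["payload"])))
    return hits

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed test frame (checksums left at zero; the parser does not verify them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

# Constructed sample: a proxy at 10.0.0.5 opening port 80 on an example server.
SAMPLE = [
    build_frame("10.0.0.5", "203.0.113.10", 40000, 80, SYN, b"X" * 18),  # SYN plus ADN-style bytes
    build_frame("10.0.0.5", "203.0.113.10", 40001, 80, SYN),             # clean SYN
    build_frame("203.0.113.10", "10.0.0.5", 80, 40001, SYN | ACK),       # SYN-ACK, no data
    build_frame("10.0.0.5", "203.0.113.10", 40001, 80, PSH | ACK, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in syn_with_payload(SAMPLE):
        print("frame %d: %s:%d -> %s:%d SYN carries %d bytes of data" % hit)
```

Only the first frame is reported; a SYN-ACK or a data segment on an established connection is expected to carry data and is ignored.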

The solution is to separate the services the proxy uses: put the ADN traffic on a service listener bound to a port reserved for it, so that ADN can be disabled for the standard port 80 web gateway traffic, which in turn stops this content from being added to the port 80 SYN packets.

If, for example, you have an ADN-enabled listener on port 80 for your ADN traffic, change your ADN configuration so it uses another port. This allows you to disable ADN on the port 80 listener. Any other solution would require a separate proxy dedicated to internet-facing traffic.

To summarize:

1- Switch all internal HTTP traffic to a new port, e.g. 8080: create a new service "Explicit HTTP port 8080" on both core and edge proxies, and enable ADN for this service.

2- Modify client browser settings to use the new "internal" port, in this case 8080.

3- Disable ADN for the HTTP service using port 80 on the internet gateway proxy (typically the Core ADN peer).