rafasere
Level 7

fin,ack from proxy

Hi

I am having a problem with a client's proxy

He is using Web Gateway 7.4.2.2.0.

We are running an app on a PC, which establishes a secure connection to our server and inserts information into that server over the internet, going through the proxy.

I see recurrent alarms that say service down, and then service up, regularly.

When I run Wireshark on the PC, I see that TCP+TLS connections open OK, then some keepalive packets come and go, and then I see a packet from the proxy that has the FIN,ACK flags set; the app answers ACK, and then answers RST,ACK to the proxy.

proxy: FIN,ACK   seq=591  ack=817

app: ACK       seq=817   ack=592

app: RST,ACK  seq=817   ack=592

Then the app starts the regular SYN-ACK sequence to re-establish the channel, and the cycle runs periodically (down and up).

Does anyone have an idea what could be happening?

I also see the same pattern for a regular HTTP connection (not a TLS)

thanks

I can attach filtered and unfiltered captures

0 Kudos
10 Replies
asabban
Level 17

Re: fin,ack from proxy

How much time elapses between establishing the connection and MWG sending the Fin,Ack? Probably this is a timeout that steps in when no application data is passed through.

Best,

Andre

0 Kudos
rafasere
Level 7

Re: fin,ack from proxy

Hi

I don't know exactly, let me check, but when there is no data sent at the app level, I see keep-alive messages going. Let me see and I'll be back.

thanks

0 Kudos
rafasere
Level 7

Re: fin,ack from proxy

asabban

Here's the conversation (filtered to only the packets in the conversation). I hope it helps, thanks.

capture.jpg

0 Kudos
asabban
Level 17

Re: fin,ack from proxy

Hello,

The link/image throws a 403, so we cannot see it.

Best,

Andre

0 Kudos
rafasere
Level 7

Re: fin,ack from proxy

Here it goes again, I hope you can see it.

thanks again

captura2.jpg

0 Kudos
asabban
Level 17

Re: fin,ack from proxy

Hello,

In frames 602/603 the last pieces of application data are exchanged. Then in frame 2533 MWG closes the connection. If you look at the time, you will notice that there are 2 minutes where no data was exchanged. I am pretty sure this is a timeout MWG runs into. Please note that the keep-alives you see are TCP keep-alives, which keep the TCP connection up and running. Nevertheless, no application data is exchanged between client and server, which means MWG sees an "idle" HTTP(S) session, which is eliminated by the proxy.

What is the reason there is no data exchanged?

If this is plain HTTPS, e.g. you are transferring HTTP through the tunnel (GET/POST requests), you may want to close the connection after you received the last object and open a new connection when another object is fetched. If there is some kind of proprietary data flowing through MWG to proxy non-HTTP traffic, you may need to send keep-alives on the application layer in order to keep the session up and running (note that keeping connections open longer than necessary is not a good idea for a proxy, from a performance perspective).

From what I can see MWG behaves as expected. Maybe you can provide some more insight into what you are trying to achieve so we could better understand and make a suggestion to solve the problem.

Best,

Andre

0 Kudos
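The reasoning in the reply above (last application data in frames 602/603, TCP keepalives in between, FIN from the proxy two minutes later) can be automated over a packet summary exported from Wireshark. The following is an added example, not code from the thread or from Web Gateway: it parses a constructed CSV summary with assumed addresses (10.0.0.1 for the proxy, 10.0.0.5 for the client PC), finds the first FIN the proxy sent, measures the gap since the last payload-carrying packet, and counts the pure-ACK keepalives that kept TCP up without counting as application activity.

```python
import csv
import io

# Assumed addresses for the constructed sample (not from the poster's capture).
PROXY_IP = "10.0.0.1"
CLIENT_IP = "10.0.0.5"

# Constructed packet summary: frame, relative time (s), source, destination,
# TCP flags, TCP payload length. Its shape follows the thread: application
# data in frames 602/603, zero-payload TCP keepalives while the app is silent,
# then a FIN,ACK from the proxy about two minutes after the last payload.
SAMPLE_CAPTURE = """\
frame,time,src,dst,flags,payload
600,10.000,10.0.0.5,10.0.0.1,ACK,0
602,10.120,10.0.0.5,10.0.0.1,PSH ACK,517
603,10.134,10.0.0.1,10.0.0.5,PSH ACK,300
900,55.134,10.0.0.5,10.0.0.1,ACK,0
901,55.135,10.0.0.1,10.0.0.5,ACK,0
1700,100.134,10.0.0.5,10.0.0.1,ACK,0
1701,100.135,10.0.0.1,10.0.0.5,ACK,0
2533,130.140,10.0.0.1,10.0.0.5,FIN ACK,0
2534,130.141,10.0.0.5,10.0.0.1,ACK,0
2535,130.141,10.0.0.5,10.0.0.1,RST ACK,0
"""


def parse_capture(text):
    """Parse the CSV summary into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "frame": int(row["frame"]),
            "time": float(row["time"]),
            "src": row["src"],
            "dst": row["dst"],
            "flags": set(row["flags"].split()),
            "payload": int(row["payload"]),
        })
    return rows


def is_tcp_keepalive(pkt):
    """A pure ACK carrying no payload: it keeps the TCP session alive but
    contains no application data, so a proxy tracking HTTP(S) activity
    does not treat it as traffic."""
    return pkt["payload"] == 0 and pkt["flags"] == {"ACK"}


def analyze_close(text, proxy_ip, idle_threshold=60.0):
    """Explain a proxy-initiated close.

    Finds the first FIN sent by proxy_ip, measures the time since the last
    packet that carried application data, and counts the TCP keepalives in
    between. Returns None if that host never sent a FIN.
    """
    pkts = parse_capture(text)
    fin = next((p for p in pkts
                if p["src"] == proxy_ip and "FIN" in p["flags"]), None)
    if fin is None:
        return None
    before = [p for p in pkts if p["time"] < fin["time"]]
    data_pkts = [p for p in before if p["payload"] > 0]
    last_data = data_pkts[-1] if data_pkts else None
    # If no payload was ever seen, measure idleness from the first packet.
    since = last_data["time"] if last_data else before[0]["time"]
    keepalives = [p for p in before if p["time"] > since and is_tcp_keepalive(p)]
    idle = round(fin["time"] - since, 3)
    return {
        "fin_frame": fin["frame"],
        "last_data_frame": last_data["frame"] if last_data else None,
        "idle_seconds": idle,
        "tcp_keepalives": len(keepalives),
        # Long silence at the application layer, bridged only by TCP
        # keepalives, is the signature of a proxy idle timeout.
        "idle_timeout_likely": idle >= idle_threshold,
    }


if __name__ == "__main__":
    print(analyze_close(SAMPLE_CAPTURE, PROXY_IP))
```

Run against a real export (`File > Export Packet Dissections > As CSV` in Wireshark, with the columns renamed to match), the `idle_seconds` value tells you roughly what timeout the proxy enforces, which is the number any application-level keepalive interval has to stay well under.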
rafasere
Level 7

Re: fin,ack from proxy

asabban

many thanks for your response

In this case, we are opening a session to a server that receives client app updates (we contribute prices from a client input, to redistribute them globally). Those price updates do not happen frequently, so the connection must not be broken by a FIN packet, supposedly at any time, because price changes can happen once every hour or two, i.e. when that happens (FIN,ACK), our app sees it as if the channel was closed by the server, and shows the service as down. I guess that we need MWG not to close the link due to application-level inactivity, for at least 8 hours, because the client will close the app before that, when he leaves the office.

Is there a way to modify/eliminate that timeout restriction with some very fine-grained specification, like src.ip <-> dst.range, so it does not have to allow all connections to be left open endlessly?

thanks again

0 Kudos
asabban
Level 17

Re: fin,ack from proxy

Hello,

Okay, I think I got it. It seems to be similar to some "Stock Tickers" we have seen in the past :-)

I would try two things:

- First of all, I would check if MWG is set up to inspect the SSL traffic, e.g. it intercepts the connection and tries to look into it. If it does, I would try to skip SSL scanning for this sort of traffic to see if it helps.

- Try the Event "Enable HTTP Tunnel"

- If this does not help, you could make a rule which is executed when such requests are seen in MWG and execute an Event "Enable Proxy Control". Here you can attach a setting where you can increase a timeout. I think it could be the right one, so you could try increasing it to 5 minutes and see if the connection lasts longer, and finally increase it to the value you are looking for.

I think you probably have to check yourself if these options work. I recommend trying them in that order.

Keeping connections open for such a long time could become a problem for MWG if there are tons of such connections, so you definitely want to limit these to the connections for this application and probably to certain users only.

Best,

Andre

0 Kudos
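Two of the options discussed in the thread are to raise the proxy's idle timeout or to have the application itself send keep-alives, since TCP keepalives do not count as activity. The simulation below is an added example, not the poster's application and not Web Gateway code: a loopback "proxy stand-in" closes any connection that delivers no application bytes for `idle_timeout` seconds, and a client either stays silent or sends a constructed `PING` record at a fixed interval. It shows why a silent connection gets a FIN even though TCP is healthy, and why an application-layer keepalive interval comfortably below the proxy timeout keeps the session up.

```python
import select
import socket
import threading
import time


def idle_timeout_proxy(listener, idle_timeout):
    """Proxy stand-in (simulation, not MWG): accept one connection and close
    it, which emits a FIN, as soon as no application bytes arrive for
    idle_timeout seconds. TCP keepalives never reach recv(), so they cannot
    reset this timer; only real payload does."""
    conn, _ = listener.accept()
    conn.settimeout(idle_timeout)      # each recv() waits at most this long
    try:
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                break                  # idle session: drop it (FIN,ACK)
            if not data:
                break                  # client closed first
    finally:
        conn.close()


def client_session(port, duration, keepalive_interval=None):
    """Hold a connection open for `duration` seconds, optionally sending a
    constructed application-level keepalive every keepalive_interval seconds.
    Returns True if the peer never closed the connection."""
    sock = socket.create_connection(("127.0.0.1", port))
    deadline = time.monotonic() + duration
    next_keepalive = (time.monotonic() + keepalive_interval
                      if keepalive_interval else None)
    alive = True
    try:
        while time.monotonic() < deadline:
            # The proxy stand-in never sends data, so a readable socket
            # means a FIN (recv returns b"") or an RST (exception) arrived.
            readable, _, _ = select.select([sock], [], [], 0.02)
            if readable:
                try:
                    if sock.recv(4096) == b"":
                        alive = False
                        break
                except ConnectionResetError:
                    alive = False
                    break
            now = time.monotonic()
            if next_keepalive is not None and now >= next_keepalive:
                sock.sendall(b"PING\n")  # application data: resets proxy idle timer
                next_keepalive = now + keepalive_interval
    finally:
        sock.close()
    return alive


def simulate(idle_timeout, duration, keepalive_interval=None):
    """Run the proxy stand-in and a client on loopback; return whether the
    client's connection survived for the whole duration."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    proxy = threading.Thread(target=idle_timeout_proxy,
                             args=(listener, idle_timeout), daemon=True)
    proxy.start()
    try:
        return client_session(port, duration, keepalive_interval)
    finally:
        proxy.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    # Silent client: the stand-in closes it after 0.6 s of idleness.
    print("silent client survived:", simulate(0.6, 1.5))
    # Client sending application keepalives well inside the timeout.
    print("keepalive client survived:", simulate(0.6, 1.5, keepalive_interval=0.15))
```

For the poster's TLS session the keepalive would have to be a record the real server accepts and ignores (or answers), since the proxy only sees that encrypted bytes moved; and as the reply above notes, the interval should be long enough not to load the proxy, yet clearly shorter than whatever timeout the capture shows.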
rafasere
Level 7

Re: fin,ack from proxy

Andre

Thanks

So the way to increase the timeout control is through "Enable Proxy Control"? If yes, do you know the max time allowed?

I'm asking because I am acting on behalf of my client, as we are not running the WG ourselves, so I don't have access to it, and I'll certainly pass on these suggestions.

Thanks a lot again

Do I have to close this request by doing anything? Like click on correct answer?

0 Kudos