I am having a problem with a client's proxy.
He is using Web Gateway 184.108.40.206.0.
We are running an app on a PC, which establishes a secure connection to our server and inserts information into that server, over the internet, going through the proxy.
I see recurrent alarms that say service down, and then service up, regularly.
When I run Wireshark on the PC, I see that TCP+TLS connections are opened OK, then some keepalive packets come and go, and then I see a packet from the proxy that has the FIN,ACK flags set; then the app answers ACK, and answers again RST,ACK, to the proxy.
proxy: FIN,ACK seq=591 ack=817
app: ACK seq=817 ack=592
app: RST,ACK seq=817 ack=592
Then the app starts the regular SYN-ACK sequence to re-establish the channel, and the cycle runs periodically (down and up).
Does anyone have an idea what could be happening?
I also see the same pattern for a regular HTTP connection (not TLS).
I can attach filtered and unfiltered captures.
How much time elapses between establishing the connection and MWG sending the FIN,ACK? Probably this is a timeout that steps in when no application data is passed through.
In frames 602/603 the last pieces of application data are exchanged. Then in frame 2533 MWG closes the connection. If you look at the time you will notice that there are 2 minutes where no data was exchanged. I am pretty sure this is a timeout MWG runs into. Please note that the keep-alives you see are TCP keep-alives, which keep the TCP connection up and running. Nevertheless, no application data is exchanged between client and server, which means MWG sees an "idle" HTTP(S) session, which is eliminated by the proxy.
What is the reason there is no data exchanged?
If this is plain HTTPS, e.g. you are transferring HTTP through the tunnel (GET/POST requests), you may want to close the connection after you have received the last object and open a new connection when another object is fetched. If there is some kind of proprietary data flowing through MWG to proxy non-HTTP traffic, you may need to send keep-alives on the application layer in order to keep the session up and running (note that keeping connections open longer than necessary is not a good idea for a proxy, from a performance perspective).
From what I can see, MWG behaves as expected. Maybe you can provide some more insight into what you are trying to achieve so we could better understand and make a suggestion to solve the problem.
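To make the distinction in the answer above concrete (TCP keep-alives keep the transport up, but a proxy with an application-level idle timer still closes the session unless application data flows), here is an added, self-contained simulation. It is not code from the thread or from MWG: a small "proxy" thread on localhost closes its end after an idle period with no application data, and a client either stays silent with only SO_KEEPALIVE set or sends application-layer heartbeats. The timeout, message format, heartbeat interval and port are constructed for the demo; the real gateway's timeout in the thread is about 2 minutes.

```python
"""Added example (not from the original thread): a localhost simulation of a
proxy that drops an HTTP(S) session after an application-level idle period,
versus a client that keeps the session alive with application-layer heartbeats.
"""
import socket
import threading
import time

IDLE_TIMEOUT = 0.6      # constructed: proxy's application-idle limit (thread: ~2 min)
SESSION_LENGTH = 1.5    # constructed: how long the client holds the session before the next update


def proxy_side(listener, log):
    """Accept one session and behave like the gateway described in the thread:
    while application data keeps arriving the session lives; after IDLE_TIMEOUT
    with no application data the proxy closes its end (the FIN,ACK in the capture)."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(IDLE_TIMEOUT)
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                log.append("proxy: idle timeout, closing session")
                return                      # leaving the block closes the socket -> FIN
            if not data:
                log.append("proxy: client closed session")
                return
            log.append(f"proxy: got {data!r}")
            conn.sendall(b"ACK " + data)


def client_side(port, heartbeat_interval):
    """Connect through the 'proxy', send one price update, then either stay
    silent (TCP keepalive only) or send application-layer heartbeats. Finally
    send the next update and report whether the session survived."""
    with socket.create_connection(("127.0.0.1", port)) as sock:
        sock.settimeout(1.0)
        # TCP keepalive keeps the TCP connection up but carries no application
        # data, so it does not reset the proxy's application-level idle timer.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        sock.sendall(b"PRICE EURUSD 1.0850")       # constructed sample update
        sock.recv(4096)
        deadline = time.monotonic() + SESSION_LENGTH
        while time.monotonic() < deadline:
            if heartbeat_interval is None:
                time.sleep(0.05)                    # silent: rely on TCP keepalive only
                continue
            time.sleep(heartbeat_interval)
            sock.sendall(b"PING")                   # application-layer keepalive
            sock.recv(4096)
        try:
            # After the proxy has sent FIN, this send draws an RST and the
            # recv returns EOF or raises ConnectionResetError: the "service down".
            sock.sendall(b"PRICE EURUSD 1.0855")
            reply = sock.recv(4096)
        except (ConnectionError, socket.timeout):
            return "closed_by_proxy"
        return "still_open" if reply else "closed_by_proxy"


def simulate(heartbeat_interval):
    """Run one proxy/client session on an ephemeral localhost port.
    Returns (client_result, proxy_log)."""
    log = []
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=proxy_side, args=(listener, log))
    server.start()
    try:
        result = client_side(port, heartbeat_interval)
    finally:
        server.join(timeout=5)
        listener.close()
    return result, log


if __name__ == "__main__":
    for interval in (None, 0.2):
        result, log = simulate(interval)
        print(f"heartbeat interval={interval}: {result}")
        for line in log:
            print("   ", line)
```

Running it shows the silent session ending with "idle timeout, closing session" and the client reporting `closed_by_proxy`, while the heartbeat session stays open until the client itself closes it. The heartbeat interval only has to be shorter than the proxy's idle limit; sending far more often than that just adds load on the gateway, which is the performance concern raised in the answer.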
Many thanks for your response.
In this case, we are opening a session to a server that receives client app updates (we contribute prices from a client input, to redistribute them globally). Those prices are not happening frequently, so the connection must not be broken by a FIN packet, supposedly at any time, because price changes can happen once every hour or two, i.e. when that happens (FIN,ACK), our app sees it as if the channel was closed by the server, and shows the service as down. I guess that we need MWG not to close the link due to application-level inactivity, at least for 8 hours, because the client will close the app before that, when he leaves the office.
Is there a way to modify/eliminate that timeout restriction, in some very fine-grained specification? Like src.ip <-> dst.range, so it does not have to allow all connections to be left open endlessly?
Okay, I think I got it. Seems to be similar to some "Stock Tickers" we have seen in the past :-)
I would try two things:
- First of all I would check if MWG is set up to inspect the SSL traffic, e.g. it intercepts the connection and tries to look into it. If it does, I would try to skip SSL Scanning for this sort of traffic to see if it helps.
- Try the Event "Enable HTTP Tunnel".
- If this does not help you could make a rule which is executed when such requests are seen in MWG and execute an Event "Enable Proxy Control". Here you can attach a setting where you can increase a timeout. I think it could be the right one, so you could try increasing it to 5 minutes and see if the connection lasts longer, and finally increase it to the value you are looking for.
I think you probably have to check yourself if these options work. I recommend trying them in that order.
Keeping connections open for such a long time could become a problem for MWG if there are tons of such connections, so you definitely want to limit these to the connections for this application and probably to certain users only.
So the way to increase the timeout control is through "Enable Proxy Control"? If yes, do you know the max time allowed?
I'm asking because I am acting on behalf of my client, as we are not running the WG ourselves, so I don't have access to it, and I'll certainly pass on these suggestions.
Thanks a lot again.
Do I have to close this request by doing anything? Like click on "correct answer"?