10 Replies. Latest reply on Nov 7, 2014 8:47 AM by asabban

    fin,ack from proxy

    rafasere

      Hi

      I am having a problem with a client's proxy.

      He is using Web Gateway 7.4.2.2.0.

      We are running an app on a PC, which establishes a secure connection to our server and inserts information into that server, over the internet, going through the proxy.

      I see recurrent alarms that say service down, and then service up, regularly.

      When I run Wireshark on the PC, I see that the TCP+TLS connections open OK, then some keepalive packets come and go, and then I see a packet from the proxy that has the FIN,ACK flags set; the app answers ACK, and then answers again with RST,ACK to the proxy.

      proxy: FIN,ACK   seq=591  ack=817

      app: ACK       seq=817   ack=592

      app: RST,ACK  seq=817   ack=592

      Then the app starts the regular SYN-ACK sequence to re-establish the channel, and the cycle runs periodically (down and up).

      Does anyone have an idea what could be happening?

      I also see the same pattern for a regular HTTP connection (not TLS).

      Thanks

      I can attach filtered and unfiltered captures.

        • 1. Re: fin,ack from proxy
          asabban

          How much time elapses between establishing the connection and MWG sending the Fin,Ack? Probably this is a timeout that steps in when no application data is passed through.

          Best,

          Andre
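The question Andre asks here (how long between the last application data and the proxy's FIN) is exactly what a capture can answer, and it also requires telling TCP keepalive probes apart from real application data. The following is an added example, not code from the thread or from McAfee: a small analyzer over a constructed packet timeline modelled on the sequence and acknowledgement numbers quoted in the original post (frame numbers, timestamps and the 45-second keepalive spacing are assumptions). It reports which side sent the FIN, how long the session had been idle at the application layer, and which frames were keepalives.

```python
from dataclasses import dataclass


@dataclass
class Frame:
    no: int        # frame number as Wireshark would show it
    t: float       # seconds since start of capture
    src: str       # "app" (the PC) or "proxy" (MWG)
    flags: str     # TCP flags, Wireshark style: "ACK", "PSH,ACK", "FIN,ACK", ...
    seq: int       # relative sequence number
    ack: int       # relative acknowledgement number
    length: int    # TCP payload bytes


# Constructed timeline (not a real capture): handshake, one data exchange,
# TCP keepalives every 45 s, then a FIN from the proxy two minutes after the
# last application bytes, answered by ACK and RST,ACK from the app.
CAPTURE = [
    Frame(1,    0.000, "app",   "SYN",     0,   0,   0),
    Frame(2,    0.010, "proxy", "SYN,ACK", 0,   1,   0),
    Frame(3,    0.010, "app",   "ACK",     1,   1,   0),
    Frame(602,  0.500, "app",   "PSH,ACK", 1,   1,   816),
    Frame(603,  0.600, "proxy", "PSH,ACK", 1,   817, 590),
    Frame(604,  0.600, "app",   "ACK",     817, 591, 0),
    Frame(900,  45.6,  "app",   "ACK",     816, 591, 0),   # TCP keepalive probe
    Frame(901,  45.6,  "proxy", "ACK",     591, 817, 0),   # keepalive reply
    Frame(1700, 90.6,  "app",   "ACK",     816, 591, 0),   # TCP keepalive probe
    Frame(1701, 90.6,  "proxy", "ACK",     591, 817, 0),   # keepalive reply
    Frame(2533, 120.7, "proxy", "FIN,ACK", 591, 817, 0),
    Frame(2534, 120.7, "app",   "ACK",     817, 592, 0),
    Frame(2535, 120.7, "app",   "RST,ACK", 817, 592, 0),
]


def analyze(frames):
    """Walk the capture and report who closed, how long the session had been
    idle at the application layer, and which frames were only TCP keepalives."""
    snd_nxt = {}            # next sequence number each side is expected to send
    last_data = None        # last frame that carried application payload
    keepalives = []
    closed_by = fin_frame = reset_by = None
    for f in frames:
        flagset = set(f.flags.split(","))
        expected = snd_nxt.get(f.src)
        # Wireshark's keepalive heuristic: at most one byte of payload, ACK only,
        # and a sequence number one below the next byte this side should send.
        if f.length <= 1 and flagset == {"ACK"} and expected is not None and f.seq == expected - 1:
            keepalives.append(f.no)
            continue
        if "SYN" in flagset:
            snd_nxt[f.src] = f.seq + 1          # SYN consumes one sequence number
        if f.length > 0:
            last_data = f
            snd_nxt[f.src] = max(snd_nxt.get(f.src, 0), f.seq + f.length)
        if "FIN" in flagset and fin_frame is None:
            closed_by, fin_frame = f.src, f
            snd_nxt[f.src] = f.seq + 1          # FIN consumes one sequence number
        if "RST" in flagset and reset_by is None:
            reset_by = f.src
    idle = round(fin_frame.t - last_data.t, 1) if fin_frame and last_data else None
    return {"closed_by": closed_by,
            "fin_frame": fin_frame.no if fin_frame else None,
            "last_data_frame": last_data.no if last_data else None,
            "idle_seconds": idle,
            "keepalive_frames": keepalives,
            "reset_by": reset_by}


def verdict(report, idle_timeout=120.0):
    """Plain-language reading of the report. The proxy's real timeout value is
    not on the page; the 120 s default is the gap observed in the thread."""
    if (report["closed_by"] == "proxy" and report["idle_seconds"] is not None
            and report["idle_seconds"] >= idle_timeout):
        return ("proxy closed an HTTP-idle session after %.1f s; TCP keepalives in frames %s "
                "kept the socket up but carried no application data"
                % (report["idle_seconds"], report["keepalive_frames"]))
    return "close not explained by an idle timeout; look at the application or the server side"


if __name__ == "__main__":
    rep = analyze(CAPTURE)
    print(rep)
    print(verdict(rep))
```

Against a real capture the same logic applies to the output of `tshark -T fields` with frame.number, frame.time_relative, ip.src, tcp.flags, tcp.seq, tcp.ack and tcp.len; the key observation is that keepalive probes never advance the sender's sequence number, so they cannot count as application activity.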

          • 2. Re: fin,ack from proxy
            rafasere

            Hi

            I don't know exactly, let me check, but when there is no data sent at the app level, I see keep-alive messages going. Let me see and I'll be back.

            Thanks

            • 3. Re: fin,ack from proxy
              rafasere

              asabban

              Here's the conversation (filtered to only the packets in the conversation), I hope it helps, thanks.

              capture.jpg

              • 4. Re: fin,ack from proxy
                asabban

                Hello,

                the link/image throws a 403 so we cannot see it.

                Best,

                Andre

                • 5. Re: fin,ack from proxy
                  rafasere

                  Here it goes again, I hope you can see it.

                  Thanks again

                  captura2.jpg

                  • 6. Re: fin,ack from proxy
                    asabban

                    Hello,

                    in frame 602/603 the last pieces of application data are exchanged. Then in frame 2533 MWG closes the connection. If you look at the time you will notice that there are 2 minutes where no data was exchanged. I am pretty sure this is a timeout MWG runs into. Please note that the keep-alives you see are TCP keep-alives which keep the TCP connection up and running. Nevertheless no application data is exchanged between client and server, which means MWG sees an "idle" HTTP(S) session, which is eliminated by the proxy.

                    What is the reason there is no data exchanged?

                    If this is plain HTTPS, e.g. you are transferring HTTP through the tunnel (GET/POST requests), you may want to close the connection after you received the last object and open a new connection when another object is fetched. If there is some kind of proprietary data flowing through MWG to proxy non-HTTP traffic, you may need to send keep-alives on the application layer in order to keep the session up and running (note that keeping connections open longer than necessary is not a good idea for a proxy, from a performance perspective).

                    From what I can see MWG behaves as expected. Maybe you can provide some more insight into what you are trying to achieve so we could better understand and make a suggestion to solve the problem.

                    Best,

                    Andre
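The distinction drawn in this reply (TCP keep-alives keep the socket up, but a proxy that sees no application data still times the session out, so the fix is an application-layer heartbeat or shorter-lived connections) can be reproduced on a single machine. The following is an added example, not code from the thread or from McAfee: a loopback server that models the proxy's idle timer by sending a FIN once no application bytes have arrived for `idle_timeout` seconds, and a client that either relies on TCP keepalive alone or sends a PING every few hundred milliseconds. The timeouts, the PING/PONG messages and the use of an ephemeral loopback port are assumptions chosen for the demonstration.

```python
import socket
import threading
import time


def start_relay(idle_timeout):
    """Accept one connection on a loopback port and close it (sending FIN) as
    soon as idle_timeout seconds pass without application bytes arriving.
    This models the proxy's idle session timer, not MWG's actual code."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, assumption for the demo
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(idle_timeout)   # recv() raises if no data within the window
        try:
            while True:
                data = conn.recv(1024)
                if not data:            # client closed first
                    break
                conn.sendall(b"PONG\n")  # application-layer reply
        except socket.timeout:
            pass                        # idle session: the "proxy" gives up on it
        finally:
            conn.close()                # FIN towards the client

    threading.Thread(target=serve, daemon=True).start()
    return port


def client_session(port, duration, heartbeat_interval=None):
    """Hold a connection open for `duration` seconds. With heartbeat_interval
    set, send a PING that often; otherwise rely on TCP keepalive only.
    Returns True if the peer never closed the connection."""
    s = socket.create_connection(("127.0.0.1", port))
    # TCP keepalive probes carry no payload, so the relay never sees them as data.
    s.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    s.settimeout(0.05)
    deadline = time.monotonic() + duration
    next_hb = time.monotonic()
    alive = True
    while alive and time.monotonic() < deadline:
        if heartbeat_interval is not None and time.monotonic() >= next_hb:
            s.sendall(b"PING\n")        # application data resets the idle timer
            next_hb += heartbeat_interval
        try:
            if s.recv(1024) == b"":     # empty read means the peer sent FIN
                alive = False
        except socket.timeout:
            pass                        # nothing to read yet; keep waiting
    s.close()
    return alive


def demo():
    """Run both client styles against a relay with the same idle timeout."""
    relay_timeout, session_length = 0.5, 1.5
    return {
        "tcp_keepalive_only": client_session(start_relay(relay_timeout), session_length),
        "app_heartbeat": client_session(start_relay(relay_timeout), session_length,
                                        heartbeat_interval=0.2),
    }


if __name__ == "__main__":
    print(demo())
```

Run stand-alone it prints `{'tcp_keepalive_only': False, 'app_heartbeat': True}`: the connection without application traffic is closed by the relay at 0.5 s, the one with a 0.2 s heartbeat survives the whole session, which is the same difference between TCP and application-layer keep-alives that the capture in the thread shows.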

                    • 7. Re: fin,ack from proxy
                      rafasere

                      asabban

                      Many thanks for your response.

                      In this case, we are opening a session to a server that receives client app updates (we contribute prices from a client input, to redistribute them globally). Those prices are not happening frequently, so the connection must not be broken by a FIN packet, supposedly at any time, because price changes can happen once every hour or two, i.e. when that happens (FIN,ACK), our app sees it as if the channel was closed by the server, and shows the service as down. I guess that we need MWG not to close the link due to application level inactivity, at least for 8 hours, because the client will close the app before that, when he leaves the office.

                      Is there a way to modify/eliminate that timeout restriction, in some very fine-grained specification? Like src.ip <-> dst.range, so it does not have to allow all connections to be left open endlessly?

                      Thanks again

                      • 8. Re: fin,ack from proxy
                        asabban

                        Hello,

                        okay, I think I got it. Seems to be similar to some "Stock Tickers" we have seen in the past :-)

                        I would try two things:

                        - First of all I would check if MWG is set up to inspect the SSL traffic, e.g. it intercepts the connection and tries to look into it. If it does, I would try to skip SSL Scanning for this sort of traffic to see if it helps.

                        - Try the Event "Enable HTTP Tunnel"

                        - If this does not help you could make a rule which is executed when such requests are seen in MWG and execute an Event "Enable Proxy Control". Here you can attach a setting where you can increase a timeout. I think it could be the right one, so you could try increasing it to 5 minutes and see if the connection lasts longer, and finally increase it to the value you are looking for.

                        I think you probably have to check yourself if these options work. I recommend trying them in that order.

                        Keeping connections open for such a long time could become a problem for MWG if there are tons of such connections, so you definitely want to limit these to the connections for this application and probably to certain users only.

                        Best,

                        Andre

                        • 9. Re: fin,ack from proxy
                          rafasere

                          Andre

                          Thanks

                          So the way to increase the timeout control is through "Enable Proxy Control"? If yes, do you know the max time allowed?

                          I'm asking because I am acting on behalf of my client, as we are not running the WG ourselves, so I don't have access to it, and I'll certainly pass on these suggestions.

                          Thanks a lot again

                          Do I have to close this request by doing anything? Like click on correct answer?