"Window Scaling" (RFC 1323) support on the Edge SWG (ProxySG)
Article ID: 167353

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

What is "Window Scaling" (RFC-1323)?

The TCP Receive Window (also known as RWIN) in the initial TCP protocol specification was limited to 65535 bytes (2^16 - 1). RFC 1323 defines TCP Options that overcome limitations of the original specification, including TCP window scaling. Window Scaling (WS) is a multiplier that allows the TCP window to be scaled beyond the original limit. The Window Scaling option carries an 8-bit shift count that tells how many bit positions the Window field must be shifted left to obtain the true window; for example, a Window Scale of 5 means shift by 5 bits, giving a multiplicative factor of 2^5 = 32. To find the TCP window size, take the value in the header and multiply it by 32. Most packet analysis tools do this automatically, provided the beginning of the TCP connection (the SYN exchange that carries the option) is captured.

For example, for TCP to advertise a 256960-byte receive window, the TCP header would contain a Window field of 64240 bytes and a Window Scale factor of 2, which means a multiplicative factor of 2^2 = 4 (64240 * 4 = 256960). Any TCP client or server that does not support the TCP Options defined in RFC 1323 ignores the Window Scaling option and uses the value of 64240 bytes as the TCP receive window.
 
 
 

Resolution

SGOS behaviour and compatibility
 
By default, RFC 1323 support is enabled.
 
In all current versions of SGOS, an Edge SWG proxy sets the window scale option to "6" on all SYN packets if RFC 1323 support is enabled and the TCP window size is set higher than the default of 65535.
 
The Edge SWG sets a window scale of "0" if RFC 1323 support is enabled but the TCP window size is the default or smaller.
The Edge SWG sets a window scale of "0" if RFC 1323 support is disabled.
 
In environments with older networking equipment, RFC 1323 may not be fully supported, which can result in the TCP Window Scaling factor being dropped.
That in turn results in more TCP segments on the network and slower data transmission times.
 
For example, suppose the Edge SWG sent a SYN packet with a Window Scale of 6 and a TCP window of 102400:
 
1              2010-04-14 13:42:29.003000         10.10.10.1         10.10.10.2         TCP        50704 > http [SYN] Seq=0 Win=102400 Len=0 MSS=1460 WS=6 TSV=14897848 TSER=0
 
but the receiving TCP stack did not support RFC 1323 (which includes Window Scaling). It would treat the Window Scaling option as absent (shift 0) and see a TCP window size of 1600 bytes (2^6 = 64, 102400 / 64 = 1600). This would result in many more TCP segments on the wire and slow data transfer.
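To make the arithmetic above concrete, here is an added Python example (not part of the original article or of SGOS) that builds a constructed SYN header carrying the Window Scale option, parses the option back out, and computes the window a peer would use with and without RFC 1323 support. The port numbers and option layout are assumptions chosen to mirror the capture line above.

```python
import struct

# TCP option kinds from RFC 793 / RFC 1323 (protocol constants, not page-specific).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3


def build_syn(raw_window, wscale=None, mss=1460):
    """Construct a 20-byte TCP header plus options for a SYN segment.
    raw_window is the 16-bit Window field exactly as it appears on the wire."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    if wscale is not None:
        # kind=3, length=3, shift count; one NOP pad keeps the options 4-byte aligned
        opts += struct.pack("!BBB", OPT_WSCALE, 3, wscale) + bytes([OPT_NOP])
    data_offset = (20 + len(opts)) // 4
    # src port 50704 and dst port 80 are assumed values mirroring the capture line
    hdr = struct.pack("!HHIIBBHHH", 50704, 80, 0, 0, data_offset << 4, 0x02,
                      raw_window, 0, 0)
    return hdr + opts


def parse_tcp_options(segment):
    """Return {kind: payload bytes} for every option in the TCP header."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, found = segment[20:data_offset], 0, {}
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        found[kind] = opts[i + 2:i + length]
        i += length
    return found


def effective_window(segment, peer_supports_rfc1323):
    """Receive window as the peer interprets it. A legacy peer ignores the
    Window Scale option (shift 0); an RFC 1323 peer left-shifts by the count."""
    raw = struct.unpack("!H", segment[14:16])[0]
    opts = parse_tcp_options(segment)
    shift = opts[OPT_WSCALE][0] if (peer_supports_rfc1323 and OPT_WSCALE in opts) else 0
    return raw << shift
```

Running `effective_window(build_syn(1600, wscale=6), False)` reproduces the 1600-byte window a non-RFC 1323 peer would see, while passing `True` yields the intended 102400.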
 
To remedy this situation, one option is to disable RFC 1323 support on the Edge SWG.
 
Changing the RFC 1323 support option affects both the client-side (client to proxy) and server-side (proxy to OCS) connections.
Change this setting only after careful consideration and only if you are sure that your network devices do not support RFC 1323.
 
RFC 1323 support can be disabled via serial console or an SSH session.
 
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             enabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 disable
  ok
ProxySG#(config)exit
ProxySG#
 
A reboot of the Edge SWG (ProxySG) is required for the RFC 1323 configuration change to take effect.
 
How can RFC 1323 be re-enabled on the Edge SWG (ProxySG)?
 
ProxySG>enable
Enable Password:
ProxySG#config t
Enter configuration commands, one per line.  End with CTRL-Z.
ProxySG#(config)show tcp-ip
  RFC-1323 support:             disabled
  TCP Newreno support:          enabled
  IP forwarding:                enabled
  ICMP bcast echo response:     disabled
  ICMP timestamp echo response: disabled
  Path MTU Discovery:           disabled
  TCP silly-window avoidance:   enabled
  Routing algorithm:            weighted-round-robin
  TCP 2MSL timeout:             120 seconds
  TCP window size:              2031585 bytes
  TCP Loss Recovery Mode:       normal
  Bypass connection keep-alive: disabled
  Fast retransmit:              enabled
  Fast TCP FIN_WAIT_2 recycle:  disabled
  SCPS link bandwidth:          (not configured)
  SCPS interface:               (not configured)
  SCPS link rtt:                (not configured)
  SCPS processing:              Disabled

ProxySG#(config)tcp-ip rfc-1323 enable
  ok
ProxySG#(config)exit
ProxySG#

A reboot of the Edge SWG (ProxySG) is required for the RFC 1323 configuration change to take effect.

 
Is it possible to disable RFC 1323 for a single connection on the Edge SWG (ProxySG)?
 
It is NOT possible to disable RFC 1323 for just one website. The setting is global and impacts all connections to and from the Edge SWG.