Users going to blocked sites were experiencing long delays, just over 80 seconds in having the exception render on the browser.
The customer was using the ident.username field in their deny exception page. This field is used in conjunction with Policy Substitution Realms (see Blue Coat Systems SGOS Administration Guide for more information on Policy Substitution Realms) and IDENT protocol to provide the username associated with a session as returned from an ident query. As a result the ProxySG was trying to contact the users workstation on port 113 in an attempt to retrieve the user name, however, this was being silently dropped by the firewall.
The ProxySG will make multiple attempts to connect on port 113 eventually timing out and then proceeding to display the denied exception page.
Removing the ident.username from the exception page resolved the issue, if this is not an option then getting the firewall to reset the connection or allowing traffic on port 113 to the workstations, will also help.
Please note that it is not necessary to have IDENTD enabled on the ProxySG (see article TECH241524) for this issue to be seen, it is just enough to have the ident.username field in an exception for the connection on port 113 to be triggered, also even if the firewall allows traffic on port 113 to the users workstation if the IDENTD is not installed on the workstation the symptoms will be the same.
Imported Document ID: 000032934
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe