HTTPS requests through a ProxySG running SGOS 188.8.131.52 through 184.108.40.206 that match policy disabling protocol detection may fail or be delayed for 30 seconds.
The following requirements must all be met for this issue to occur:
SGOS 220.127.116.11, 18.104.22.168, 22.214.171.124, or 126.96.36.199 installed on ProxySG
The HTTPS request must match a policy rule that contains the 'Disable SSL Detection' object action or a detect_protocol CPL action that includes specific protocols but does not include 'sip'. Examples: detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no)
Client browser is Internet Explorer 11 (or older) or Chrome with its SSL max configuration set to default or TLS1.2.
The issue will not occur if any of the following is true:
Advanced Secure Gateway (ASG) is being used.
SGOS 6.6.x.x or 6.7.x.x is installed on the ProxySG.
The HTTPS requests match CPL rules that disable protocol detection for all protocols, such as detect_protocol(no) or detect_protocol(none).
Clients are using Firefox.
The impacted SGOS versions contain an issue in how protocol detection is processed. Bug 248876 tracks this issue.
The fix for bug 248876 is available in SGOS release 188.8.131.52 (released on June 29, 2017).
The following workaround for this issue is available if the proxy cannot be upgraded:
If the ProxySG is configured with policy using the 'Disable SSL Detection' action within the Visual Policy Manager (VPM), this policy will need to be migrated to a CPL layer within VPM and changed to detect_protocol[ssl,https,sips,sip](no).
If the ProxySG is configured with CPL policy in a CPL layer within VPM, in a local policy file, or in a central policy file that uses detect_protocol[ssl,https,sips](no) or detect_protocol[ssl,https](no), these will need to change to detect_protocol[ssl,https,sips,sip](no).
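To find the affected rules in an exported policy file before editing it, the check below flags every detect_protocol[...](no) whose list lacks 'sip' and proposes the rewrite from the workaround. It is an added example, not code from this article or from the vendor. The function names and sample policy are constructed, and treating lines that start with ';' as comments and adding 'sips' to lists other than the two named above are assumptions.

```python
import re

# List form only: detect_protocol[a,b,...](no). The unqualified forms
# detect_protocol(no) / detect_protocol(none) have no list and never match.
RULE = re.compile(r"detect_protocol\[([^\]]*)\]\(\s*no\s*\)", re.IGNORECASE)

def _with_sip(match):
    protos = [p.strip() for p in match.group(1).split(",") if p.strip()]
    have = {p.lower() for p in protos}
    if "sip" in have:
        return match.group(0)  # list already includes sip: not the affected form
    # Append whichever of sips/sip is missing, giving the workaround's list
    # for both forms named in the article.
    protos += [p for p in ("sips", "sip") if p not in have]
    return "detect_protocol[%s](no)" % ",".join(protos)

def audit_cpl(text):
    """Return (findings, fixed_text); each finding is (line_no, old, new)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Assumption: a line whose first character is ';' is a comment.
        if line.lstrip().startswith(";"):
            out.append(line)
            continue
        fixed = RULE.sub(_with_sip, line)
        if fixed != line:
            findings.append((line_no, line.strip(), fixed.strip()))
        out.append(fixed)
    return findings, "\n".join(out)

# Constructed sample policy, not taken from the article.
SAMPLE = """\
; constructed sample policy
<Proxy>
    url.domain=bank.example.com detect_protocol[ssl,https,sips](no)
    url.domain=pay.example.com detect_protocol[ssl,https](no)
    url.domain=voip.example.com detect_protocol[ssl,https,sips,sip](no)
    url.domain=raw.example.com detect_protocol(no)
; url.domain=old.example.com detect_protocol[ssl,https](no)
"""

if __name__ == "__main__":
    findings, fixed = audit_cpl(SAMPLE)
    for line_no, old, new in findings:
        print("line %d:\n  - %s\n  + %s" % (line_no, old, new))
```

Rules that use the VPM 'Disable SSL Detection' object are not visible to a text check like this until they have been migrated to a CPL layer.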