Cannot access the Internet when going through ProxySG and Advanced Secure Gateway (ASG)
search cancel

Cannot access the Internet when going through ProxySG and Advanced Secure Gateway (ASG)

book

Article ID: 174163

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Cannot access the Internet through the ProxySG or ASG, reflect client IP is disabled and support says it is a firewall issue upstream.

Forward Proxy Deployment, traffic captured on your client machine shows proxy sending a RST.  While it is natural to assume it is the proxy that is breaking the connection, the proxy is only doing it because it cannot establish an upstream connection, and hence there is no point keeping the connection to the client open since it will never succeed.  This can be verified by taking a packet capture on the proxy with a filter for the client IP address and the server IP address or URL (ip host <client_IP> or ip host <server_IP or server_URL>)  There are 2 situations possible where the proxy will close the connection:

1) Firewall send a RST as a result of a BLOCK rule configured:

In this case Passive FTP over a SOCKs proxy is being reset from upstream (stream 12) to the proxy right after the SYN packet. If you take a packet capture on the client you will only ever see stream 11 and it will seem like the proxy closes the connection (Proxy actually closes it inside the Command Response - Connect packet and the client terminates the circuit with a RST).

2)  Firewall sends nothing as a result of a silent DROP, and proxy continues to send SYN retransmissions and then closes the connection downstream after some time:

This condition however could be caused by other issues, such as incorrect DNS resolution and incorrect network routes, and those should also be investigated.

On an explicit proxy a common sign that there is an issue with the upstream connection between the proxy and OCS is the proxy returning an HTTP code of 503 in the packet capture.  This is almost always a result of a protocol failing at a lower layer than HTTP (DNS incorrect or failed, or TCP failure due to firewall or incorrect network route). On some occasions it can actually be forwarded to the proxy by the OCS (a policy trace will be needed to verify) but in this case it is also an upstream issue.

Resolution

If you see HTTP 503 – take policy trace, if coming from server contact server administrator, if coming from proxy investigate upstream connection.
If you suspect upstream connection DNS – ensure that DNS resolves the query to the correct IP address; if it does not we will see SYN retransmissions (since destination IPs do not really exist / are not really those servers). Also verify that DNS resolves DNS queries.
If you see SYN retransmissions (upstream connection TCP) – ensure that there is no firewall blocking the connection via silent DROP. Ensure there is network routes on your routers to the destination IPs and back.
If you see RSTs on SYN packets (upstream connection firewall) – ensure the firewall allows traffic (inbound / outbound) based on appropriate criteria. For example, if you are trying to use Active FTP out of the network you need to allow inbound connections from port 20, as that is needed for the Data circuit.

Additional Information

If you see the ProxySG receiving SYN packets and retransmissions, but taking a long time to send the outbound SYN out, chances are the proxy is running out of available ports, and you need to lower the lowport value as per this KB:
https://knowledge.broadcom.com/external/article/167384/what-tcp-source-ports-are-used-by-the-pr.html