R80.40 explicit proxy does not close the connection to client in certain conditions

jkougoulos — Mon, 24 Oct 2022 10:29:19 GMT

Hi,

I have one VSX gateway configured as non-transparent proxy (r80.40 take 158) and I face a an issue that appears as random but I believe I have narrow it down to something more specific.

So, there are some web servers that do not provide "Content-Length" but they close the TCP connection at the end of the transmission eg when they transmit content in gzip format. In most cases this is not a problem, as the proxy closes the connection to the client when all data are sent.
However, when the connection of the proxy to the server is better/faster than the one to the client, which causes various re-transmissions, the proxy does not close the connection and the client stays idle. The web browser in this case looks like stalling in transfer.
I have confirmed with tcpdump/wireshark that the proxy does not send a FIN/RST when the issue happens and the issue does not seem to appear when I use squid instead of checkpoint.

I was able to reproduce this by setting up a server close to our data center and setting the client to 10mbps/half duplex. I transfer a .js file of around 1.7MB which becomes ~400kB after gzip compression.
The server (an Apache) is configured with something like the following to emulate the behavior of the server that triggered the investigation for this issue (this is for firefox > 100):

BrowserMatch "Firefox/10" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0

The issue is reproducible in Edge, Chrome, Firefox, curl, wget in Windows and Linux. The only client that does not show the problem is powershell or .net code using (Invoke-)WebRequest with AutomaticDecompression flag enabled.

The Gateway has HTTPS inspection enabled but the policy does not inspect the specific sites.
I have tried disabling the IPS, the issue persists.

Does the above behavior ring any bell of any kind of workaround or setting that I may miss?
Any hints on further troubleshooting, like what kind of debug commands I could enable to see any further information?

Kind regards,

John

Re: R80.40 explicit proxy does not close the connection to client in certain conditions

_Val_ — Mon, 24 Oct 2022 11:09:01 GMT

I would suggest a TAC case

Re: R80.40 explicit proxy does not close the connection to client in certain conditions

Chris_Atkinson — Mon, 24 Oct 2022 11:15:28 GMT

Take 161 GA contains some gzip & proxy fixes.

Suggest working the case further with TAC since you seem to have a good handle on how it can be replicated.

Re: R80.40 explicit proxy does not close the connection to client in certain conditions

jkougoulos — Thu, 17 Nov 2022 16:39:16 GMT

thanks for suggestions. Just as an update, Take 180 did not fix the issue... I have to open a TAC case

topic Re: R80.40 explicit proxy does not close the connection to client in certain conditions in Firewall and Security Management

R80.40 explicit proxy does not close the connection to client in certain conditions

Re: R80.40 explicit proxy does not close the connection to client in certain conditions

Re: R80.40 explicit proxy does not close the connection to client in certain conditions

Re: R80.40 explicit proxy does not close the connection to client in certain conditions