jkougoulos
Participant

R80.40 explicit proxy does not close the connection to client in certain conditions

Hi,

I have one VSX gateway configured as a non-transparent proxy (R80.40 Take 158) and I face an issue that appears random, but I believe I have narrowed it down to something more specific.

So, there are some web servers that do not provide "Content-Length" but close the TCP connection at the end of the transmission, e.g. when they transmit content in gzip format. In most cases this is not a problem, as the proxy closes the connection to the client when all data are sent.
However, when the connection of the proxy to the server is better/faster than the one to the client, which causes various re-transmissions, the proxy does not close the connection and the client stays idle. The web browser in this case looks like stalling in transfer.
I have confirmed with tcpdump/wireshark that the proxy does not send a FIN/RST when the issue happens and the issue does not seem to appear when I use squid instead of checkpoint.

I was able to reproduce this by setting up a server close to our data center and setting the client to 10mbps/half duplex. I transfer a .js file of around 1.7MB which becomes ~400kB after gzip compression.
The server (an Apache) is configured with something like the following to emulate the behavior of the server that triggered the investigation for this issue (this is for firefox > 100):

               BrowserMatch "Firefox/10" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0

 

The issue is reproducible in Edge, Chrome, Firefox, curl, wget in Windows and Linux. The only client that does not show the problem is PowerShell or .NET code using (Invoke-)WebRequest with the AutomaticDecompression flag enabled.

The Gateway has HTTPS inspection enabled but the policy does not inspect the specific sites.
I have tried disabling the IPS, the issue persists.

Does the above behavior ring any bell of any kind of workaround or setting that I may miss?
Any hints on further troubleshooting, like what kind of debug commands I could enable to see any further information?

Kind regards,

John
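
An added example, not part of the original post: a probe for the behaviour described above. It reads a response that has no Content-Length and reports whether the body ended with a connection close or with an idle timeout (the stall). The function names, the loopback origin and the timeout values are assumptions made for illustration.

```python
import socket
import threading
import time

def serve_once(body, close_after=True):
    """Constructed origin: one HTTP/1.0 reply with no Content-Length.
    close_after=False imitates a hop that never sends FIN."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        conn.recv(65536)  # read the request; its content is ignored
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                     b"Connection: close\r\n\r\n" + body)
        if not close_after:
            time.sleep(3)  # hold the socket open past the client's timeout
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

def fetch_until_close(addr, target, host, idle_timeout=5.0):
    """Send one GET to addr (origin or explicit proxy) and read to EOF.
    Returns (body_bytes_received, ended_by_close)."""
    with socket.create_connection(addr, timeout=idle_timeout) as s:
        req = f"GET {target} HTTP/1.0\r\nHost: {host}\r\nAccept-Encoding: gzip\r\n\r\n"
        s.sendall(req.encode("ascii"))
        data = b""
        try:
            while True:
                chunk = s.recv(65536)
                if not chunk:        # peer sent FIN: close-delimited body is complete
                    closed = True
                    break
                data += chunk
        except socket.timeout:       # no FIN/RST within idle_timeout: stalled transfer
            closed = False
        except ConnectionResetError:
            closed = True            # an RST also terminates the transfer
    _, _, body = data.partition(b"\r\n\r\n")
    return len(body), closed

if __name__ == "__main__":
    port = serve_once(b"x" * 400_000)  # constructed 400 kB body
    print(fetch_until_close(("127.0.0.1", port), "/app.js", "localhost"))
```

To test through an explicit proxy, pass the proxy's address as `addr` and the absolute URL of the origin resource as `target`; a result with `ended_by_close` false after the full body has arrived matches the missing FIN/RST seen in the capture.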

3 Replies
_Val_
Admin

I would suggest a TAC case

0 Kudos
Chris_Atkinson
Employee

Take 161 GA contains some gzip & proxy fixes.

Suggest working the case further with TAC since you seem to have a good handle on how it can be replicated.

CCSM R77/R80/ELITE
0 Kudos
jkougoulos
Participant

Thanks for the suggestions. Just as an update, Take 180 did not fix the issue... I have to open a TAC case.

0 Kudos
