ProxySG & Advanced Secure Gateway

We found that the client sent TCP Zero window error to the proxy. Please advise to proceed further.

Whether we need to increase tcp window size in the client or proxy?

Note: issue is intermittent.

Thaks,

Ram

Hi Ram,

TCP Zero Window is when the Window size in a machine remains at zero for a specified amount of time.

This means that a client is not able to receive further information at the moment, and the TCP transmission is halted until it can process the information in its receive buffer.

Ref: https://wiki.wireshark.org/TCP%20ZeroWindow

      You may want to take a simultaneous pcap at proxy and client to confirm whether the TCP Zero window is from client or not. Sometime devices in between which is busy dealing a high load can cause this.

I took PCAP from the proxy, we fount that that first proxy sent tcp windows full message to client and then client sent Zero window to the proxy.

In that proxy we have enabled RFC1323.

What is the next step to proceed further. 

Thanks,

Ram.

Hi Ram,

         As mentioned, you will have to first confirm that the TCP Zero window is from client or not. Taking a simultanous pcap at client will clear that. If this found to be sent by client, it could be due to overloading on the network. Check that part too.

Hi Aravind,

Thank you for your suggesion. we will check with client end also.

We could see this error while accesing the particular url not all the url.

We are getting 503 error only for the one url. all other url's are working fine through the proxy server.

Thanks,

Ram.

Hi Ram,

             If this is only for one specific url, then the TCP Zero Window message from client might not be the cause of it. 503 is more related to server OCS issue. Take a packet capture with Client and Server's address as filter to see why 503. Most of the time, 503 is when proxy is not able to reach the server. Btw, which url is causing the trouble ?

The url is service.8mmail.com.

Out of 15 request 1 got 503 error. 

We dont have any clue where is the problem is. Even we took packet capture found that TCP Zero window and below error in PACP

proxy IP: 10.20.221.18

Hi Ram,

              The 503 exception details is showing as "tcp_error" which shows up when proxy is not able to reach the server itself. Can you share me a pacp with below filter

"ip host x.x.x.x or host service.8mmail.com or port 53"

change x.x.x.x to the testing linux machine's IP address. Retry till the error shows up.

In our case We have a set up like  downstream and upstream proxy.

user-->proxy1-->Proxy 2 or proxy 3

Proxy 1 is directly receive the client request but wont do the DNS resolution. policy check and and happining here only.

Proxy2 or 3--> only do the DNS, 

Hi Ram,

            In that setup, we may have to rely on Packet capture and policy trace. For packet capture, you can use the filter in downstream proxy to capture client traffic "ip host x.x.x.x". On Parent proxies Proxy-2 and 3, use the filter "host service.8mmail.com or port 53" . On all 3 proxies, run a policy trace by using the below trace file

<Proxy>
url.domain=service.8mmail.com trace.request(yes) trace.destination("123.html")

Dear Arvind,

I have uploaded the PCAP files taken from the LAN proxy and DMZ proxy.

Thanks,

Ram.

Hi Ram,

              Where did you uploaded it to ?

I have uploaded the files in this portal. Is there any other way can upload the log files.

Hi Ram,

                Did you tried attaching it to the post? The post new comment gives option to upload zip file. You can name the files respectively and then zip > attach.

Hi Aravind,

PFA logs

Hi Ram,

               Still not able to see the log attached. Have to attached to your last comment ?

Hi Bro,

Still i couldn't upload the zip files. Even though the file size is less than 100 MB.

Thanks,

Ram.

Hi Bro,

Still i couldn't upload the zip files. Even though the file size is less than 100 MB.

Thanks,

Ram.

Hi Ram,

              Even I am not sure why these are not getting through. Can you host these in some external site like google drive and then share me the link via message ?

Dear Aravind,

Please share your symentec mail ID, i will share you logs via FTP link.

Thanks,

Ram.

Hi Ram,

               I have sent you a PM.

Dear Aravind,

We have shared you the logs to you  via FTP.

Thanks,

Ram.

Hi Ram,

               Looks like you modified the packet capture filter on the upstream from what I have given. When you added the IP address of our child proxy, the pcap got filled with lots on non-related requests within seconds. Our expected information didn't get captured. Requesting you to keep the pcap filters intact when capturing.

"filter in downstream proxy to capture client traffic "ip host x.x.x.x". On Parent proxies Proxy-2 and 3, use the filter "host service.8mmail.com or port 53""