ProxySG & Advanced Secure Gateway

  • 1.  proxysg is not compatible with Session Ticket

    Posted Jul 09, 2020 01:09 PM
    Hi Team,

    In our country there is a website, www.baidu.com, which is like www.google.com: "www.baidu.com" is a search engine website. After using the ProxySG, when customers (Cx) access www.baidu.com, they fail to access it. Other Baidu sites also have this problem.


    Troubleshooting:
    1. They must close the browser and open it again; then they can access this website.
    2. We checked the Wireshark pcap; it shows the traffic always fails in the Session Ticket cycle.
    3. We also see the same problem in this KB:
    https://knowledge.broadcom.com/external/article?articleId=170224

    It only shows the workaround, but we have no solution, because we also use NDLP to check and intercept the HTTPS traffic. So if we bypass "www.baidu.com" and other Baidu subdomains like "pan.baidu.com", which can upload files, we will have the danger of losing data.

    What can we do now?


  • 2.  RE: proxysg is not compatible with Session Ticket

    Broadcom Employee
    Posted Jul 09, 2020 03:02 PM
    Edited by Jacob Miles Jul 09, 2020 06:22 PM
    Hi Chris,

    Thanks for reaching out. A few things to note:

    • The KB you mentioned is specifically for the Kindle for Mac app.
    • The fact that this magically works again when the browser is closed and reopened makes me lean toward this being a browser issue, and not necessarily a ProxySG issue.
    • The most common places for the TLS handshake to break when the ProxySG is at fault are right after the Client Hello on a Client-Proxy session (if the Client Hello doesn't contain at least one allowed cipher or isn't using an allowed protocol), or after the Server Hello and Certificate in a Proxy-Server session (if the Server Hello contains an incompatible cipher, or if the ProxySG is set to do Server Certificate Validation and doesn't trust the Server Certificate).

    I understand that you can't turn off SSL decryption as a fix, but I would try temporarily disabling it and some of the other services for an affected user, using the troubleshooting CPL found in the KB below, to either vindicate or condemn the ProxySG in this case:

    https://knowledge.broadcom.com/external/article?legacyId=tech243229

    With the CPL installed and configured for your test user, I would try accessing the website again and see what happens. If the issue persists, and you can see from a policy trace that those rules are matching, then the issue lies outside of the ProxySG. If you consistently can reach it after applying the policy, then you can comment out different elements of the script to see what service is at play.

    While you mentioned that you saw TLS handshake failures in a packet capture, I would expect that traffic would fail every time, and not work when closing and reopening the browser. If you are using a surrogate method of authentication (ProxyIP, Origin-IP-Redirect, etc.), I could possibly see an issue with authentication on this site that would resolve itself once the surrogate was set by authenticating to a different site... One would need to take a closer look to see.

    This is where I would start. As always, feel free to log a ticket with Support to have someone take a closer look at the situation.

    Thanks!
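    To make the two handshake checks above concrete (a Client Hello with no allowed cipher, and a client resuming with a session ticket as seen in the original poster's capture), here is an added example that is not part of this thread or of any ProxySG tooling. It parses a TLS Client Hello record and reports whether the client is presenting a session ticket and whether its cipher list overlaps an assumed allowed-cipher set; the allowed set and the Client Hello bytes are constructed for the example.

```python
import struct

# Cipher suites an SSL profile might allow; these values are assumed, not a ProxySG default.
ALLOWED_CIPHERS = {0xC02F, 0xC030, 0x1301, 0x1302}
EXT_SESSION_TICKET = 0x0023  # RFC 5077 session_ticket extension type

def build_client_hello(ciphers, ticket=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    exts = b""
    if ticket is not None:  # an empty ticket means "I support tickets but have none"
        exts += struct.pack("!HH", EXT_SESSION_TICKET, len(ticket)) + ticket
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # version, random, no session_id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs          # record type 22 = handshake

def parse_client_hello(record):
    """Return (cipher suites, {extension type: data}) from a ClientHello record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 4 + 2 + 32                          # skip handshake header, client version, random
    p += 1 + hs[p]                          # session_id (length-prefixed)
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                          # compression methods (length-prefixed)
    exts = {}
    if p < len(hs):
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            exts[etype] = hs[p:p + elen]; p += elen
    return ciphers, exts

def assess(record, allowed=ALLOWED_CIPHERS):
    """Flag a ticket-resumption attempt and the cipher overlap an intercepting proxy would see."""
    ciphers, exts = parse_client_hello(record)
    ticket = exts.get(EXT_SESSION_TICKET)
    overlap = sorted(set(ciphers) & set(allowed))
    return {
        "resuming_with_ticket": ticket is not None and len(ticket) > 0,
        "cipher_overlap": overlap,
        "would_fail_cipher_check": not overlap,
    }
```

Feeding the Client Hello bytes from a capture into `assess` separates "the client offered nothing the proxy accepts" from "the client tried to resume with a ticket", which is the distinction worth making before blaming the proxy.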


  • 3.  RE: proxysg is not compatible with Session Ticket

    Posted Jul 09, 2020 11:30 PM
    Hi Jacob

    Thanks for your reply. When we only connect 10-50 clients, this problem does not happen. If we connect over 300 clients, sometimes the clients will have this problem. Maybe they can access the Baidu website successfully at first, but if they want to open a second website in the browser (which is not closed), it fails to open.


  • 4.  RE: proxysg is not compatible with Session Ticket

    Posted Jul 09, 2020 11:33 PM
    I also uploaded the pcap logs from the client and the ProxySG; could you take a look at them?

    Unfortunately, the customer's license expired, so we cannot open a ticket. He also said that if we fail to solve this problem, he won't renew the license...


  • 5.  RE: proxysg is not compatible with Session Ticket

    Posted Sep 14, 2020 11:39 AM
    While you mentioned that you saw TLS handshake failures in a packet capture, I would expect that traffic would fail every time, and not work when closing and reopening the browser. If you are using a surrogate method of authentication (ProxyIP, Origin-IP-Redirect, etc.), I could possibly see an issue with authentication on this site that would resolve itself once the surrogate was set by authenticating to a different site... One would need to take a closer look to see.