ProxySG & Advanced Secure Gateway

  • 1.  Reverse Proxy rejects one IP out of the Natted IP subnet

    Posted Jun 02, 2023 09:22 AM

    The proxy rejects one IP out of the NATted subnet from the client's end when reaching my authenticated site. What other methods can I check or do without placing the IP in bypass mode? The other NATted IPs in the range can access the site without any issues and I am able to see they are connected.

    1. Checked the logs, which indicated that when trying to reach the authenticated site this error keeps appearing:

    Dameon.Alert X.X.X.X ProxySG: 80204 Abnormal receive request termination of connection from local port 40436 to advance forwarded server 198.X.X.X 13 retransmission occured with at least one packet having 13 retransmission(0) SEVERE_ERROR htp_server.cpp 5437
    2. When doing a pcap capture and reviewing the logs, it shows the client-end IP (NATted IP) is trying to reach my site; however, it shows RST termination errors. It doesn't give the full acknowledgement, and never starts the hello or certificate process.
    I pulled the following logs with no result:
    1. SSLDEBUG
    2. Policy Trace
    3. When I place the "NATted IP" into bypass mode, I was able to see in the pcap the full acknowledgment, hello, and authentication process.
    4. Checked my firewall and I see the NATted IP is able to reach within my network and go out of the network. The only issue is that it stops at my reverse proxy.
     
     


    ------------------------------
    Tekola Wells
    ------------------------------


  • 2.  RE: Reverse Proxy rejects one IP out of the Natted IP subnet

    Posted Jun 05, 2023 02:27 AM

    I would say the "RST" in the PCAP should point to the Client:

    • Reboot the Client
    • Change the Client IP
    • Maybe the Client missed an update (MS had an update regarding supported encryption methods for Active Directory).
    • Check the Eventlog on the Client

    Best regards, 
    Klaus
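
One way to confirm from the capture which side sends the RST, and how far the TCP handshake got before it, is to summarise each flow from a tshark field export. This is an added example, not part of the original posts: the sample rows are constructed, use documentation addresses rather than values from the thread, and assume the export command shown in the comment.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10
STAGES = ["none", "syn", "syn-ack", "established", "data"]

# Constructed sample, in the tab-separated shape produced by:
#   tshark -r capture.pcap -Y tcp -T fields -e ip.src -e tcp.srcport \
#          -e ip.dst -e tcp.dstport -e tcp.flags -e tcp.len
# First flow: client resets right after SYN-ACK (no TLS hello ever sent).
# Second flow: handshake completes and the client sends data.
SAMPLE = """\
203.0.113.7\t40436\t192.0.2.10\t443\t0x0002\t0
192.0.2.10\t443\t203.0.113.7\t40436\t0x0012\t0
203.0.113.7\t40436\t192.0.2.10\t443\t0x0004\t0
203.0.113.8\t51000\t192.0.2.10\t443\t0x0002\t0
192.0.2.10\t443\t203.0.113.8\t51000\t0x0012\t0
203.0.113.8\t51000\t192.0.2.10\t443\t0x0010\t0
203.0.113.8\t51000\t192.0.2.10\t443\t0x0018\t517
"""

def summarize(text):
    """Per flow: furthest stage reached before any RST, and who sent the first RST."""
    flows = {}
    for line in text.strip().splitlines():
        src, sport, dst, dport, flags, length = line.split("\t")
        flags, length = int(flags, 16), int(length)
        key = frozenset([(src, sport), (dst, dport)])  # same key for both directions
        f = flows.setdefault(key, {"client": None, "stage": 0, "rst_from": None})
        if flags & RST:
            if f["rst_from"] is None:
                f["rst_from"] = "client" if (src, sport) == f["client"] else "server"
            continue
        if flags & SYN:
            if not flags & ACK:
                f["client"] = (src, sport)  # the side that sent the bare SYN
            f["stage"] = max(f["stage"], 2 if flags & ACK else 1)
        elif f["stage"] >= 2 and (src, sport) == f["client"]:
            f["stage"] = max(f["stage"], 3)  # client ACK completes the handshake
        if length > 0:
            f["stage"] = max(f["stage"], 4)  # payload seen, e.g. a TLS ClientHello
        # Flows whose opening SYN is not in the capture are left out below.
    return {"%s:%s" % f["client"]: (STAGES[f["stage"]], f["rst_from"])
            for f in flows.values() if f["client"]}

if __name__ == "__main__":
    for flow, (stage, rst_from) in summarize(SAMPLE).items():
        print(flow, "stage:", stage, "first RST from:", rst_from)
```

Run against captures taken on both sides of the proxy, a flow that stops at `syn-ack` with the RST attributed to `client` matches the reply's reading, while an RST attributed to `server` on the client-facing capture means the proxy itself closed the connection.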