Description
In a proxy chain with BlueCoat Proxy SG as the downstream proxy and Finjan Vital Security as the upstream proxy, clients receive "TCP error" pages and experience broken sessions.
Symptoms
Clients browsing the Internet see "TCP error" pages and experience an overall drop in performance.
Cause
This may be caused by a specific HTTP setting on the BlueCoat Proxy SG:
"HTTP persistent server" enables support for persistent server requests to web servers.
It is enabled by default with a timeout of 15 minutes.
That means a server connection is kept open for 15 minutes, even if no data is being retrieved, so that a new TCP session does not have to be set up if the same server is addressed again.
This makes sense if the BlueCoat is the external proxy, because the open connections are spread across all the Internet servers it talks to.
In a proxy chain, however, all of those connections terminate at the upstream proxy, which has to hold them even when no data is being retrieved anymore.
This wastes the upstream proxy's capacity for established connections and can lead to a situation where no new sessions can be established.
Solution
Disable session persistence for server connections as follows:
- Get SSH or serial access to the BlueCoat Proxy SG.
- Change to enable mode ("en").
- Change to config mode ("config t").
- In HTTP settings: disable persistent server requests ("http no persistent server").
- Quit config mode ("exit").
The setting is now active.
To verify the settings afterwards:
- Type "show http".
- The console output should look like this:
Persistent connections:
Client connections: enabled
Server connections: disabled
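As an added example (not part of the original article), the following Python helper parses the "show http" output shown above and fails closed when the "Server connections" line is missing, so the check can be used in a configuration audit rather than relying on a visual read of the console. The sample outputs are constructed to match the format on this page, not captured from a device.

```python
import re
from typing import Dict, Tuple

# Constructed sample of "show http" output after the fix (format as on this page).
SHOW_HTTP_FIXED = """\
Persistent connections:
Client connections: enabled
Server connections: disabled
"""

# Constructed sample reflecting the default (problematic) state.
SHOW_HTTP_DEFAULT = """\
Persistent connections:
Client connections: enabled
Server connections: enabled
"""

_LINE_RE = re.compile(r"^(client|server) connections:\s*(enabled|disabled)\s*$",
                      re.IGNORECASE)


def parse_persistent_connections(output: str) -> Dict[str, str]:
    """Return {'client': ..., 'server': ...} from the persistent-connection
    lines of 'show http'. A key is omitted when its line is absent, so the
    caller can tell 'not reported' apart from 'disabled'."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            result[match.group(1).lower()] = match.group(2).lower()
    return result


def check_server_persistence(output: str) -> Tuple[bool, str]:
    """Audit verdict: True only when the output positively shows server
    persistence disabled; missing or unexpected data fails the check."""
    server = parse_persistent_connections(output).get("server")
    if server is None:
        return False, "no 'Server connections' line found in show http output"
    if server != "disabled":
        return False, f"server persistence is {server}; run 'http no persistent server'"
    return True, "server persistence disabled"


if __name__ == "__main__":
    for label, sample in (("fixed", SHOW_HTTP_FIXED), ("default", SHOW_HTTP_DEFAULT)):
        ok, reason = check_server_persistence(sample)
        print(f"{label}: {'PASS' if ok else 'FAIL'} - {reason}")
```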
Software Version
not related to SWG
- This article applies to:
- NG 5000 / SWG 3000
- NG 6000 / SWG 5000
- NG 8000 / SWG 7000
- This article was previously published as:
- Finjan KB 1523