INFO: TCP Errors and Broken Sessions in a Proxy Chain with BlueCoat

Expand / Collapse

  • Description
    In a proxy chain with BlueCoat Proxy SG (downstream proxy) and Finjan Vital Security (upstream proxy) clients get "TCP errors" and see broken sessions.

  • Symptoms
    Clients browsing the internet see "TCP error" pages, and experience overall performance drop.

  • Cause
    This might be related to a specific HTTP setting on the BlueCoat Proxy SG:
    "HTTP persistent server" enables support for persistent server requests to web servers.
    It is enabled by default and set to 15 minutes.
    That means a session is kept open for 15 minutes, even if no data is retrieved, in order to avoid the necessity of a new TCP session setup (if required).

    This makes sense if the BlueCoat is the external proxy as the load is distributed over all addressed internet servers.

    However, in a proxy chain the upstream proxy has to hold all sessions even if no data is retrieved anymore.
    This is a waste of resources with regards to the capacity of established connections, and can lead to the situation that no new sessions can be established.

  • Solution
    Disable session persistency for server connections as follows:
    1. Get SSH or serial access to the BlueCoat Proxy SG.
    2. Change to enable mode ("en").
    3. Change to config  mode ("config t").
    4. In HTTP settings: disable persistent server requests ("http no persistent server").
    5. Quit config mode ("exit").

    This setting is active now.
    You might want to check the settings afterwards:

    • Type "show http".
    • The console output should look like this:

    Persistent connections:
      Client connections:   enabled
      Server connections:   disabled


  • Software Version
    not related to SWG
    This article applies to:
    NG 5000 / SWG 3000
    NG 6000 / SWG 5000
    NG 8000 / SWG 7000
    This article was previously published as:
    Finjan KB 1523

  • To contact Trustwave about this article or to request support:

    Rate this Article:

    Add Your Comments

    Comment submission is disabled for anonymous users.
    Please send feedback to Trustwave Technical Support or the Webmaster