Why, in some cases, does a ProxySG send back a (2xx) response to a "CONNECT" request without opening a socket to the OCS first?

FAQ ID:    FAQ1827
Version:    1.0
Status:    Published
Published date:    01/16/2012


This behavior can appear to contradict RFC 2817, which stipulates that when a proxy returns a (2xx) response to a CONNECT request, the proxy has established a connection to the origin server. In packet captures, we sometimes see the proxy return a (2xx) response and then reset the client connection without attempting to connect to the OCS.

It is also possible for the client to get a (2xx) from the proxy even when the origin server is not available.


This behavior depends on whether the protocol detection feature is enabled.

When protocol detection is disabled, the proxy does not examine the connection and simply relays the information to the origin server. In this case, a simple tunnel is established, and the ProxySG will not send a (2xx) response back to the client without first checking with the origin server.

When protocol detection is enabled, the ProxySG needs to examine what the client sends before it opens a connection to the origin server, which in turn means the proxy needs to return a (2xx) to the client so that the client starts sending its first request. In this case, the ProxySG is partly acting as an origin server, and RFC 2817 mentions that an origin server can return a (2xx) response when a connection is established.
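The two orderings described above can be reproduced with a toy model. This is an added example, not ProxySG code: the names `handle_connect`, `dial`, `dead_origin` and `demo`, the host `origin.example`, the 503 status used for a failed dial, and the leading-byte TLS check are all assumptions made for illustration.

```python
import socket
import threading

OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
FAIL = b"HTTP/1.1 503 Service Unavailable\r\n\r\n"  # assumed failure status

def read_head(sock):
    """Read until the blank line that ends an HTTP message head."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def handle_connect(client, dial, detect):
    """Toy proxy for one CONNECT; returns the ordered actions it took."""
    log = []
    target = read_head(client).split()[1].decode()  # "host:port"
    if detect:  # detection on: the 2xx goes out before any dial
        client.sendall(OK)
        first = client.recv(4096)  # first client bytes, examined by the proxy
        log += ["2xx", "tls" if first[:1] == b"\x16" else "other"]
    try:
        dial(target).close()  # the model stops once the origin leg is decided
        reachable = True
    except OSError:
        reachable = False
    log.append("dial-ok" if reachable else "dial-failed")
    if not detect:  # detection off: the status reflects the real dial outcome
        client.sendall(OK if reachable else FAIL)
        log.append("2xx" if reachable else "503")
    return log

def dead_origin(target):  # constructed stand-in for an unavailable origin
    raise ConnectionRefusedError(target)

def demo(detect, dial=dead_origin):
    """Send one CONNECT through the toy proxy; return (status line, proxy log)."""
    c, p = socket.socketpair()  # in-process client <-> proxy link, no network
    out = []
    t = threading.Thread(target=lambda: out.extend(handle_connect(p, dial, detect)))
    t.start()
    c.sendall(b"CONNECT origin.example:443 HTTP/1.1\r\nHost: origin.example:443\r\n\r\n")
    status = read_head(c).split(b"\r\n")[0].decode()
    if status.startswith("HTTP/1.1 2"):
        c.sendall(b"\x16\x03\x01")  # constructed first bytes of a TLS record
    t.join()
    c.close()
    p.close()
    return status, out
```

Calling `demo(False)` and `demo(True)` against the constructed unavailable origin shows the difference a packet capture would show: with detection off the client receives the failure status, while with detection on the 200 has already been sent by the time the dial fails.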

