
What TCP source ports are used by the ProxySG and how do I manage them?

Solutions ID:    KB4676
Version:    5.0
Status:    Published
Published date:    10/05/2011
Updated:    03/05/2014

Problem Description

Typically, the ProxySG appliance uses a randomly assigned source port in the range 49152 to 65535 for outgoing connections. This is the ephemeral port range suggested by the Internet Assigned Numbers Authority (IANA). On a very busy appliance, this small range of TCP ports can result in the ProxySG reusing source ports at a quick rate, which can cause issues with other devices (such as firewalls or intrusion detection applications). Those devices, upon seeing multiple requests with the same source and destination ports within a short window of time, may flag the connection as invalid.

The exception to this is when Reflect Client IP is enabled. In that case, the appliance reuses the source port from the client request as it contacts the OCS, even if that port is lower than the configured low port. This is by design, and necessary to mirror the details of the client connection to the 

Resolution

You can resolve this issue by either increasing the range of source ports the appliance uses, or by disabling the automatic randomization used to assign source ports to outbound traffic.

Configure the Source Port Range
tcp-ip inet-lowport <value between 1,024 and 49,152>
Example: SG300#(config)tcp-ip inet-lowport 16384

This increases the range of available source ports from the default of about 16K to the difference between 65,535 (the highest available port) and the configured lowport value. So, if you use 16,384 as the lowport value, the new range contains roughly 48K ports.
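The following is an added example, not part of this article or of any Blue Coat software: it computes the source-port pool size for a given inet-lowport value, and scans constructed connection records (a made-up "timestamp src -> dst" format, not real appliance or firewall output) for the rapid reuse of the same source/destination port pair that the Problem Description says a firewall or IDS may flag.

```python
from datetime import datetime, timedelta

IANA_LOW, MAX_PORT = 49152, 65535  # default ephemeral range on the ProxySG


def source_port_pool(lowport=IANA_LOW):
    """Number of source ports available for a given inet-lowport value
    (ports lowport..65535 inclusive). Bounds follow the CLI syntax above."""
    if not 1024 <= lowport <= 49152:
        raise ValueError("inet-lowport must be between 1024 and 49152")
    return MAX_PORT - lowport + 1


# Constructed sample records (hypothetical format, not real log output):
# "<ISO timestamp> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_LOG = """\
2014-03-05T10:00:00 10.1.1.5:49200 -> 203.0.113.10:80
2014-03-05T10:00:01 10.1.1.5:49201 -> 203.0.113.10:80
2014-03-05T10:00:12 10.1.1.5:49200 -> 203.0.113.10:80
2014-03-05T10:02:30 10.1.1.5:49201 -> 203.0.113.10:80
"""


def parse_record(line):
    """Split one constructed record into (timestamp, src, dst)."""
    ts, src, _, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_rapid_reuse(log_text, window=timedelta(seconds=60)):
    """Return (timestamp, src, dst, seconds_since_last_use) for every
    connection whose source/destination pair was last seen less than
    `window` ago: the pattern a firewall or IDS may treat as invalid."""
    last_seen = {}
    hits = []
    for line in log_text.splitlines():
        ts, src, dst = parse_record(line)
        prev = last_seen.get((src, dst))
        if prev is not None and ts - prev < window:
            hits.append((ts, src, dst, (ts - prev).total_seconds()))
        last_seen[(src, dst)] = ts
    return hits


if __name__ == "__main__":
    print("default pool:", source_port_pool(), "ports")
    print("lowport 16384:", source_port_pool(16384), "ports")
    for ts, src, dst, gap in find_rapid_reuse(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst} reused after {gap:.0f}s")
```

Run it against your own connection logs (after adapting parse_record to their format) before and after changing inet-lowport to confirm that rapid reuse of the same port pair has stopped.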

Disable Source Port Randomization
tcp-ip tcp-randomize-port <enable|disable>
Example: SG300#(config)tcp-ip tcp-randomize-port disable

Disables the new randomization algorithm and reverts to the old 4.x behavior.

These commands are available in the following SGOS versions:

  • 5.4.5.1 and later
  • 5.5.3.1 and later
  • 6.x all versions
