
"Unknown" content in SYN packet causes some websites to refuse connections to ADN enabled web-gateway proxies.

Solutions ID:    KB4771
Version:    1.0
Status:    Published
Published date:    11/28/2011
 

Problem Description

Some websites (observed, for example, with www.pisiffik.gl and some French government sites) ignore SYN packets sent by the proxy, so the end user receives a TCP_ERROR exception message even though other websites are unaffected.  A packet capture shows a series of SYN packets sent by the proxy that receive no response, exactly as if the site were down.

However, if the client bypasses the proxy, everything works, and online testing sites confirm that the site is up.

Finally, disabling ADN entirely restores access.

Resolution

A packet capture shows that the proxy adds a small amount of unknown data, around 15-20 bytes, to each SYN packet for HTTP port 80 (see attached image).  This is the ADN serial number needed to allow an ADN tunnel to be established with any other peers.  It is added in a transparent open ADN network because at this stage the proxy does not know which ADN peers the traffic will reach.  Some web servers therefore assume this is malware and ignore the incoming connection.
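To confirm the symptom described above in your own capture, you want a check that flags SYN packets carrying anything beyond a plain TCP header. The following is an added example, not code from the Blue Coat article: it parses raw IPv4/TCP frames with only the standard library and reports any client SYN that has a data payload or a non-standard TCP option kind (the latter is a generalization beyond the article, which only describes extra bytes). The sample packets are constructed inline for illustration and do not model the actual ADN bytes; to run this against a real capture you would feed it the IP-layer bytes of each frame from your pcap reader of choice.

```python
"""Flag TCP SYN packets that carry data beyond a plain header (added example)."""
import struct

# TCP option kinds a plain SYN normally carries: EOL, NOP, MSS, window scale,
# SACK-permitted and timestamps. Anything else is reported as unusual.
STANDARD_OPTION_KINDS = {0, 1, 2, 3, 4, 8}


def parse_tcp_options(raw):
    """Return the list of option kinds found in a TCP options block."""
    kinds = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        kinds.append(kind)
        if kind == 0:          # EOL ends the option list
            break
        if kind == 1:          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(raw):  # truncated option, stop
            break
        length = raw[i + 1]
        if length < 2:         # malformed length, stop rather than loop forever
            break
        i += length
    return kinds


def inspect_syn(packet):
    """Parse one IPv4/TCP packet; return a report for a client SYN, else None."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                     # not TCP
        return None
    tcp = packet[ihl:total_len]
    _src, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    if not (flags & 0x02) or (flags & 0x10):  # want SYN without ACK
        return None
    kinds = parse_tcp_options(tcp[20:data_offset])
    unusual = [k for k in kinds if k not in STANDARD_OPTION_KINDS]
    payload_len = len(tcp[data_offset:])
    return {
        "dst_port": dst_port,
        "option_kinds": kinds,
        "unusual_option_kinds": unusual,
        "payload_len": payload_len,
        "suspicious": bool(unusual) or payload_len > 0,
    }


def audit(packets):
    """Return (index, report) for every SYN in the list that carries extra data."""
    flagged = []
    for i, pkt in enumerate(packets):
        report = inspect_syn(pkt)
        if report and report["suspicious"]:
            flagged.append((i, report))
    return flagged


def build_syn(dst_port, options=b"", payload=b""):
    """Construct a minimal IPv4/TCP SYN for the sample set (checksums left zero)."""
    if len(options) % 4:                   # pad options to a 4-byte boundary with EOL
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 0,
                      (data_offset << 12) | 0x02, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return ip + tcp


MSS = b"\x02\x04\x05\xb4"                  # ordinary MSS option (1460)

# Constructed samples: a clean SYN, a SYN with 16 payload bytes standing in for the
# article's "unknown data", and a SYN with an experimental option kind (253).
SAMPLE_PACKETS = [
    build_syn(80, options=MSS),
    build_syn(80, options=MSS, payload=b"\x41" * 16),
    build_syn(80, options=MSS + b"\xfd\x08" + b"\x00" * 6),
]

if __name__ == "__main__":
    for idx, rep in audit(SAMPLE_PACKETS):
        print(f"packet {idx}: port {rep['dst_port']} payload={rep['payload_len']} "
              f"unusual options={rep['unusual_option_kinds']}")
```

A proxy whose port 80 SYNs are flagged by this check while direct client SYNs are not is showing exactly the behaviour the article attributes to ADN, and the resolution below (moving ADN onto its own service port) should make the flagged entries disappear from a fresh capture.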

The solution is to separate the services the proxy uses: put a service listener on a port reserved for ADN traffic, which allows you to disable ADN for the standard port 80 web gateway traffic and in turn stops this content being added.

If, for example, you have a port 80 ADN-enabled listener for your ADN traffic, change your ADN configuration so it uses another port.  This allows you to disable ADN on the port 80 listener.  Any other solution would require a separate proxy dedicated to internet-facing traffic.

To summarize:

1- Switch all internal HTTP traffic to a new port, e.g. 8080: create a new service "Explicit HTTP port 8080" on both core and edge proxies, and enable ADN for this service.

2- Modify client browser settings to use the new "internal" port, in this case 8080.

3- Disable ADN for the HTTP service using port 80 on the internet gateway proxy (typically the Core ADN peer).


Attachment

