TCP port exhaustion can starve all new TCP connection attempts.
Affected products and versions
The use of a restricted TCP port range and port randomization is available on the ProxySG from SGOS v5.4.
Symptomatically, the appliance appears to stop forwarding traffic, yet existing established connections continue to work, and access to the Management Console and to the CLI over SSH works as well. New TCP connections, however, cannot be opened: users are unable to retrieve web pages, map CIFS shares (if CIFS is intercepted), or use any other TCP application that requires a new connection setup (i.e. a 3-way handshake).
A new port randomization algorithm is being incorporated into SGOS which will avoid the global side effect that prevents other applications from creating TCP connections. The application that originally experienced the port exhaustion must still be mitigated separately (see the workaround steps below).
Additionally, the 10 minute FIN_WAIT_2 timer will be adjustable to a lower value (one minute) which will allow the reuse of these timed out connections and free up ports.
Here are some recommended mitigation steps you may follow to alleviate and potentially avoid this condition at the SG. In the case of misbehaving servers or network elements that are interfering with the proper use of the TCP/IP protocol, it is best to determine the source of the issue and correct it first and foremost. Additionally, at the ProxySG there is a knob and a switch that can be used to help mitigate the issue in the short term.
The knob increases the available port range from the 16K default to a larger number. This is done using the following hidden CLI command at the SG:
As stated, though, in the case of misbehaving servers or network devices that are causing the TCP connection table to fill up with timed-out entries (e.g. FIN_WAIT_2, TIME_WAIT), it is best to correct the external problem for a complete solution.
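To spot the condition described above before new connections start failing, the following added Python example (not Blue Coat code) parses netstat-style connection lines, measures how much of a configured source-port range is in use, and counts FIN_WAIT_2/TIME_WAIT entries per remote peer so that a misbehaving server stands out. The line format, the sample addresses and the port range bounds are constructed assumptions; the operator supplies the range actually configured on the SG.

```python
from collections import Counter

# Constructed sample in "proto local remote state" form (not real ProxySG
# output). The local port is the source port the proxy used toward the server.
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.5:32768 192.0.2.10:80 ESTABLISHED
tcp 10.0.0.5:32769 192.0.2.10:80 FIN_WAIT_2
tcp 10.0.0.5:32770 192.0.2.10:80 FIN_WAIT_2
tcp 10.0.0.5:32771 192.0.2.10:80 FIN_WAIT_2
tcp 10.0.0.5:32772 198.51.100.7:443 TIME_WAIT
tcp 10.0.0.5:32773 198.51.100.7:443 ESTABLISHED
"""

# States named in the article as filling the connection table after the
# peer stops participating in the close handshake.
STUCK_STATES = {"FIN_WAIT_2", "TIME_WAIT"}


def parse_connections(text):
    """Return (local_port, remote_endpoint, state) tuples from netstat-style lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue  # skip headers, UDP and malformed lines
        local_port = int(parts[1].rsplit(":", 1)[1])
        rows.append((local_port, parts[2], parts[3]))
    return rows


def port_exhaustion_report(rows, port_lo, port_hi, warn_ratio=0.8):
    """Summarise source-port pressure over the configured range [port_lo, port_hi]."""
    size = port_hi - port_lo + 1
    in_range = [r for r in rows if port_lo <= r[0] <= port_hi]
    used = len({r[0] for r in in_range})          # distinct ports occupied
    by_state = Counter(r[2] for r in in_range)
    stuck_by_peer = Counter(r[1] for r in in_range if r[2] in STUCK_STATES)
    return {
        "range_size": size,
        "ports_in_use": used,
        "utilisation": used / size,
        "by_state": dict(by_state),
        "stuck_by_peer": dict(stuck_by_peer),    # which server to investigate first
        "warn": used / size >= warn_ratio,
    }


if __name__ == "__main__":
    # Assumed tiny range so the sample fills it; use the SG's real range in practice.
    print(port_exhaustion_report(parse_connections(SAMPLE_CONNECTIONS), 32768, 32773))
```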
The problem is resolved in the following versions of SGOS:
SGOS 5.5 code branch: Fixed in SGOS 126.96.36.199. Search for "tcp-ip tcp-fast-finwait2-recycle" in the release notes (it should be at the top of page 21 in the release notes PDF). SGOS 188.8.131.52 and the accompanying release notes can be downloaded at https://bto.bluecoat.com/download/product/41.
SGOS 5.4 code branch: Fixed in SGOS 184.108.40.206. Search for bug 145266 in the SGOS 220.127.116.11 release notes. SGOS 18.104.22.168 and the accompanying release notes can be downloaded at https://bto.bluecoat.com/download/product/17.