We have some ProxySGs. The version is SGOS 6.4. They are configured in explicit mode. Meaning for https requests: they are tunnelled through port 80 of the proxy's IP address.
Anyone using a similar setup please try the following CSS stylesheet address of a French webmail provider and explain to me why that takes 30 seconds or more to load across the proxy (if that is the case at your site):
I have tried several ProxySGs behind different Internet connections. When I go direct, no problem. Doesn't matter what browser I use, tried IE in Windows, FF in Windows, FF in Linux. Via the proxy there are terrible timeouts to that site, making it impossible to use since they updated their site half a year or so ago.
I have also tried going through an explicit Squid proxy: no problem!
I am at a loss here.
- Are they using something inside HTTP that the ProxySG is choking on?
- Is there something wrong with SSL? I see their certificate does not always seem to match their actual hostname (laposte.net vs. laposte.fr)...
- I had complete policy tracing of the SG turned on yet saw no apparent errors, there was no blacklist match or the like (which wouldn't consistently take 30+ seconds to evaluate anyhow)
Funny thing: Using wget on the same Linux box with FF installed, both across the proxy, wget downloads the file without any delay.
Please advise :)
See packet capture below (left=PC to proxy, right=proxy to internet)
Again, this is very crazy.
This seems to happen because of an odd interaction between Bluecoat's OS and (outdated) F5s used at the other end. More specifically, Bluecoat's TCP silly window syndrome (SWS) avoidance algorithm seems to trigger this:
https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8927.html
Now the question is, would disabling SWS avoidance break something else? I don't know but will investigate.
Since the other party's F5s are outdated one may even be able to just log in and update ;-)