We have a web server behind a Juniper SA 4500 appliance configured as a secure reverse proxy. We are running into issues with content not being delivered to the client that is connecting to the SA4500. From the client's perspective, they get a blank window, or if looking at a developer tools network capture, the transfer of data stalls (i.e. it stalls downloading the web page).
From packet captures taken between the Juniper SA appliance and the backend web server that has the content, I can see there is an HTTP GET request for the content, and the web server responds back with a Content-Length of X MBytes. I see the transfer start, but it stalls out.
The Juniper SA appliance's TCP receive window goes from 64K down to 0, and never recovers. It's like the receive buffer fills up and cannot get emptied, so the web server keeps checking to see if the Juniper appliance is ready to receive more data, but Juniper keeps stating a TCP receive window of 0. The frustrating part is this is not consistent, but consistent enough that users complain that pages are not being displayed. Has anyone else seen any TCP receive window issues with Juniper SA appliances or know of any issues that may exist? We are at the latest patch set, 8.0r6, but we were also experiencing the issue with 7.x code.
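The symptom described above (the proxy advertising a zero receive window while the backend keeps sending zero-window probes) can be confirmed mechanically rather than by eyeballing a capture. The following is an added example and not code from the thread or from Juniper: it walks a list of TCP segments (here a constructed capture, with the hypothetical addresses 10.1.1.5 for the appliance's backend-facing side and 10.1.1.20 for the web server) and reports every episode where the receiver's window stays at 0 longer than a threshold, how many probes the peer sent meanwhile, and whether the window ever reopened. Feeding it real segments would need a pcap reader such as scapy or a tshark export, which is left out so the example runs offline.

```python
"""Detect persistent TCP zero-window stalls between a reverse proxy and its backend.

Added example; the capture below is constructed, not taken from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional

PROXY = "10.1.1.5"     # hypothetical: appliance's backend-facing address
BACKEND = "10.1.1.20"  # hypothetical: backend web server


@dataclass
class Segment:
    ts: float          # capture timestamp in seconds
    src: str           # sending host
    dst: str           # receiving host
    window: int        # advertised receive window in bytes (scaling already applied)
    payload_len: int   # TCP payload bytes carried


@dataclass
class Stall:
    start: float       # first zero-window advertisement by the receiver
    end: float         # last segment seen while the window was still closed (or the reopen)
    probes: int        # peer segments of <= 1 byte sent while the window was closed
    recovered: bool    # True if the receiver advertised a non-zero window again


def find_zero_window_stalls(segments: List[Segment], receiver: str,
                            min_duration: float = 10.0) -> List[Stall]:
    """Return stall episodes in which `receiver` advertised window 0 for at least
    `min_duration` seconds. An episode that is still open when the capture ends is
    reported with recovered=False, which matches the 'never recovers' case."""
    stalls: List[Stall] = []
    current: Optional[Stall] = None
    for s in sorted(segments, key=lambda x: x.ts):
        if s.src == receiver:
            if s.window == 0:
                if current is None:
                    current = Stall(start=s.ts, end=s.ts, probes=0, recovered=False)
                else:
                    current.end = s.ts
            elif current is not None:
                # Window update with a non-zero window: the receiver drained its buffer.
                current.recovered = True
                current.end = s.ts
                stalls.append(current)
                current = None
        elif s.dst == receiver and current is not None and s.payload_len <= 1:
            # A 0- or 1-byte segment from the peer while the window is closed is a
            # zero-window probe: the sender asking whether it may continue.
            current.probes += 1
            current.end = s.ts
    if current is not None:
        stalls.append(current)  # capture ended while still stalled
    return [st for st in stalls if st.end - st.start >= min_duration]


def constructed_capture() -> List[Segment]:
    """Constructed capture: the backend streams a large response, the proxy's window
    drains to zero twice. The first stall clears after a few seconds; the second
    never clears and the backend probes for about a minute."""
    cap: List[Segment] = []
    clock = [0.0]

    def emit(src: str, dst: str, window: int, plen: int, dt: float = 0.01) -> None:
        clock[0] += dt
        cap.append(Segment(clock[0], src, dst, window, plen))

    def drain_window() -> None:
        win = 65535
        while win > 0:
            emit(BACKEND, PROXY, 65535, 1460)       # data segment from backend
            win = max(0, win - 1460)
            emit(PROXY, BACKEND, win, 0)           # ACK with shrinking window

    drain_window()
    for _ in range(2):
        emit(BACKEND, PROXY, 65535, 1, dt=1.5)     # zero-window probe
        emit(PROXY, BACKEND, 0, 0)                 # still closed
    emit(PROXY, BACKEND, 65535, 0, dt=0.5)         # window update: recovered

    drain_window()
    for _ in range(12):
        emit(BACKEND, PROXY, 65535, 1, dt=5.0)     # probes at 5 s intervals
        emit(PROXY, BACKEND, 0, 0)                 # proxy never reopens the window
    return cap


if __name__ == "__main__":
    for st in find_zero_window_stalls(constructed_capture(), PROXY):
        print(f"zero window from t={st.start:.2f}s for {st.end - st.start:.1f}s, "
              f"{st.probes} probes, recovered={st.recovered}")
```

With the default 10 second threshold only the second episode is reported; lowering `min_duration` also surfaces the short stall that recovered. On a real capture, a run of episodes with `recovered=False` where the receiver is the appliance, while the backend keeps probing, is the evidence that the buffer is not being drained on the proxy side rather than the server refusing to send.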
I am not sure if this is relevant to your case but I have come across similar where the back end web server was Windows based and using TCP Window Scaling in its network settings.
I do believe this is a known bug in the SA series also, that it doesn't interact well with this.
The workaround on the web server at the time was to disable "Receive Window Scaling" / "Auto Tuning".
Hope this provides some help.
Do you have any details on the old bug, or any reference to the old case number? We are currently working with JTAC, and seem to be going nowhere fast. Any help appreciated.
The current case number is 2014-0905-0949.
Note, I do not manage these boxes directly, but I'm a customer of these devices and they are managed by a third party company. I'm able to retrieve packet captures using a SPAN session in front of the Juniper device and the back end server. Based on the captures, where the Juniper device keeps advertising a TCP receive window of zero, that tells me the issue is on the Juniper device, where the backend web server keeps sending packets to see if the Juniper device is ready to continue. Sometimes it recovers, other times it times/stalls out.
Was there any progress on this? I have a case where it might be related, I'm not sure. I have an application that is being rewritten, but it doesn't work right on iOS. Looking at dev tools, the page being rewritten gets an error shoved into it after a period of time. A packet capture shows the TCP windows getting full.
I do already have a case open with JTAC: 2015-0310-0874