Websense server status is down


Article ID: KB13346 KB Last Updated: 29 Jan 2010 Version: 1.0
Summary:
The Websense server status is down due to a TCP socket issue.


Symptoms:
Websense server status is down

UMPMWR-FW2(M)-> get url
Server Type: Websense
Web Filtering: Enabled
Websense Server Info
Name: 10.68.1.6
Port: 15868
Timeout: 10 (sec)
Message Info
Type: "Server Specific"
Connection Info
Source Interface Configured: ethernet1/1:2
Socket Count: 8
Fail Mode: Fail-Permit
Connection: Down
Solution:
One possible reason for this is stuck sockets. In the output of "get socket", you may notice that some sockets are stuck in the close state.

These sockets hold net-bufs, so no other URL requests can be sent out to the Websense server.

There is a limitation in the TCP code where the zero window probe mechanism is not supported. Once the send window is zero, the TCP stack will not send any data until it receives a packet with a changed window size from the peer. In this case, the customer changed the server IP from 10.1.1.5 to 10.1.1.6, and the old IP 10.1.1.5 no longer exists.

Because the server IP was changed, the peer never sends a packet announcing a changed window size. Thus all data will be pending on this socket forever.

In the ScreenOS 6.3 release, the zero window probe mechanism has been implemented. When the send window reaches zero, TCP will periodically send a zero window probe packet to its peer. If several probe packets are sent but no response packets are received, TCP will consider the connection closed by the peer and will free the socket.

get socket id 1246
.....
send window 0, w1/w2 1640929421/2495493252 cwnd 65535
.....


Until the release of ScreenOS 6.3, the workaround for this problem is to reboot the firewall to free up the stuck sockets.
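
One way to spot such sockets from two saved "get socket id" transcripts taken some time apart, as an added example that is not from the original article or from Juniper: it flags socket ids whose send window is 0 in both captures with unchanged w1/w2. The transcripts are constructed (only the id 1246 lines come from the article), and reading w1/w2 as markers of the peer's last window update is an assumption.

```python
import re

# Constructed transcripts. The command and "send window" line follow the form
# shown in the article; ids 1247/1248 and their values are made up.
CAPTURE_T0 = """\
get socket id 1246
.....
send window 0, w1/w2 1640929421/2495493252 cwnd 65535
.....
get socket id 1247
send window 0, w1/w2 301/9001 cwnd 65535
get socket id 1248
send window 8192, w1/w2 555/777 cwnd 65535
"""
CAPTURE_T1 = """\
get socket id 1246
.....
send window 0, w1/w2 1640929421/2495493252 cwnd 65535
.....
get socket id 1247
send window 4096, w1/w2 305/9050 cwnd 65535
get socket id 1248
send window 8192, w1/w2 560/790 cwnd 65535
"""

HEADER = re.compile(r"get socket id (\d+)")
WINDOW = re.compile(r"send window (\d+), w1/w2 (\d+)/(\d+)")

def parse_capture(text):
    """Map socket id -> (send_window, w1, w2) from a saved CLI transcript."""
    sockets, current = {}, None
    for line in text.splitlines():
        if m := HEADER.search(line):
            current = int(m.group(1))       # start of a new socket's output
        elif (m := WINDOW.search(line)) and current is not None:
            sockets[current] = tuple(int(g) for g in m.groups())
    return sockets

def stuck_sockets(earlier, later):
    """Ids with send window 0 in both captures and unchanged w1/w2.

    Assumption: w1/w2 change when the peer sends a window update, so an
    identical zero-window state in both captures means none arrived.
    """
    before, after = parse_capture(earlier), parse_capture(later)
    return sorted(sid for sid, state in before.items()
                  if state[0] == 0 and after.get(sid) == state)

if __name__ == "__main__":
    print("stuck socket ids:", stuck_sockets(CAPTURE_T0, CAPTURE_T1))
```

A socket that shows a zero send window only in the first capture (1247 here) recovered on its own and is not flagged.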


