This seems to be affecting all OSX Macs on campus...

Strange issues with the proxy have developed since upgrading to 7.5 around Christmas. Its taken me awhile to quantify it.

Computers affected: All OSX Macs
Browser used: all browsers
Other conditions: Proxy only, if packet filter is added allowing everything for the mac, and proxy is removed, mac works fine

Initially it seemed like it was a problem with HTTPS - most of the time sites requiring authentication using https will not go anywhere after entering credentials. Yet sometimes it works. I've had two Macs side by side and one will go through and the other will not - both using the same browser.

Its not solely HTTPS however because the page 'https://gmail.google.com' loads but after entering credentials, it goes nowhere. Sometimes other sites are affected. One good example is by simply going to 'http://www.yahoo.com' nothing happens and a blank page finally appears. With all these occurences, nothing appears in the HTTP/S Content log on the astaro - in other words, the example of going to yahoo.com has no entry in the log for yahoo it only lists the last page visited before yahoo.com was browsed to in the browser. Again this doesn't happen all the time or on all Macs but occasionally. Issues with HTTPS occur much more frequently.

Sometimes yahoo.com or youtube.com will eventually come up but it will be text only with no formatting or images.

I have done packet traces by mirroring the private port of the astaro and capturing all traffic from the mac host. I have these logs available if anyone is interested. The only defining characteristic is line after line of:

10.2.1.198 (mac) >> 10.1.1.1 (astaro) HTTP [TCP Retransmission] Continuation or non-HTTP traffic

OR

10.2.1.198 >> 10.1.1.1 SSLV3 [TCP Retransmision] Application DATA

Windows computers work fine! And in the interest of full disclosure this is just happening on one of our subnets so I'm open to other things being the cause. But since I can trace the traffic flowing all the way up to the Astaro and windows computers are working fine, I'm not sure where to go with this.

I have HTTPS scanning disabled.

__________________
ASG v7.504 Software -- HP360G5, Quad Xeon E5410, 4GB RAM -- 500 User

Interesting! That one definitely sounds worth submitting on a ticket to Astaro Support.

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

we have been having the same exact problem for over a week. i have a ticket in to astaro but it has not been resolved yet.

yahoo and other sites seem to time out from Macs in a particular subnet, everything else works fine. very strange.

Is there anything unusual in the packet filter or intrusion prevention log?

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

just upgraded to 7.504 and this problem is not fixed. No -- there is absolutely nothing in the packet filter or IPS logs -- there is nothing in any log indicating any drop, block, rejection, or error. I have gone so far as to ssh into the firewall and grep the log files and not found anything with IPs that experience this behavior. This is very frustrating.

I have had to disable the content filter and anti-virus for all of our networks. I'm not happy.

I have a lot of clients using Web Security, and have not seen this issue. Every packet handled by the HTTP/S Proxy is tracked in the 'Content Filter (HTTP)' log. What did those show when the problem was ocuring?

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

nothing in the log. successful requests are logged properly. requests that time out do not appear in the log at all. disabling the content filter or adding the client(s) to the transparent mode bypass list immediately fixes the problem and all sites load properly.

Okay! Thanks to the astaro support personnel I believe we have tracked down and resolved this problem!! We have our ASG625 in transparent bridging mode. When the transparent web proxy is enabled the Astaro P2P classifier incorrectly flags it as the WINNY P2P protocol and drops a large percentage of the packets. After disabling detection of this protocol the content filter is working properly again!

edit: the reason i was unable to find anything in the log is because the astaro IP was being logged as violating the WINNY protocol in the IM/P2P log and not the clients.

Hi,
Do you know why it mostly affected Macs?

Barry

__________________
http://DealBert.net
Home & business end-user since v1.x

• ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
  
• ASL 7.5x, HP DL360G5, Xeon 5160, 3GB, RAID, gigE NICs, 50-IP Platinum License
  
• ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
  Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
  Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb

Nope, no idea. My guess would be some subtle difference in the tcp packet structure?

I hate to say it, but it's also possible that the mac users were more likely to report the issue. I can not think of any other reason why it was reported that way.