  1. #1
    Untangler
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    39

    Intermittent "ERR - CONNECTION RESET" on HTTPS webpages

    Hi, This problem has been solved, but I would like to understand why it may have occurred.

    We are a small school, and have been running UT for several years. It's a very simple topology, just 1 Windows 2008 domain controller, AD, Exchange, UT Build 14.1.2, 1 x external WAN interface and 1 x internal interface. Interfaces are 1gb, full-duplex, Addressed. There are no VLANs, extra subnets, no DMZs or the like. We run 4 UT racks.

    4 weeks ago our ISP advised of an upcoming extended 1 week planned outage, so I purchased a 4G router, connected to a spare NIC on the UT box and set up WAN FAILOVER in UT apps.

    All went very well during the outage. When the main interface went down, UT failed over to the 4G router and reverted to the original link when it came back up. Excellent!

    But problems started after the outage was finished. I turned off WAN FAILOVER and unplugged the backup NIC. UT Interface Screen correctly showed the 4G link as DISCONNECTED.

    Then about 10% of HTTPS web page hits failed with "ERR-CONNECTION RESET" in various browsers. It was always the same 10 - 15 users impacted. Different pages failed for different users, but always the same pages failed for each specific user. HTTP worked fine for all users, although a bit slow.

    I cleared all browser history / cookies / caches, flushed DNS cache, changed IP addresses, ran netsh Winsock resets on the PCs, all to no avail.

    As a last resort, I tried to DELETE the backup interface in UT NETWORK-INTERFACES, but UT did not allow me to DELETE it. Thus I DISABLED the 4G link in INTERFACES and all problems immediately went away.

    Can anyone shed any light on what may have happened here?

    Thanks Wayne R.
    Last edited by Pilotpak; 05-01-2019 at 09:28 PM.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400

    Before it gets forgotten, I hope you've got a window planned this summer to get rid of that 2k8 server, support dies in January!

    As for the HTTPS errors, honestly I'd blame the ISP. If the platform worked before, I'm not sure why you'd blame it now. The "new" in this reality are the changes made to the ISP-provided equipment that feeds your facility.

    You're going to have to use TCPDump (config -> networking -> troubleshooting) to try and figure out where those resets are coming from. Untangle support can help with that.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
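
The packet-capture step suggested in post #2, as an added example that is not part of the original thread: a small Python tally of HTTPS resets per LAN client and server from `tcpdump -nn` text output. The LAN range, the addresses and the sample capture lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One line of `tcpdump -nn` text output: src.port > dst.port: Flags [..]
LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]+)\]"
)

# Constructed sample capture (documentation address ranges, not real hosts).
SAMPLE = """\
09:15:01.100001 IP 192.0.2.21.50112 > 203.0.113.10.443: Flags [S], seq 1000, win 64240, length 0
09:15:01.140210 IP 203.0.113.10.443 > 192.0.2.21.50112: Flags [R.], seq 0, ack 1001, win 0, length 0
09:15:02.300500 IP 192.0.2.22.50340 > 203.0.113.10.443: Flags [S], seq 2000, win 64240, length 0
09:15:02.338811 IP 203.0.113.10.443 > 192.0.2.22.50340: Flags [S.], seq 9000, ack 2001, win 65535, length 0
09:15:05.000100 IP 192.0.2.21.50118 > 203.0.113.10.443: Flags [S], seq 1500, win 64240, length 0
09:15:05.041977 IP 203.0.113.10.443 > 192.0.2.21.50118: Flags [R.], seq 0, ack 1501, win 0, length 0
09:15:07.500000 IP 192.0.2.21.50120 > 198.51.100.7.443: Flags [S], seq 1700, win 64240, length 0
09:15:07.530000 IP 198.51.100.7.443 > 192.0.2.21.50120: Flags [S.], seq 7000, ack 1701, win 65535, length 0
09:15:09.000000 IP 192.0.2.35.50200 > 198.51.100.7.443: Flags [R], seq 3000, win 0, length 0
"""

def reset_summary(capture, lan="192.0.2.0/24", port=443):
    """Count HTTPS resets per (LAN client, server), split by who sent the RST."""
    net = ipaddress.ip_network(lan)  # assumed internal subnet
    counts = defaultdict(Counter)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or "R" not in m.group(5):
            continue  # not a TCP line, or no RST flag set
        src, sport, dst, dport, _ = m.groups()
        if ipaddress.ip_address(src) in net and int(dport) == port:
            counts[src][(dst, "sent by client side")] += 1
        elif ipaddress.ip_address(dst) in net and int(sport) == port:
            counts[dst][(src, "arrived from server side")] += 1
    return {client: dict(c) for client, c in counts.items()}

if __name__ == "__main__":
    for client, pairs in reset_summary(SAMPLE).items():
        for (server, direction), n in pairs.items():
            print(f"{client} <-> {server}: {n} RST {direction}")
```

Running the same tally on captures from the internal and the external interface narrows down the origin: a reset that reaches the client on the internal side with no matching packet on the external side was not sent by the remote server.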

  3. #3
    Untangler
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    39

    Thanks Rob. I had previously discounted the idea of the ISP being the cause since the same HTTPS sites worked fine on some PCs and not others. I'm pretty sure it's not ISP related because when I disabled the backup 4G interface in Untangle, everything works OK.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400

    I'm sorry, then what's the problem? I read your original post to say you had it disabled and were still having issues beyond that. Or are you wanting to use the 4g as a backup connection?

    If you are, I'd suggest configuring WAN Balancer to push 100% of the traffic to the main line, then the 4g will only engage when WAN Failover says the primary is offline. You will get SSL issues when the system is forcing traffic to a new WAN, but that should only be during the transition. If you want to go multiwan, I'd suggest double checking your WAN failover tests to determine "down" status. If those tests were poorly implemented, and the unit couldn't make up its mind which WAN to use... that would explain this behavior.

    Otherwise, just leave that interface disabled. That's "off", there is no way to delete an interface.

    On second read, I think you just wanted a possible explanation of the behavior? I think I've provided a possible one... take everything I've said here with a grain of salt; I've been up far too many hours and I can barely see at the moment.
    Last edited by sky-knight; 05-02-2019 at 01:38 AM.

  5. #5
    Untangler
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    39

    Thx Rob, Yes, everything is working fine now - we're now just using our primary wan. But when the dust settles, I would like to go multi-wan again, with 4G as the stand-by contingency. I'd like to understand what has happened here before I run 2 wans again.

    Foremost, my questions would be:
    1/ Why did the same https pages always fail whilst all others worked?
    2/ Why did the same workstations always fail?
    3/ Why were http pages not impacted?
    4/ Does this mean there is some sort of "routing" cache in Untangle that I need to clear when returning to the primary wan?
    5/ Was Untangle trying to send traffic down the "disconnected" 4G interface?
    6/ Why did the errors keep happening for 3 weeks after the planned ISP outage?

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400

    1.) and 2.) Untangle uses sticky sessions, and that's done by IP address. Otherwise you'd have all sorts of problems when a certain client had portions of its requests going out one WAN, while others went out the other. It doesn't end well. So a specific internal IP address was using a broken WAN link, and stuff didn't work. But switch either the target or source IP address in the session and POOF, different path, different result.

    3.) HTTP doesn't care who you are or where you're coming from, HTTPS does.

    4.) YES YES YES! And WAN Failover controls that process, it has tests you must tune to determine what "down" is. If they aren't tuned right and a WAN link isn't functioning properly, the clients stuck using it will have trouble.

    5.) I actually think Untangle couldn't make up its mind which WAN link to use, due to the intermittent nature of 4g, along with the ISP playing with your world over there. But, I'd need to do packet captures to prove that on sessions that were busted. I can't do that from here, but Untangle support can help you learn how to do this.

    6.) Because something's weird here... I'm not sure. I can't see your network, I can only guess based on the stuff you've posted here.

  7. #7
    Untangler
    Join Date
    Nov 2016
    Location
    Grafton, Australia
    Posts
    39

    Excellent, thx for this...it explains everything that we saw.

    Looking forward to the day when we have reliable comms available that doesn't need a 4g backup
