Automated Alert: ERROR condition detected - Available connections

  • Article ID: 120106
  • Updated: 03 Dec 2013
This article provides information concerning the "Automated Alert: ERROR condition detected - Available connections" Alert message and troubleshooting steps.

Applies to the following Sophos product(s) and version(s)


Sophos Web Appliance Virtual
Sophos Web Appliance

Limitation of connections for scanning web traffic

The Sophos Web Appliance has a limited number of processes available for filtering and scanning HTTP and HTTPS requests. Each process can handle one connection at a time, at a rate of several requests per second. However, once all processes are in use, new requests will not be handled until at least one process becomes available again. This will be experienced by your users as delays in web browsing.

Unless the HTTPS Scanning feature is enabled, HTTPS traffic does not use the processes available for filtering and scanning, and only a URL categorization filter is applied. When the HTTPS Scanning feature is enabled, however, each HTTPS connection is held by a scanning process for as long as the SSL connection is maintained. These connections can last several minutes, during which the held process is not available to handle other requests. This affects how much traffic the appliance is able to handle. Note that HTTPS scanning is required for such uses as SafeSearch, YouTube for Schools, Google Apps Control, Blog Control or Webmail Control.

There are two scenarios for getting this alert: traffic has increased to a point where there are not enough processes on the Web Appliance to handle the requests coming from your clients, or a certain type of request has used up most or all of your available connections.

Attached to each alert, you will find a summary of the connections your Web Appliance is making. This can be used to help you identify items that may improve the throughput of your appliance. This is an example of what you might see, including Subnet ranges with connection counts, the domain of the request, and the User Agent of the client making the request:

 184.150.182.0 - Total Connections in Subnet: 2 
=> 184.150.182.162 - Connections: 1
=> Domain: google.com
=> Domain: google-analytics.com
=> Domain: google.ca
=> Domain: youtube.com
=> Domain: ytimg.com
=> UA: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
=> UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
=> UA: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
=> UA: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
=> UA: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

=> 184.150.182.143 - Connections: 1
=> Domain: googlevideo.com
=> Domain: youtube.com
=> Domain: google.com
=> UA: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
=> UA: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.71 (KHTML, like Gecko) Version/6.1 Safari/537.71
=> UA: Mozilla/5.0 (X11; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0
=> UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
=> UA: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36


108.160.162.0 - Total Connections in Subnet: 6
=> 108.160.162.50 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.0.22 (Windows; 7; i32; en_US)

=> 108.160.162.102 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.4.6 (Linux; 2.6.32-5-686-bigmem; i32; en_US)

=> 108.160.162.103 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.0.22 (Macintosh; 10.7; ('i32',); en_US)
=> UA: DropboxDesktopClient/2.4.6 (Macintosh; 10.9; ('i32',); en_US)

=> 108.160.162.33 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.0.22 (Macintosh; 10.9; ('i32',); en_US)
=> UA: DropboxDesktopClient/2.0.26 (Windows; 7; i32; en_US)

=> 108.160.162.49 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.0.22 (Macintosh; 10.9; ('i32',); en_US)
=> UA: DropboxDesktopClient/2.0.26 (Windows; 7; i32; en_US)

=> 108.160.162.36 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.4.6 (Windows; 7; i32; en_US)

This allows you to see if there are requests to specific IPs and IP subnets that might be overwhelming your appliance. In the example above, you see two connections to 184.150.182.0/24, along with the connection details for each IP. The top 10 domains and user-agent strings are displayed for each IP. In this case, these requests are going to Google services. The user agent is also displayed, allowing you to identify the application which may be producing large numbers of requests. In the second subnet shown above, you can see that the Dropbox Client is making these requests.
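As an added example (not Sophos code), the following Node.js script parses a summary in the format shown above and ranks subnets by reported connection count, flagging subnets where a single non-browser client talks to a single domain. The function names and the `singleApp` flag are assumptions made for this illustration.

```javascript
// Shortened excerpt of the sample summary shown above.
const SAMPLE = `
 184.150.182.0 - Total Connections in Subnet: 2
=> 184.150.182.162 - Connections: 1
=> Domain: google.com
=> Domain: youtube.com
=> UA: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0

108.160.162.0 - Total Connections in Subnet: 6
=> 108.160.162.50 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.0.22 (Windows; 7; i32; en_US)

=> 108.160.162.102 - Connections: 1
=> Domain: dropbox.com
=> UA: DropboxDesktopClient/2.4.6 (Linux; 2.6.32-5-686-bigmem; i32; en_US)
`;

// Collect, per subnet, the reported total plus the distinct domains and UA product names.
function parseSummary(text) {
  const subnets = [];
  let cur = null, m;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if ((m = /^(\d+(?:\.\d+){3}) - Total Connections in Subnet: (\d+)$/.exec(line))) {
      cur = { subnet: m[1], total: Number(m[2]), domains: new Set(), agents: new Set() };
      subnets.push(cur);
    } else if (cur && (m = /^=> Domain: (\S+)$/.exec(line))) {
      cur.domains.add(m[1]);
    } else if (cur && (m = /^=> UA: ([^\/\s]+)/.exec(line))) {
      cur.agents.add(m[1]); // product token, e.g. "Mozilla" or "DropboxDesktopClient"
    }
  }
  return subnets;
}

// Busiest subnets first; singleApp marks one non-browser client talking to one domain.
function rankSubnets(subnets) {
  return subnets
    .map((s) => ({
      subnet: s.subnet, total: s.total,
      domains: [...s.domains].sort(), agents: [...s.agents].sort(),
      singleApp: s.domains.size === 1 && s.agents.size === 1 && !s.agents.has("Mozilla"),
    }))
    .sort((a, b) => b.total - a.total);
}

console.log(rankSubnets(parseSummary(SAMPLE)));
```

Subnets flagged `singleApp` are the ones to review first against the optimization options listed below.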

There are several things that can be done to optimize your appliance capacity:

  1. Exclude routing internal HTTP/HTTPS requests from going through the appliance. Internal traffic is generally considered safe and doesn't need to be filtered or scanned. Excluding private IP ranges like 10.0.0.0/8, 192.168.0.0/16 and 172.0.0.0/8 is recommended.

  2. If using HTTPS scanning, add domains that you consider safe to the HTTPS Scanning Exemptions list.

  3. Exclude routing connections to the appliance for services such as Office365 or hosted MS Exchange Servers.

To exclude traffic from being routed through the appliance, you can do the following for each deployment mode:

Explicit Mode: If the proxy settings on Windows clients are published using GPO, an admin can add an exception such as "199.83.168.*" (without the quotes) to the Exemptions section. This is located under "Advanced" in the Proxy Settings in GPO. If using a proxy.pac/wpad.dat file, an admin can create an exception in this file for this traffic to go "direct" out instead of being routed to the web appliance.
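A proxy.pac exception of the kind described above could look like the following. This is an added example, not a Sophos-supplied file: the proxy address `swa.example.internal:8080` and the helper names are hypothetical, and the direct list uses the RFC 1918 private blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) plus the TangoME range from the Known issues section.

```javascript
// Hypothetical proxy address: replace with your appliance's host and port.
var PROXY = "PROXY swa.example.internal:8080";

// Destinations sent direct: RFC 1918 private blocks plus the TangoME range
// listed under Known issues.
var DIRECT_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "199.83.168.0/24"];

// Dotted quad -> unsigned integer, or null if the string is not an IPv4 literal.
function toInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return null;
    n = n * 256 + Number(m[i]);
  }
  return n;
}

// True when ip falls inside cidr. Plain arithmetic avoids 32-bit sign issues.
function inCidr(ip, cidr) {
  var parts = cidr.split("/");
  var size = Math.pow(2, 32 - Number(parts[1]));
  var addr = toInt(ip), base = toInt(parts[0]);
  return addr !== null && Math.floor(addr / size) === Math.floor(base / size);
}

// Entry point called by the browser for every request. Written in ES5 syntax
// so that older PAC engines can evaluate it.
function FindProxyForURL(url, host) {
  var ip = host;
  // Browsers supply dnsResolve() to PAC scripts; use it for hostnames when present.
  if (toInt(host) === null) {
    ip = typeof dnsResolve === "function" ? dnsResolve(host) : null;
  }
  for (var i = 0; i < DIRECT_CIDRS.length; i++) {
    if (ip && inCidr(ip, DIRECT_CIDRS[i])) return "DIRECT";
  }
  return PROXY;
}
```

Anything returned as `DIRECT` is not filtered or scanned by the appliance, so keep the list limited to ranges you have decided to exempt.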

Transparent Mode (Including WCCP): An ACL can be created on the router for the destination IP/IP Range to be routed out directly.

Bridged Inline Mode: On the web appliance, the destination IP/IP Range can be added to the exemption list under Configuration > Network > Network Interface > Configure.

If there are no specific optimizations that can be made, then additional appliances will be required to handle the load of your HTTP/HTTPS requests.

Known issues:

TangoME VOIP software: Attempts to use VOIP protocol on port 443 instead of the VOIP standard. This locks up the processes on the appliance as it's not HTTP traffic. You will see connections to the IP range of 199.83.168.0/24. Please exclude this traffic from being redirected to the appliance.

 
If you need more information or guidance, then please contact technical support.
