After posting yesterday, I have received several replies and have done
some more investigation.

Several people have suggested that this could be caused by
cookies... Based on my understanding of client and server side cookies
I disagree. Cookies are just special data or additional URL info
passed in a normal HTTP request/response. The problem I see seems to
be initiated after the firewall has destroyed the user's
connection... Like the server is trying to re-establish the old
connection. I know of lots of sites with cookies that have never
given me this problem.

Here's what I am beginning to think the problem actually is.

This problem is sometimes difficult to reproduce at will, but I think
it is caused by the proxy session timeouts. Proxies have session
establish timeouts [Sidewinder defaults to 30sec, unsure of others]
that destroy a connection attempt after a certain period. What I
think is happening is that sometimes a site is _very_ slow to respond
to a request [more than 30sec in my case], and the firewall destroys
the connection pathway after the proxy times out. When the server is
finally able to send the reply, the firewall logs it as a failed
attempt on an unauthorized dest port [your original source port from
the F/W] with an HTTP source port from the server [your original dest

Here's one way to test this [your mileage may vary, and your test
candidate may suffer for a bit]:

- With Netscape [others would prob. work well also] pick a site outside
your proxy that already seems somewhat slow/busy [www.aol.com comes to
- After loading the URL, hold down on <CTRL> <R> (reload) for about 30
seconds. This will make gobs of requests and should make the server
- Netscape should show the message "connect: server xx.xx.com
contacted, waiting for reply" for at least 45secs... wait a few
minutes [depends on the server] and take a look at your logs. If you
didn't crash the server with this load, then you should see an entry
in your logs for a failed connection from your test host.

I guess this problem could be reduced by increasing the proxy timeouts
to several minutes... but what sort of risk does this pose?
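
One way to check the timeout hypothesis against firewall logs, as an added example that is not part of the original message: it labels a denied packet as a late reply when it is the mirror image of a proxy session that timed out shortly before. The record layout, event names and addresses are constructed for illustration and are not a real Sidewinder log format.

```python
from datetime import datetime, timedelta

# Constructed records, not a real firewall log format:
# (time, event, src_ip, src_port, dst_ip, dst_port)
SAMPLE_LOG = [
    ("10:00:00", "proxy_connect", "192.0.2.1", 34567, "198.51.100.7", 80),
    ("10:00:30", "proxy_timeout", "192.0.2.1", 34567, "198.51.100.7", 80),
    # Server finally answers: source port 80, destination is the old
    # ephemeral port the firewall used for the outbound request.
    ("10:00:52", "deny", "198.51.100.7", 80, "192.0.2.1", 34567),
    # Inbound packet with no matching expired session.
    ("10:05:00", "deny", "203.0.113.9", 80, "192.0.2.1", 40000),
]


def parse_time(ts):
    return datetime.strptime(ts, "%H:%M:%S")


def classify_denies(records, window=timedelta(minutes=5)):
    """Label each deny 'late_reply' if it mirrors a proxy session that
    timed out at most `window` earlier, otherwise 'unexplained'."""
    timed_out = {}  # reversed 4-tuple of the outbound session -> timeout time
    results = []
    for ts, event, sip, sport, dip, dport in records:
        when = parse_time(ts)
        if event == "proxy_timeout":
            # Store the tuple as the server's reply would carry it.
            timed_out[(dip, dport, sip, sport)] = when
        elif event == "deny":
            expired = timed_out.get((sip, sport, dip, dport))
            late = (expired is not None
                    and timedelta(0) <= when - expired <= window)
            results.append((ts, sip, "late_reply" if late else "unexplained"))
    return results


if __name__ == "__main__":
    for row in classify_denies(SAMPLE_LOG):
        print(row)
```

Denies that stay "unexplained" after this pass are the ones that still need a separate look.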