topic Smells like an MTU issues to in Network Security

ASA Slowing down a single web page load

abdou.bekk1 — Tue, 12 Mar 2019 07:54:46 GMT

Hi guys,

I am experiencing a unique problem. Before explanations, I'll post this schema below so that you can have an idea about the issue.

We have external clients that try to access a web page which is on our internal WebServer illustrated before on port 444 which forwards to the 443 (the real port). While doing my tests with the ASA as a firewall instead of the old iptables firewall, I can get to the page hosted on our server from an external network (my 4G for example or any other network) using a navigator and can authenticate my self, so the NAT here is really forwarding the mapped port to reach the real port.

My problem is that after the authentication process the web page don't load or load very very slowly and sometimes some parts of the page don't load at all (It's very "random" without touching to the settings)

Do you have any idea from where the problem might be coming ?

If it can help, i can post my NAT configuration :

nat (outside,inside) source static any any destination static interface VESR003 service 444 444- unidirectional

444 : is a service that have as a source port (1-65535) and destination port 444

444- : is a service that forward (source port 444) to (destination port 443) after translation

I don't know if I am doing the port forwarding properly but it seems that this is working as soon as I can reach the authentication page and authenticate on the htaccess box.

For your information : i'm using ASA version 9.2.4 and ASDM 7.2

Thank you very much.

Smells like an MTU issues to

Philip D'Ath — Sun, 19 Jun 2016 20:10:21 GMT

Smells like an MTU issues to me.

Try an extreme value like the below is see if it resolves it, and then remove the command:

sysopt connection tcpmss 1000

Hi Philip,

abdou.bekk1 — Mon, 20 Jun 2016 06:49:54 GMT

Hi Philip,

I just did try the command but it didn't resolve the issue. This is the only site which blocks on loading.

Also, I noticed that when I

abdou.bekk1 — Mon, 20 Jun 2016 08:19:52 GMT

Also, I noticed that when I launch a "netstat -ano" on Windows to check ports and active connections, I can see that when it comes to the public IP of the website (outside ASA interface IP) it stucks on "SYN_SENT".

Output on Windows :

TCP 192.168.199.41:2734 212.xxx.xxx.xxx:444 SYN_SENT 4756

TCP 192.168.199.41:2735 212.xxx.xxx.xxx:444 SYN_SENT 4756

TCP 192.168.199.41:2736 212.xxx.xxx.xxx:444 SYN_SENT 4756

TCP 192.168.199.41:2737 212.xxx.xxx.xxx:444 SYN_SENT 4756