09-20-2010 08:59 PM - edited 03-11-2019 11:42 AM
Hello,
I am facing a problem in my Singapore office network that a single website is taking 2-3 minute to load the page however other sites are opening very quickly. Proxy server is there in between and users accesing site through proxy. I tried accessing site via DMZ out bypassing firewall and proxy page is opening quickly. Also if I use our US proxy result is good,problem is only with singapore proxy and only for a single website i.e http://202.96.221.2 . Even proxy authentication prompt is taking time to pop up on screen for this particular website. Connectivity is like ....
Internet route------->Firewall------> Proxy------>User in LAN
Can somebody please suggest on this.
09-20-2010 10:07 PM
You mentioned that the problem is not necessarily the ASA because even bypassing the ASA, the proxy response is slow correct?
Might be a problem with the proxy server.
Things to look in the ASA could be if you're doing HTTP inspection or if there's any rule defined for this particular site.
I had a similar problem before and it turns out it was a Traffic Shaper device facing the Internet... (no other device in the path that could be causing the slowliness)?
Federico.
09-20-2010 10:19 PM
Hi Federico,
I bypassed ASA and proxy both. I jus connected a host directly after the firewall with DMZ out switch and the result is perfect. There is no policy or rule in firewall for this particular website, policies are same for all. There is no traffic shaper or any WAN accelerator placed with firewall. Proxy authentication prompt takes time to come up on screen just for this particular website and works normally for all other sites. And when we use US proxy it works fast
for this site however traffic is crossing through same firewall.
09-20-2010 10:29 PM
Is there any chance that you can try bypassing the proxy and just sending the traffic to this website through the ASA?
In other words, do the same test but not using the proxy on the local machine (just sending the traffic through the ASA as it will normally will).
The ASA should not be slowing this particular traffic if there's not any weird configuration on it.
Federico.
09-20-2010 10:41 PM
Yes, some rules need to be added on ASA. I will do this testing and will check the same as you said. One more thing I found that if we nslookup the ip
202.96.221.2 its not getting resolved, so is it possible it could take time from DNS server side to resolve this website?
09-21-2010 07:22 AM
Rishant,
Your DNS server should not be trying to do a reverse lookup on the IP address, the server should only turn hostname into IP. WHat is the URL you are trying to browse to? If you setup some captures on the ASA, what do you see:
cap in interface inside match ip any host 202.96.221.2
cap out interface outside match ip any host 202.96.221.2
show cap out
show cap in
09-21-2010 08:44 PM
There is no URL for this ip, user is only accesing the site with ip only. Thats what i am trying to find out whether there is any delay or something which DNS is causing and trying resolving the IP. Is it possible that DNS could cause this issue as site is accessing through ip only and there is no entry
for this ip in DNS?
09-22-2010 10:55 AM
Hi Rishant,
DNS doesn't come into play at all if the users are accessing the host directly by IP address.
Were you able to perform the test that Federico suggested, where the traffic passes through the ASA but not the proxy? This will help you to focus on either the ASA or the proxy as the cause of the slowness.
-Mike
09-22-2010 12:28 PM
Pls. run thorugh this link: https://supportforums.cisco.com/docs/DOC-8982
-KS
09-23-2010 06:45 AM
Mike/Kusankar
I am in planning to do these testings. This document is really good I will start step by step to get the root cause of this. Will update once done with testing.
Thanks
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide