
IOS Firewall causes slow performance for specific web site

eggy
Level 1

Please help me figure out why my IOS config would cause poor performance (slow loading) for access, via web browser, to a particular web site. (Actually, it affects only a specific page on the site.) Performance is fine when accessed from other locations OR when I disable 'ip inspect... ...tcp'. The page is not complex - just output of search results.

If you have ideas of what might cause this problem please write. Otherwise, maybe you can suggest some things to check, or methods to diagnose the problem.

Thanks in advance for your time in helping me out.

Pete Eggenberger

2 Replies

mmcclure
Level 1

Pete:

I just ran into the same issue with outbound e-mail. When we disabled the firewall, the mail going out seemed to work just fine. When it was enabled, the mail going to certain sites would sit there for anywhere from 5 - 20 minutes. With some help from the nice folks at TAC, we determined that these sites were doing an IDENT request which wasn't being answered, which slowed down or stopped the mail delivery entirely. Once we allowed IDENT, it worked just fine.

Add a line to your access list which reads:

access-list 101 deny ip any any log

and keep an eye on the console of the router. It should log any denied packets coming through and help you identify what the issue with those particular sites is.

I was under the impression that IDENT wasn't really used any more, but it seems there are certain strongholds in the world that still use it for mail (like Cisco!). We'll need to fix our registration with the ISP so we can turn off IDENT later, but for now the mail is going through.

- Mark
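As an added example (not part of either poster's message), the script below summarises the console messages that the `log` keyword on access list 101 produces and picks out denied IDENT lookups (TCP port 113). It assumes the standard `%SEC-6-IPACCESSLOGP` message layout; the sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of IOS console output produced by an ACL entry with "log".
# Addresses are documentation ranges (RFC 5737), not values from the thread.
SAMPLE_LOG = """\
*Mar  1 00:10:01: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.25(41022) -> 192.0.2.10(113), 1 packet
*Mar  1 00:10:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.25(41022) -> 192.0.2.10(113), 3 packets
*Mar  1 00:11:30: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.7(53211) -> 192.0.2.10(137), 1 packet
*Mar  1 00:12:02: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.9 -> 192.0.2.10 (8/0), 2 packets
*Mar  1 00:12:40: %LINK-3-UPDOWN: Interface Serial0, changed state to up
"""

# Matches only the TCP/UDP form of the ACL log message (the one carrying ports).
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

IDENT_PORT = 113  # TCP port of the IDENT service (RFC 1413)

def summarize_denies(log_text, acl="101"):
    """Return Counter {(proto, src, dst, dport): packets} for TCP/UDP denies on acl."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["acl"] == acl:
            key = (m["proto"], m["src"], m["dst"], int(m["dport"]))
            hits[key] += int(m["count"])
    return hits

def ident_sources(hits):
    """Remote hosts whose denied packets were IDENT lookups (tcp/113)."""
    return sorted({src for (proto, src, _dst, dport) in hits
                   if proto == "tcp" and dport == IDENT_PORT})

if __name__ == "__main__":
    hits = summarize_denies(SAMPLE_LOG)
    for (proto, src, dst, dport), n in hits.most_common():
        note = "  <- IDENT lookup" if (proto, dport) == ("tcp", IDENT_PORT) else ""
        print(f"{n:4d}  {proto} {src} -> {dst}:{dport}{note}")
    print("Hosts sending IDENT queries:", ident_sources(hits))
```

Grouping by destination port makes a repeated, unanswered service probe such as IDENT stand out from unrelated background denies.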

Mark,

Thanks for the tips. The 'log' function should be helpful.

Pete