Having trouble with ACL on a VLAN

hankjoejr
Level 1

Hello all. I am new to this company and I inherited a few issues. One that I am trying to overcome is this. Our network has multiple VLANs, one being VLAN 8. This VLAN (172.17.8.x) is for our computers in the manufacturing area that are not allowed internet access. That is working fine. However, we have rolled out a new application that is located on our network (MPLS/Metro) in the cloud on a terminal server farm at 172.17.146.x. The application is a shortcut on the desktops that points to that network. It works, however it is painfully slow to connect. When I lift the ACL it works fine, of course. I need to figure out a way for these systems to connect fast, yet still have no access to the internet. Here is the current ACL:

Extended ACL restricted_ext_access IN
5 permit ip any 198.168.0.0 0.0.255.255 (connects them to mail. works fine)
10 permit ip 172.17.8.0 0.0.0.255 172.16.0.0 0.0.255.255 (connection to old system before update. still needed and works)
20 permit ip 172.17.8.0 0.0.0.255 172.17.0.0 0.0.255.255
30 permit udp any any eq bootps
40 permit udp any any eq bootpc
50 permit udp any eq domain any
60 permit tcp any any eq 5721 (this is for our Kaseya to work and it does)

Like I said, with the ACL in place it works, but it takes a minute and a half or so to connect. When the ACL is not there it is fast. Attached are the ACL and the sh run for that VLAN interface. The corporate VLANs 5 and 6 work fine, but there is no ACL on them. I need to keep VLAN 8 from being able to surf the web, etc. Thanks!
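To see which entry of the ACL quoted above a given flow from a VLAN 8 host would hit, and which flows fall through to the implicit deny at the end, here is a small ACE evaluator. It is an example added to this thread, not code from the original posts or from Cisco; the VLAN 8 host address, the ephemeral ports and the outside addresses in the sample flows are constructed, the RDWeb gateway 172.17.146.50 and the LLMNR multicast address come from the thread, and the wildcard parser assumes contiguous wildcard masks.

```python
import ipaddress
# The restricted_ext_access entries quoted in the post above, in Cisco ACE syntax.
ACL_TEXT = """
5 permit ip any 198.168.0.0 0.0.255.255
10 permit ip 172.17.8.0 0.0.0.255 172.16.0.0 0.0.255.255
20 permit ip 172.17.8.0 0.0.0.255 172.17.0.0 0.0.255.255
30 permit udp any any eq bootps
40 permit udp any any eq bootpc
50 permit udp any eq domain any
60 permit tcp any any eq 5721
"""
NAMED_PORTS = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}

def wildcard_net(addr, wildcard):
    """Cisco address + wildcard mask -> network (assumes a contiguous wildcard)."""
    host_bits = int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network((addr, 32 - host_bits), strict=False)

def parse_ace(line):
    """Parse 'seq action proto src [eq p] dst [eq p]' into match fields."""
    t = line.split()
    fields, i = [int(t[0]), t[1], t[2]], 3
    for _ in range(2):  # source block, then destination block
        if t[i] == "any":
            net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
        elif t[i] == "host":
            net, i = ipaddress.ip_network(t[i + 1]), i + 2
        else:
            net, i = wildcard_net(t[i], t[i + 1]), i + 2
        port = None
        if i < len(t) and t[i] == "eq":
            port, i = NAMED_PORTS.get(t[i + 1]) or int(t[i + 1]), i + 2
        fields += [net, port]
    return tuple(fields)

ACL = [parse_ace(l) for l in ACL_TEXT.strip().splitlines()]
def evaluate(proto, src, sport, dst, dport):
    """First ACE matching the flow as (action, seq); ('deny', None) is the implicit deny."""
    for seq, action, eproto, snet, sp, dnet, dp in ACL:
        if (eproto in ("ip", proto) and sp in (None, sport) and dp in (None, dport)
                and ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet):
            return action, seq
    return "deny", None
# Constructed sample flows from a VLAN 8 host (host address and ports are made up).
SAMPLE_FLOWS = {
    "RDWeb gateway 172.17.146.50:443": ("tcp", "172.17.8.25", 51000, "172.17.146.50", 443),
    "external DNS 203.0.113.53:53": ("udp", "172.17.8.25", 51001, "203.0.113.53", 53),
    "LLMNR multicast 224.0.0.252:5355": ("udp", "172.17.8.25", 5355, "224.0.0.252", 5355),
    "internet HTTPS 203.0.113.10:443": ("tcp", "172.17.8.25", 51002, "203.0.113.10", 443),
}
for name, flow in SAMPLE_FLOWS.items():
    print(f"{name:34} -> {evaluate(*flow)}")
```

Note that entry 50 matches only UDP with source port 53, so a client query to an outside resolver (ephemeral source port, destination 53) is not permitted by it; with the deny ip any any log entry Francesco suggests below, such fall-through flows are what would show up in the log.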

13 Replies

Francesco Molino
VIP Alumni

Hi

What kind of application are you trying to reach?

Maybe there are some specific ports or access you need while connecting to this app?

Could you add a deny any any statement with the log option, just for a specific period, in order to check if you are missing some open ports?

Thanks so much


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the quick reply. The application is called IQMS. All systems connect to it like this:

https://gateway.domainname.com/rdweb

Gateway.domainname.com is the internal ip of 172.17.146.50.

I could try to add the deny any any, but my issue is that the company runs 24x7; I may be able to try it real fast, though. If I were to do that, where/how do I find the logs? Thanks again.

If you do deny ip any any log you will find the logs by issuing show log on the switch / router. Be careful to add it at the end. For that:

ip access-list extended restricted_ext_access
100 deny ip any any log

Or you can remove the ACL from the interface, create a test ACL matching traffic from your LAN to your server and do a debug ip packet 100 (100 will correspond to the ACL number you've created).

Or monitor traffic by using Wireshark.


Thanks
Francesco

So adding the 100 deny ip any any log is in theory the same as the explicit deny already in place, correct? By manually adding it, it will log what is failing so I can check. What bothers me is that it works, so nothing is getting blocked, it is just slow. I will do this tomorrow if that deny is the same as the explicit one already in place. Thanks again!

Yes, this is the same as the implicit deny. The thing is that without the ACL it works perfectly.

I don't see why it is slower with the ACL, except that something going to your application is blocked and may trigger a resend of transactions.

The slow forwarding could also come from high CPU or TCAM memory...

Did you check the CPU process? Just in case, I'd like to be sure that this part is correct.

Could you also issue the command:

show platform health


Thanks
Francesco

This is what I got from the log in the attachment. Hope this helps get this resolved. Thanks.

I created a rule for this and it gets permitted; however, the issue still remains.

That multicast address is used for LLMNR. This protocol is native on Windows machines to perform name resolution without requiring any DNS server.

A very basic question: is your DNS working correctly for that specific application from your host when the ACL is configured?

Could you do an nslookup from your machine pointing to your application hostname?


Thanks
Francesco

Yes, I can successfully connect, and I have attached a screenshot from a system on VLAN 8; it is identical to the VLAN that can connect without issue. Can I go ahead and remove the line for LLMNR?

Yes, you can remove the line for LLMNR. Did you check the TCAM and CPU?

Is it possible to do some debugging on your switch?

The goal would be to create an ACL matching traffic from a specific host not on VLAN 8 and run debug ip packet on this ACL. This is to have a view of what traffic should be allowed while a user is accessing this website.

The configuration looks like:

access-list 100 permit ip host 172.17.x.x any
access-list 100 permit ip any host 172.17.x.x
debug ip packet 100


Thanks
Francesco

Thanks for the information. I will try this today and get back with you.

I haven't been able to do this yet. I did create a new ACL, just about as simple as it can be...

VLAN8_INBOUND in (not sure if I actually need this)
10 permit ip any any

VLAN_OUTBOUND out
10 deny tcp any eq www any
20 permit ip any any

Some systems work faster than others. I am not sure if it can get any simpler than that. Still, when the ACL is gone, all systems are fast.

For the debug, if you create an open ACL like you said, it will be easier to view which traffic needs to be allowed and which could be denied when analyzing the traces.


Thanks
Francesco