
Slow Browsing after enabling security features

Hi!

We are testing a Sophos XG 230 Firewall. Internet access works, but when we enable something like HTTPS Scan or Web policy or prevention, internet speed slows down extremely. Especially HTTPS websites take 20-30 sec. to load.

I already checked various posts on that topic - they all point to DNS errors, so I checked DNS:

  • Static DNS is configured with 2 IPv4-DNS servers from our ISP.
  • Testing DNS name resolution is not working!

Could it be that something is wrong with our DNS configuration? How can we use all the security features without loss of performance?

  • You should quickly check awarrenhttp_access.log on the CLI. There you can see exactly what is consuming time for your web requests.

  • Hi Huber. Could you please conduct the following test and check in the Advanced Shell?

    1. Enter nslookup sophos.com
    2. Check the response time made for that query
    3. You may conduct the same test on the client machine.
    4. Take a tcpdump and monitor the flags, i.e. tcpdump 'host Sophos.com ; you may use Option 4 Console for this command.

    You should see the incoming packets from the LAN interface and the output interface, i.e. WAN.

  • Hello Aditya,

    thanks for your reply!

    I activated HTTP Scan on my LAN-to-WAN rule. Browsing is slow again...

    Here are my results:

    1) nslookup didn't work so I used dnslookup on the appliance. I also checked various other sites.

    console> dnslookup host cnn.com
    Domain Name Server# 127.0.0.1
    Domain Name # cnn.com
    Resolved Address 1# 151.101.1.67
    Resolved Address 2# 151.101.65.67
    Resolved Address 3# 151.101.193.67
    Resolved Address 4# 151.101.129.67
    Total query time # 1515.74 msec

    console> dnslookup host msnbc.com
    Domain Name Server# 127.0.0.1
    Domain Name # msnbc.com
    Resolved Address 1# 23.58.218.132
    Total query time # 563.39 msec

    If I check one site twice, the second check takes 0.08 msec - I assume that's because it's being cached.

    2) nslookup on my Windows-client:

    C:\Users\user>nslookup sophos.com
    Server: dc2.local.domain
    Address: 192.168.31.10
    Nicht autorisierende Antwort:
    Name: sophos.com
    Address: 31.222.175.174

    The server dc2.local.domain is the anonymized fqdn of our second domain controller.

    3) tcpdump of dnslookup didn't capture any packets so I made one of yahoo.de and browsed the site on my Windows-client (IP 192.168.30.138):

    console> tcpdump 'host yahoo.de
    tcpdump: Starting Packet Dump
    11:06:14.566445 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 138c 4000 8006 a563 ....E..4..@....c
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 26be ....j....).PIs&.
    0x0020: 0000 0000 8002 faf0 cc9f 0000 0204 05b4 ................
    0x0030: 0103 0308 0101 0402 ........
    11:06:14.566447 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [S], seq 1232283326, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:06:14.566524 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [S.], seq 2797326038, ack 1232283327, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:06:14.566524 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced6 j........P.)....
    0x0020: 4973 26bf 8012 7210 41fb 0000 0204 05b4 Is&...r.A.......
    0x0030: 0101 0402 0103 0307 ........
    11:06:14.566525 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced6 j........P.)....
    0x0020: 4973 26bf 8012 7210 dfdd 0000 0204 05b4 Is&...r.........
    0x0030: 0101 0402 0103 0307 ........
    11:06:14.566743 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 138d 4000 8006 a56e ....E..(..@....n
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 26bf ....j....).PIs&.
    0x0020: a6bb ced7 5010 0805 8abb 0000 0000 0000 ....P...........
    0x0030: 0000 ..
    11:06:14.566743 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 138d 4000 8006 a56e ....E..(..@....n
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 26bf ....j....).PIs&.
    0x0020: a6bb ced7 5010 0805 8abb 0000 0000 0000 ....P...........
    0x0030: 0000 ..
    11:06:14.566744 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [.], ack 1, win 2053, length 0
    11:06:14.566987 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 138e 4000 8006 a561 ....E..4..@....a
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93c ....j....+.P...<
    0x0020: 0000 0000 8002 faf0 92c6 0000 0204 05b4 ................
    0x0030: 0103 0308 0101 0402 ........
    11:06:14.566988 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 138e 4000 8006 a561 ....E..4..@....a
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93c ....j....+.P...<
    0x0020: 0000 0000 8002 faf0 92c6 0000 0204 05b4 ................
    0x0030: 0103 0308 0101 0402 ........
    11:06:14.566988 CLIENTS.3020, IN: IP 192.168.30.138.62763 > 106.10.248.151.80: Flags [S], seq 3234588988, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    11:06:14.567004 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62763: Flags [S.], seq 241793917, ack 3234588989, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:06:14.567005 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7d j........P.+.i{}
    0x0020: c0cb e93d 8012 7210 41fb 0000 0204 05b4 ...=..r.A.......
    0x0030: 0101 0402 0103 0307 ........
    11:06:14.567005 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7d j........P.+.i{}
    0x0020: c0cb e93d 8012 7210 91b0 0000 0204 05b4 ...=..r.........
    0x0030: 0101 0402 0103 0307 ........
    11:06:14.567232 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 138f 4000 8006 a56c ....E..(..@....l
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 5010 0805 3c8e 0000 0000 0000 .i{~P...<.......
    0x0030: 0000 ..
    11:06:14.567233 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 138f 4000 8006 a56c ....E..(..@....l
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 5010 0805 3c8e 0000 0000 0000 .i{~P...<.......
    0x0030: 0000 ..
    11:06:14.567233 CLIENTS.3020, IN: IP 192.168.30.138.62763 > 106.10.248.151.80: Flags [.], ack 1, win 2053, length 0
    11:06:14.647888 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 458:
    0x0000: 0000 0800 4500 01b6 1390 4000 8006 a3dd ....E.....@.....
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 26bf ....j....).PIs&.
    0x0020: a6bb ced7 5018 0805 104f 0000 4745 5420 ....P....O..GET.
    0x0030: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 /.HTTP/1.1..Host
    0x0040: 3a20 7961 686f 6f2e 6465 0d0a 436f 6e6e :.yahoo.de..Conn
    11:06:14.647892 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 458:
    0x0000: 0000 0800 4500 01b6 1390 4000 8006 a3dd ....E.....@.....
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 26bf ....j....).PIs&.
    0x0020: a6bb ced7 5018 0805 104f 0000 4745 5420 ....P....O..GET.
    0x0030: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 /.HTTP/1.1..Host
    0x0040: 3a20 7961 686f 6f2e 6465 0d0a 436f 6e6e :.yahoo.de..Conn
    11:06:14.647893 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [P.], ack 1, win 2053, length 398
    11:06:14.647925 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [.], ack 399, win 237, length 0
    11:06:14.647927 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 60:
    0x0000: 0000 0800 4500 0028 d9eb 4000 4006 1f10 ....E..(..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced7 j........P.)....
    0x0020: 4973 284d 5010 00ed 41ef 0000 Is(MP...A...
    11:06:14.647929 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 60:
    0x0000: 0000 0800 4500 0028 d9eb 4000 4006 1f10 ....E..(..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced7 j........P.)....
    0x0020: 4973 284d 5010 00ed 9045 0000 Is(MP....E..
    11:06:15.563275 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62763: Flags [S.], seq 241793917, ack 3234588989, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:06:15.563281 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7d j........P.+.i{}
    0x0020: c0cb e93d 8012 7210 41fb 0000 0204 05b4 ...=..r.A.......
    0x0030: 0101 0402 0103 0307 ........
    11:06:15.563284 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 4006 f8ef ....E..4..@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7d j........P.+.i{}
    0x0020: c0cb e93d 8012 7210 91b0 0000 0204 05b4 ...=..r.........
    0x0030: 0101 0402 0103 0307 ........
    11:06:15.563700 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 1391 4000 8006 a55e ....E..4..@....^
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 8010 0805 f2a8 0000 0101 050a .i{~............
    0x0030: 0e69 7b7d 0e69 7b7e .i{}.i{~
    11:06:15.563700 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 72:
    0x0000: 0000 0800 4500 0034 1391 4000 8006 a55e ....E..4..@....^
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 8010 0805 f2a8 0000 0101 050a .i{~............
    0x0030: 0e69 7b7d 0e69 7b7e .i{}.i{~
    11:06:15.563701 CLIENTS.3020, IN: IP 192.168.30.138.62763 > 106.10.248.151.80: Flags [.], ack 1, win 2053, options [nop,nop,sack 1 {0:1}], length 0
    11:06:20.763540 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [S], seq 2202416361, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    11:06:20.763541 Port2, OUT: Out 7c:5a:1c:4c:a7:c9 ethertype Unknown (0x025d), length 72:
    0x0000: 0000 0800 4500 0034 29dc 4000 4006 5ea5 ....E..4).@.@.^.
    0x0010: c227 b731 d452 6497 8b29 0050 8346 34e9 .'.1.Rd..).P.F4.
    0x0020: 0000 0000 8002 7210 0715 0000 0204 05b4 ......r.........
    0x0030: 0101 0402 0103 0307 ........
    11:06:20.796694 Port2, IN: In b8:af:67:ea:7b:00 ethertype Unknown (0x025d), length 72:
    0x0000: 0000 0800 4500 0034 0000 4000 3906 8f81 ....E..4..@.9...
    0x0010: d452 6497 c227 b731 0050 8b29 8ae3 1555 .Rd..'.1.P.)...U
    0x0020: 8346 34ea 8012 3908 9fd2 0000 0204 05b4 .F4...9.........
    0x0030: 0101 0402 0103 0308 ........
    11:06:20.796696 Port2.605, IN: IP 212.82.100.151.80 > 194.39.183.49.35625: Flags [S.], seq 2330137941, ack 2202416362, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
    11:06:20.796990 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [.], ack 1, win 229, length 0
    11:06:20.796991 Port2, OUT: Out 7c:5a:1c:4c:a7:c9 ethertype Unknown (0x025d), length 60:
    0x0000: 0000 0800 4500 0028 29dd 4000 4006 5eb0 ....E..().@.@.^.
    0x0010: c227 b731 d452 6497 8b29 0050 8346 34ea .'.1.Rd..).P.F4.
    0x0020: 8ae3 1556 5010 00e5 18c9 0000 ...VP.......
    11:06:20.797180 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [P.], ack 1, win 229, length 437
    11:06:20.797181 Port2, OUT: Out 7c:5a:1c:4c:a7:c9 ethertype Unknown (0x025d), length 497:
    0x0000: 0000 0800 4500 01dd 29de 4000 4006 5cfa ....E...).@.@.\.
    0x0010: c227 b731 d452 6497 8b29 0050 8346 34ea .'.1.Rd..).P.F4.
    0x0020: 8ae3 1556 5018 00e5 5a62 0000 4745 5420 ...VP...Zb..GET.
    0x0030: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374 /.HTTP/1.1..Host
    0x0040: 3a20 7961 686f 6f2e 6465 0d0a 5570 6772 :.yahoo.de..Upgr
    11:06:20.830386 Port2, IN: In b8:af:67:ea:7b:00 ethertype Unknown (0x025d), length 66:
    0x0000: 0000 0800 4500 0028 cf88 4000 3906 c004 ....E..(..@.9...
    0x0010: d452 6497 c227 b731 0050 8b29 8ae3 1556 .Rd..'.1.P.)...V
    0x0020: 8346 369f 5010 003e 17bb 0000 0000 0000 .F6.P..>........
    0x0030: 0000 ..
    11:06:20.830389 Port2.605, IN: IP 212.82.100.151.80 > 194.39.183.49.35625: Flags [.], ack 438, win 62, length 0
    11:06:20.833707 Port2, IN: In b8:af:67:ea:7b:00 ethertype Unknown (0x025d), length 769:
    0x0000: 0000 0800 4500 02ed cf89 4000 3906 bd3e ....E.....@.9..>
    0x0010: d452 6497 c227 b731 0050 8b29 8ae3 1556 .Rd..'.1.P.)...V
    0x0020: 8346 369f 5018 003e 265a 0000 4854 5450 .F6.P..>&Z..HTTP
    0x0030: 2f31 2e31 2033 3031 204d 6f76 6564 2050 /1.1.301.Moved.P
    0x0040: 6572 6d61 6e65 6e74 6c79 0d0a 4461 7465 ermanently..Date
    11:06:20.833709 Port2.605, IN: IP 212.82.100.151.80 > 194.39.183.49.35625: Flags [P.], ack 438, win 62, length 709
    11:06:20.833915 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [.], ack 710, win 240, length 0
    11:06:20.833916 Port2, OUT: Out 7c:5a:1c:4c:a7:c9 ethertype Unknown (0x025d), length 60:
    0x0000: 0000 0800 4500 0028 29df 4000 4006 5eae ....E..().@.@.^.
    0x0010: c227 b731 d452 6497 8b29 0050 8346 369f .'.1.Rd..).P.F6.
    0x0020: 8ae3 181b 5010 00f0 1444 0000 ....P....D..
    11:06:20.833931 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [P.], ack 399, win 237, length 748
    11:06:20.833931 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 808:
    0x0000: 0000 0800 4500 0314 d9ec 4000 4006 1c23 ....E.....@.@..#
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced7 j........P.)....
    0x0020: 4973 284d 5018 00ed 44db 0000 4854 5450 Is(MP...D...HTTP
    0x0030: 2f31 2e31 2033 3031 204d 6f76 6564 2050 /1.1.301.Moved.P
    0x0040: 6572 6d61 6e65 6e74 6c79 0d0a 4461 7465 ermanently..Date
    11:06:20.833932 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 808:
    0x0000: 0000 0800 4500 0314 d9ec 4000 4006 1c23 ....E.....@.@..#
    0x0010: 6a0a f897 c0a8 1e8a 0050 f529 a6bb ced7 j........P.)....
    0x0020: 4973 284d 5018 00ed cb79 0000 4854 5450 Is(MP....y..HTTP
    0x0030: 2f31 2e31 2033 3031 204d 6f76 6564 2050 /1.1.301.Moved.P
    0x0040: 6572 6d61 6e65 6e74 6c79 0d0a 4461 7465 ermanently..Date
    11:06:20.874538 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1392 4000 8006 a569 ....E..(..@....i
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 284d ....j....).PIs(M
    0x0020: a6bb d1c3 5010 0802 8644 0000 0000 0000 ....P....D......
    0x0030: 0000 ..
    11:06:20.874541 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1392 4000 8006 a569 ....E..(..@....i
    0x0010: c0a8 1e8a 6a0a f897 f529 0050 4973 284d ....j....).PIs(M
    0x0020: a6bb d1c3 5010 0802 8644 0000 0000 0000 ....P....D......
    0x0030: 0000 ..
    11:06:20.874543 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [.], ack 749, win 2050, length 0
    11:06:27.434614 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1393 4000 8006 a568 ....E..(..@....h
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 5011 0805 3c8d 0000 0000 0000 .i{~P...<.......
    0x0030: 0000 ..
    11:06:27.434618 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1393 4000 8006 a568 ....E..(..@....h
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93d ....j....+.P...=
    0x0020: 0e69 7b7e 5011 0805 3c8d 0000 0000 0000 .i{~P...<.......
    0x0030: 0000 ..
    11:06:27.434621 CLIENTS.3020, IN: IP 192.168.30.138.62763 > 106.10.248.151.80: Flags [F.], seq 1, ack 1, win 2053, length 0
    11:06:27.434686 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62763: Flags [F.], seq 1, ack 2, win 229, length 0
    11:06:27.434687 CLIENTS, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 60:
    0x0000: 0000 0800 4500 0028 635f 4000 4006 959c ....E..(c_@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7e j........P.+.i{~
    0x0020: c0cb e93e 5011 00e5 41ef 0000 ...>P...A...
    11:06:27.434687 Port1, OUT: Out 7c:5a:1c:4c:a7:c8 ethertype Unknown (0x0bcc), length 60:
    0x0000: 0000 0800 4500 0028 635f 4000 4006 959c ....E..(c_@.@...
    0x0010: 6a0a f897 c0a8 1e8a 0050 f52b 0e69 7b7e j........P.+.i{~
    0x0020: c0cb e93e 5011 00e5 43ac 0000 ...>P...C...
    11:06:27.434944 Port1, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1394 4000 8006 a567 ....E..(..@....g
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93e ....j....+.P...>
    0x0020: 0e69 7b7f 5010 0805 3c8c 0000 0000 0000 .i{.P...<.......
    0x0030: 0000 ..
    11:06:27.434944 CLIENTS, IN: In 90:1b:0e:d9:9f:5d ethertype Unknown (0x0bcc), length 66:
    0x0000: 0000 0800 4500 0028 1394 4000 8006 a567 ....E..(..@....g
    0x0010: c0a8 1e8a 6a0a f897 f52b 0050 c0cb e93e ....j....+.P...>
    0x0020: 0e69 7b7f 5010 0805 3c8c 0000 0000 0000 .i{.P...<.......
    0x0030: 0000 ..
    11:06:27.434945 CLIENTS.3020, IN: IP 192.168.30.138.62763 > 106.10.248.151.80: Flags [.], ack 2, win 2053, length 0
    ^C
    58 packets captured
    834 packets received by filter
    0 packets dropped by kernel
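As an added example (not code from any participant in this thread or from Sophos): the console tcpdump above is easiest to read if the per-interface hex dumps are dropped and only the summary lines are kept. The script below parses those summary lines and splits one proxied request into stages, using the fact that a transparent web proxy answers the client's SYN itself and only later opens its own connection on the WAN interface. The sample capture is an excerpt of the capture above for client port 62761, with timestamps, interfaces and addresses exactly as posted; the stage names are my own. On that data the firewall holds the client's request for about 6.1 s before it sends its own SYN on Port2, while the server answers within about 33 ms, which is consistent with the roughly 6-second dnstime and cattime values in the awarrenhttp_access.log posted later in the thread.

```python
import re

# Constructed excerpt: the summary lines of the console tcpdump posted above for
# client port 62761, with the per-interface hex dump lines dropped. Timestamps,
# interfaces and addresses are exactly as posted.
SAMPLE_CAPTURE = """\
11:06:14.566447 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [S], seq 1232283326, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:06:14.566524 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [S.], seq 2797326038, ack 1232283327, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:06:14.566744 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [.], ack 1, win 2053, length 0
11:06:14.647893 CLIENTS.3020, IN: IP 192.168.30.138.62761 > 106.10.248.151.80: Flags [P.], ack 1, win 2053, length 398
11:06:14.647925 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [.], ack 399, win 237, length 0
11:06:20.763540 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [S], seq 2202416361, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
11:06:20.796696 Port2.605, IN: IP 212.82.100.151.80 > 194.39.183.49.35625: Flags [S.], seq 2330137941, ack 2202416362, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 8], length 0
11:06:20.797180 Port2.605, OUT: IP 194.39.183.49.35625 > 212.82.100.151.80: Flags [P.], ack 1, win 229, length 437
11:06:20.833709 Port2.605, IN: IP 212.82.100.151.80 > 194.39.183.49.35625: Flags [P.], ack 438, win 62, length 709
11:06:20.833931 CLIENTS.3020, OUT: IP 106.10.248.151.80 > 192.168.30.138.62761: Flags [P.], ack 399, win 237, length 748
"""

# Only the "IP src > dst: Flags [..]" summary lines match; the "In/Out <mac>
# ethertype ..." lines and the hex dump lines are skipped automatically.
SUMMARY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
)


def _to_us(ts):
    """'HH:MM:SS.ffffff' -> integer microseconds since midnight (exact, no floats)."""
    h, m, s = ts.split(":")
    sec, frac = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def _ip(addr):
    """tcpdump prints 'a.b.c.d.port'; strip the trailing port."""
    return addr.rsplit(".", 1)[0]


def parse_capture(text):
    """Return the summary packets of a console tcpdump as a list of dicts."""
    pkts = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["us"] = _to_us(p.pop("ts"))
            pkts.append(p)
    return pkts


def _first(pkts, what, pred):
    for p in pkts:
        if pred(p):
            return p
    raise ValueError("no packet found for stage: " + what)


def handshake_timeline(pkts, client_ip):
    """Split a transparently proxied request into stages (all in microseconds).

    The proxy completes the LAN-side handshake itself, so the gap between the
    client's request and the firewall's own SYN on the WAN side is time spent
    inside the firewall (lookups, policy) rather than on the network.
    """
    after = lambda ref: (lambda p: p["us"] >= ref["us"])
    c_syn = _first(pkts, "client SYN", lambda p: p["dir"] == "IN" and p["flags"] == "S" and _ip(p["src"]) == client_ip)
    p_synack = _first(pkts, "proxy SYN-ACK", lambda p: p["dir"] == "OUT" and p["flags"] == "S." and _ip(p["dst"]) == client_ip and after(c_syn)(p))
    c_data = _first(pkts, "client request", lambda p: p["dir"] == "IN" and "P" in p["flags"] and _ip(p["src"]) == client_ip and after(c_syn)(p))
    w_syn = _first(pkts, "upstream SYN", lambda p: p["dir"] == "OUT" and p["flags"] == "S" and client_ip not in (_ip(p["src"]), _ip(p["dst"])) and after(c_syn)(p))
    w_synack = _first(pkts, "server SYN-ACK", lambda p: p["dir"] == "IN" and p["flags"] == "S." and _ip(p["dst"]) == _ip(w_syn["src"]) and after(w_syn)(p))
    resp = _first(pkts, "first response to client", lambda p: p["dir"] == "OUT" and "P" in p["flags"] and _ip(p["dst"]) == client_ip and after(w_synack)(p))
    return {
        "proxy_accept_us": p_synack["us"] - c_syn["us"],        # local SYN-ACK to the client
        "client_request_us": c_data["us"] - c_syn["us"],       # client finishes handshake, sends GET
        "firewall_hold_us": w_syn["us"] - c_data["us"],        # request held before upstream connect
        "upstream_connect_us": w_synack["us"] - w_syn["us"],   # WAN-side handshake RTT
        "server_response_us": resp["us"] - w_synack["us"],     # request to server, first bytes back
        "total_us": resp["us"] - c_syn["us"],
    }


def slowest_stage(timeline):
    """Name of the stage that accounts for most of the total."""
    stages = {k: v for k, v in timeline.items() if k != "total_us"}
    return max(stages, key=stages.get)


if __name__ == "__main__":
    t = handshake_timeline(parse_capture(SAMPLE_CAPTURE), "192.168.30.138")
    for stage, us in t.items():
        print(f"{stage:22s} {us / 1000:10.3f} ms")
    print("slowest stage:", slowest_stage(t))
```

Run it against a capture taken the same way (`tcpdump 'host <site>` on the console, hex dumps left in; they are ignored) and compare `firewall_hold_us` with `upstream_connect_us` and `server_response_us`: a large hold with a small upstream RTT points at something the proxy does before connecting (DNS, categorization lookups), a small hold with a large server response time points at the WAN or the remote site.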

  • Hi Christian!

    Can you please provide more detailed information on how to check awarrenhttp_access.log?

  • Hello Christian,

    Could you follow the steps; it does seem the delay is not caused on the firewall.

    1. Enable debug for the service awarrenhttp: go to Shell Option 5>3 and run service awarrenhttp:debug -ds nosync

    2. Run the command to capture the logs: # tail -f /log/awarrenhttp_access.log | grep 103.23.140.55

    3. Open a browser and open "http://103.23.140.55"

    4. Share the transition logs and run the command in 1 again to disable debug.

  • Hello Aditya,

    I followed the steps you provided, here is the log:

    XG230_WP02_SFOS 17.1.3 MR-3# tail -f /log/awarrenhttp_access.log | grep 103.23.140.55
    1543930722.681615786 [ 3735/0x7f4163a1ec00] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3998701248 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="54.247.166.237" user="" statuscode=200 cached=0 trxlen=199 rxlen=68 url="http.00.s.sophosxl.net/.../" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=6030752 cattime=0 avscantime=0 fullreqtime=6094419 ua="SXL/3.1" activity="" av_transaction_id="" categoryname="None" category="" app_id=0 app_name="None" app_cat="None" exceptions=""
    1543930722.961287601 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3859885312 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=302 cached=0 trxlen=442 rxlen=333 url="http://103.23.140.55/" referer="" type="text/html" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=6059672 avscantime=1752 fullreqtime=6365649 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930723.401867049 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3859885312 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=455 rxlen=5454 url="103.23.140.55/.../login.php" referer="" type="text/html" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=35337 avscantime=3946 fullreqtime=383889 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930723.689412147 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3859885312 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=464 rxlen=2392 url="103.23.140.55/.../default.css" referer="103.23.140.55/.../login.php" type="text/css" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=30 avscantime=637 fullreqtime=152894 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930723.887755718 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3859885312 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=486 rxlen=440 url="103.23.140.55/.../submit.gif" referer="103.23.140.55/.../login.php" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=58 avscantime=627 fullreqtime=152632 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930723.968072185 [ 3735/0x7f4163a1b000] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3859887808 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=485 rxlen=3975 url="103.23.140.55/.../login.gif" referer="103.23.140.55/.../login.php" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=18 avscantime=620 fullreqtime=431321 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930723.987270920 [ 3735/0x7f416507bc00] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3998695424 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=488 rxlen=3561 url="103.23.140.55/.../login-02.gif" referer="103.23.140.55/.../login.php" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=57 avscantime=575 fullreqtime=451873 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930724.168227474 [ 3735/0x7f416513d400] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3861962752 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=488 rxlen=3991 url="103.23.140.55/.../login-04.gif" referer="103.23.140.55/.../login.php" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=25 avscantime=630 fullreqtime=432776 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930724.180107644 [ 3735/0x7f41641ee000] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3861965664 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 cached=0 trxlen=488 rxlen=5693 url="103.23.140.55/.../login-03.gif" referer="103.23.140.55/.../login.php" type="image/gif" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=40 avscantime=617 fullreqtime=434955 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"
    1543930724.392589213 [ 3735/0x7f41641ee000] fwid=2 fwflag="VN" iap=0 aap=0 conn_id=3861965664 id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=404 cached=0 trxlen=474 rxlen=521 url="103.23.140.55/favicon.ico" referer="103.23.140.55/.../login.php" type="text/html" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=0 cattime=57 avscantime=1691 fullreqtime=145307 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36" activity="" av_transaction_id="" categoryname="IPAddress" category="83" app_id=0 app_name="None" app_cat="None" exceptions="" sandbox="off"

  • This is quite informative. See the first package:

    authtime=0 dnstime=6030752 cattime=0 avscantime=0 fullreqtime=6094419

    This means nearly all the time of your full request is needed by DNS categorization. You are probably using a slow DNS server.

    In your second request, no more DNS resolution is needed (because it probably already has the IP of your name in cache). But here, categorization time again is using nearly all of your request time:

    authtime=0 dnstime=0 cattime=6059672 avscantime=1752 fullreqtime=6365649

    Depending on the version, categorization is done by DNS as well, if I remember correctly.

    Maybe you can switch to another DNS server, preferably the one of your ISP?
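As an added example, and not code from any participant in this thread or from Sophos: the reading above (compare the dnstime, cattime and avscantime fields against fullreqtime) can be automated for a whole awarrenhttp_access.log. The script below parses the key=value lines, attributes fullreqtime to the stages the proxy reports plus a remainder (time waiting on the origin server and transferring the response), and lists the requests over a threshold with their dominant stage. The sample lines are shortened versions of the first three lines of the log posted above, with the timing values unchanged; that the values are microseconds is my assumption (6094419 lines up with the roughly 6-second stall visible in the tcpdump earlier in the thread), and the stage name `server_and_transfer` for the remainder is my own.

```python
import re

# Constructed sample: three lines in the key=value layout of the
# awarrenhttp_access.log excerpt posted in this thread, shortened to the fields
# that matter here. The timing values are the ones from the posted log.
SAMPLE_LOG = """\
1543930722.681615786 [ 3735/0x7f4163a1ec00] fwid=2 fwflag="VN" id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="54.247.166.237" user="" statuscode=200 url="http.00.s.sophosxl.net/.../" authtime=0 dnstime=6030752 cattime=0 avscantime=0 fullreqtime=6094419 ua="SXL/3.1" categoryname="None"
1543930722.961287601 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=302 url="http://103.23.140.55/" authtime=0 dnstime=0 cattime=6059672 avscantime=1752 fullreqtime=6365649 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" categoryname="IPAddress"
1543930723.401867049 [ 3735/0x7f416507a800] fwid=2 fwflag="VN" id="0001" name="http access" action="pass" method="GET" srcip="192.168.30.138" dstip="103.23.140.55" user="" statuscode=200 url="103.23.140.55/.../login.php" authtime=0 dnstime=0 cattime=35337 avscantime=3946 fullreqtime=383889 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" categoryname="IPAddress"
"""

# Stages the proxy accounts for explicitly (authentication, DNS resolution,
# URL categorization, AV scan). Whatever is left of fullreqtime is time spent
# waiting on the origin server and transferring the response.
STAGES = ("authtime", "dnstime", "cattime", "avscantime")
REMAINDER = "server_and_transfer"

# Assumption: the timing fields are microseconds.
UNITS_PER_MS = 1000

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return the key=value fields of one log line as a dict of strings.

    The leading epoch timestamp has no key and is stored under 'ts'.
    """
    fields = {"ts": float(line.split(" ", 1)[0])}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted   # quoted may legitimately be ""
    return fields


def attribute_time(fields):
    """Split fullreqtime into stages and name the dominant one."""
    total = int(fields["fullreqtime"])
    parts = {s: int(fields.get(s, 0)) for s in STAGES}
    parts[REMAINDER] = max(total - sum(parts.values()), 0)
    dominant = max(parts, key=parts.get)
    return {
        "url": fields.get("url", ""),
        "dstip": fields.get("dstip", ""),
        "total_ms": total / UNITS_PER_MS,
        "dominant": dominant,
        "share": parts[dominant] / total if total else 0.0,
        "parts_ms": {k: v / UNITS_PER_MS for k, v in parts.items()},
    }


def _records(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def slow_requests(log_text, threshold_ms=1000):
    """Requests whose fullreqtime is at or above the threshold, in log order."""
    return [r for r in map(attribute_time, _records(log_text)) if r["total_ms"] >= threshold_ms]


def stage_totals(log_text):
    """Milliseconds spent per stage, summed over the whole excerpt."""
    totals = {s: 0 for s in STAGES + (REMAINDER,)}
    for r in map(attribute_time, _records(log_text)):
        for stage, ms in r["parts_ms"].items():
            totals[stage] += ms
    return totals


if __name__ == "__main__":
    for r in slow_requests(SAMPLE_LOG):
        print(f"{r['total_ms']:9.1f} ms  {r['dominant']:20s} {r['share']:5.1%}  {r['url']}")
    print("per-stage totals (ms):", stage_totals(SAMPLE_LOG))
```

On the posted values the first two requests come out as over 6 s each, dominated by `dnstime` and `cattime` respectively, while the third one is under 400 ms and dominated by the remainder, i.e. the site itself. Running `stage_totals` over a longer `tail` of the real log gives the same picture per stage without reading line by line.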

  • Hi HuberChristian,

    Could you share the logs from the following:

    Use Advanced Shell Option 5>3

    1. less /log/WINGc.log

    2. less /log/nSXLd.log

  • Here are the logs. I truncated the WINGc.log - hopefully you get the information you are looking for.

    3438.WINGc.txt

    [2018-01-09 00:38:41] <4142233536> [info] nSXLd: Parent proxy disabled
    [2018-01-09 00:38:41] <4142233536> [info] nSXLd: Cache created with maximum number of 204800 records
    [2018-01-09 00:38:41] <4142233536> [info] nSXLd: nSXLd started log level: info
    [2018-01-09 00:39:46] <4142233536> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-01-09 00:39:46] <4142233536> [info] nSXLd: nSXLd finished
    [2018-10-04 10:29:13] <4141479872> [info] nSXLd: Parent proxy disabled
    [2018-10-04 10:29:13] <4141479872> [info] nSXLd: Cache created with maximum number of 204800 records
    [2018-10-04 10:29:13] <4141479872> [info] nSXLd: nSXLd started log level: info
    [2018-10-04 10:46:34] <4141488064> [info] nSXLd: Parent proxy disabled
    [2018-10-04 10:46:34] <4141488064> [info] nSXLd: Cache created with maximum number of 204800 records
    [2018-10-04 10:46:34] <4141488064> [info] nSXLd: nSXLd started log level: info
    [2018-10-04 10:49:49] <4141488064> [info] nSXLd: Parent proxy disabled
    [2018-10-04 10:49:49] <4141488064> [info] nSXLd: Cought SIGHUP. Configuration was reloaded with log severity: info
    [2018-10-04 10:13:02] <4141488064> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-10-04 10:13:02] <4141488064> [info] nSXLd: nSXLd finished
    [2018-10-04 11:16:06] <140414395914432> [info] nSXLd: Parent proxy disabled
    [2018-10-04 11:16:06] <140414395914432> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-04 11:16:06] <140414395914432> [info] nSXLd: nSXLd started log level: info
    [2018-10-15 08:30:10] <140414395914432> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-10-15 08:30:10] <140414395914432> [info] nSXLd: nSXLd finished
    [2018-10-15 08:32:35] <139649003874496> [info] nSXLd: Parent proxy disabled
    [2018-10-15 08:32:35] <139649003874496> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-15 08:32:35] <139649003874496> [info] nSXLd: nSXLd started log level: info
    [2018-10-16 09:30:23] <140128346560704> [info] nSXLd: Parent proxy disabled
    [2018-10-16 09:30:23] <140128346560704> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-16 09:30:23] <140128346560704> [info] nSXLd: nSXLd started log level: info
    [2018-10-22 07:09:26] <140128346560704> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-10-22 07:09:26] <140128346560704> [info] nSXLd: nSXLd finished
    [2018-10-22 07:29:10] <139760833509568> [info] nSXLd: Parent proxy disabled
    [2018-10-22 07:29:10] <139760833509568> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-22 07:29:10] <139760833509568> [info] nSXLd: nSXLd started log level: info
    [2018-10-24 09:45:18] <139664994441408> [info] nSXLd: Parent proxy disabled
    [2018-10-24 09:45:18] <139664994441408> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-24 09:45:18] <139664994441408> [info] nSXLd: nSXLd started log level: info
    [2018-10-26 09:37:02] <140034087237824> [info] nSXLd: Parent proxy disabled
    [2018-10-26 09:37:02] <140034087237824> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-26 09:37:02] <140034087237824> [info] nSXLd: nSXLd started log level: info
    [2018-10-26 11:08:17] <140136532351168> [info] nSXLd: Parent proxy disabled
    [2018-10-26 11:08:17] <140136532351168> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-10-26 11:08:17] <140136532351168> [info] nSXLd: nSXLd started log level: info
    [2018-11-05 08:14:40] <139880479586496> [info] nSXLd: Parent proxy disabled
    [2018-11-05 08:14:40] <139880479586496> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-11-05 08:14:40] <139880479586496> [info] nSXLd: nSXLd started log level: info
    [2018-11-06 14:45:17] <139880479586496> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-11-06 14:45:17] <139880479586496> [info] nSXLd: nSXLd finished
    [2018-11-19 09:28:13] <139727068072128> [info] nSXLd: Parent proxy disabled
    [2018-11-19 09:28:13] <139727068072128> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-11-19 09:28:13] <139727068072128> [info] nSXLd: nSXLd started log level: info
    [2018-11-19 10:10:13] <139727068072128> [info] nSXLd: caught SIGINT or SIGTERM signal. Stopping daemon
    [2018-11-19 10:10:13] <139727068072128> [info] nSXLd: nSXLd finished
    [2018-11-19 10:24:31] <139691304495296> [info] nSXLd: Parent proxy disabled
    [2018-11-19 10:24:32] <139691304495296> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-11-19 10:24:32] <139691304495296> [info] nSXLd: nSXLd started log level: info
    [2018-11-20 16:12:46] <140271521704128> [info] nSXLd: Parent proxy disabled
    [2018-11-20 16:12:46] <140271521704128> [info] nSXLd: Cache created with maximum number of 102400 records
    [2018-11-20 16:12:46] <140271521704128> [info] nSXLd: nSXLd started log level: info

  • Hi Aditya,

    did you get any further information from the logs I provided?

    Nevertheless, we changed the DNS servers to our internal servers and that seems to solve the problem.

    DNS-lookup now shows results and the request time seems to be ok (before, I had a blank results page):

    Although I don't know why, browsing speed is now fast with the security features enabled!