
Slow first response HTTP / HTTPS

Hi,

I am trying to troubleshoot an issue with an XG Firewall SG115 running SFOS 17.5.6 MR-6.

1. When I open an http website, e.g. http://google.de, the request is redirected to https://www.google.de and the first response is slow when "http scan" in the firewall rule is enabled. When I open https://www.google.de directly, the response time is good.

2. When I set a policy at intrusion prevention inside the firewall rule, the first response for both http and https is slow, regardless of whether "http scan" is enabled or disabled.

3. When I set Sophos as a fixed proxy in the browser, the response times are fine.

What could be wrong? Is this standard behaviour or possibly some configuration mistake?


Thanks in advance for all help.


Regards,

Thomas



  • Others already gave you a good place to check: DNS. Lately 8.8.8.8 is working slowly in a few countries. I recommend you go to a workstation and set the DNS manually to 1.1.1.1.

    Also change the DNS in the WAN to your ISP's or 1.1.1.1.

  • Hi Hayim,

    As I mentioned before, DNS on the client is not an issue. Unless there might be another problem with DNS in Sophos (separate from client DNS), I don't think it's a DNS issue. DNS in Sophos was set to 1.1.1.1 already. DNS at the client is the local AD / DNS server (the DNS server's forwarders are set to 1.1.1.1 too). I tested the speed of the local AD/DNS and 1.1.1.1 from the client side and did not find any problem.

    I will try to debug the HTTP proxy in Sophos once I can spare some time.

    Thanks and regards,

    Thomas

  • I understand. Debug is a good way to check. But trying different ways that are physical is an option I like. I learn a lot from it. If you want, try this small tool: http://www.pingplotter.com/download

    It is a ping tool with trace that also tells you the time it takes between the different routers on the way to the destination.

    I would try pinging 1.1.1.1 once with this tool and then try pinging www.google.com.

  • I could be mistaken, but I think you should have your DNS set on the firewall to 1.1.1.1 or whatever you like, then your AD DCs to forward to the firewall, then your workstations to your AD DCs.

  • The correct way, when you have a server with a DNS server (domain controller), is the way he configured it.

    The server has to have itself as the DNS server, and in the DNS server properties you have forwarders; there he can configure any external DNS server he wants. The fastest should be your ISP's, but sometimes 1.1.1.1 is better. All workstations should have the local DC's DNS as their DNS server.

    The firewall WAN should have the same as the forwarders in the server's DNS; it can be the ISP's or 1.1.1.1.

    As a test case, when you feel the first site is slow, I always ignore my recommendations and manually configure the workstation and the firewall WAN with an external DNS server, just for testing, to get the fastest DNS.

  • I am now trying to debug the proxy logs awarrenhttp_access.log and awarrenhttp.log.

    1. Currently I am seeing a flood of this message in awarrenhttp.log:

    gr_io: Resource temporarily unavailable, after retrying 5 times

    What does it mean?

    2. I see this high value for dnstime:

    1563542161.759655652 [ 9843/0x7f5dbf428c00] fwid=14 fwflag="V" iap=0 aap=0 conn_id=58943200 id="0001" name="http access" action="pass" method="POST" srcip="X.X.X.X" dstip="104.107.217.55" user="" statuscode=200 cached=0 trxlen=0 rxlen=85 url="ocsp.int-x3.letsencrypt.org/" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=6069492 cattime=270 avscantime=0 fullreqtime=6071279 ua="Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" activity="" av_transaction_id="" categoryname="CRL and OCSP" category="13" app_id=0 app_name="None" app_cat="None" exceptions=""

    Could this have something to do with the very slow page loading times?

    Thanks and Regards,

    Thomas
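The access-log line quoted in the post above can be checked mechanically for requests where DNS lookup dominates the total proxy time. This is an added Python example, not Sophos code and not something posted in the thread; it assumes the proxy timers are in microseconds (the thread does not state the unit) and embeds the quoted line plus one constructed fast request as input.

```python
import re
from typing import Dict, List

# Constructed sample input: the first entry is the awarrenhttp_access.log line quoted
# in the post (srcip masked as in the post); the second is a made-up fast request using
# a TEST-NET address, so the script runs offline.
SAMPLE_LOG: List[str] = [
    '1563542161.759655652 [ 9843/0x7f5dbf428c00] fwid=14 fwflag="V" iap=0 aap=0 '
    'conn_id=58943200 id="0001" name="http access" action="pass" method="POST" '
    'srcip="X.X.X.X" dstip="104.107.217.55" user="" statuscode=200 cached=0 trxlen=0 '
    'rxlen=85 url="ocsp.int-x3.letsencrypt.org/" referer="" type="" authtime=0 '
    'dnstime=6069492 cattime=270 avscantime=0 fullreqtime=6071279 '
    'ua="Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0" '
    'categoryname="CRL and OCSP" category="13" app_name="None" exceptions=""',
    '1563542162.000000000 [ 9843/0x7f5dbf428c00] fwid=14 fwflag="V" conn_id=58943201 '
    'name="http access" action="pass" method="GET" srcip="X.X.X.X" dstip="203.0.113.10" '
    'statuscode=200 url="www.google.de/" authtime=0 dnstime=1200 cattime=300 '
    'avscantime=45000 fullreqtime=180000 categoryname="Search Engines"',
]

# key=value tokens; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIMING_FIELDS = ("authtime", "dnstime", "cattime", "avscantime")
# Assumption: the proxy reports these timers in microseconds.
US_PER_S = 1_000_000


def parse_line(line: str) -> Dict[str, str]:
    """Split one awarrenhttp_access.log line into its key=value fields."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if bare == "" else bare  # quoted may legitimately be ""
    return fields


def time_breakdown(fields: Dict[str, str]) -> Dict[str, float]:
    """Fraction of fullreqtime spent in each proxy phase (all 0.0 if no total)."""
    total = int(fields.get("fullreqtime", 0))
    if total <= 0:
        return {name: 0.0 for name in TIMING_FIELDS}
    return {name: int(fields.get(name, 0)) / total for name in TIMING_FIELDS}


def dns_bottlenecks(lines: List[str], min_dns_s: float = 1.0, min_share: float = 0.5) -> List[str]:
    """URLs that waited at least min_dns_s on DNS and where DNS was most of the request time."""
    hits: List[str] = []
    for line in lines:
        f = parse_line(line)
        dns_s = int(f.get("dnstime", 0)) / US_PER_S
        if dns_s >= min_dns_s and time_breakdown(f)["dnstime"] >= min_share:
            hits.append(f.get("url", "?"))
    return hits
```

Running `dns_bottlenecks(SAMPLE_LOG)` flags only the OCSP request, which is the pattern to look for when deciding whether the forwarder, rather than scanning or categorisation, is the slow step.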

  • Most likely this DNS time is too high.

    You should check the DNS forwarder, maybe change to another forwarder, etc.

    Test some results with nslookup in the GUI, etc.