ASG 7.505
Running as VM on ESXi
ESXi Hardware is brand new with plenty of horsepower
I have three servers with DNAT rules. Two are working perfectly. The third has multiple of DNAT rules, all of which are showing the same symptoms. When making a request from outside, a small "spurt" of data makes it through, in the case of an HTTP service it is enough to show the HTML page title and maybe some text, but that's it. If you leave it long enough, sometimes the page will fully load, but it takes forever - I'm talking 5 or 10 minutes. Most of the time it just times out. The symptoms are the same for all of the DNAT rules to this server (HTTP, HTTPS, WebDAV, RDP). On the internal network, everything is nice and fast from that server as it should be. This all started happening after changing out our Cisco ASA for the ASG so all fingers point to the ASG - BUT
Here's where the troubleshooting gets weird:
I set up new identical IIS virtual server instances on port 10001 on Server #1 (one of the ones that is working) and Server #2 (the one with the problem). I put the same ~100k PDF file on each of the servers to provide data to test with. I set up a "test" DNAT rule for port 10001 pointing to Server #1. Tested from outside and it worked nice and fast. I modified the same DNAT rule and the only change I made was to point to Server #2. The problem appears. I get enough for the web browser to know it's a PDF and run the Adobe plugin, but the PDF file never fully loads. So now I'm thinking it's the server with the problem, right? Well, again, both servers work perfectly on the internal LAN.
I set the DNAT to not automatically create the PF rule and created my own to see what's up and I'm getting nothing but green. It does not appear that the ASG is blocking anything at all related to this problem.
No other services are running on the ASG except QoS and I fully disabled it as part of the testing with the same result. No IPS, no proxying, nothing - only DNAT and PF rules.
I have removed all of the DNAT rules for that server and re-added them. For a while, I just using one DNAT rule for testing to keep things simple. Same result.
I have removed the server host definition in the ASG and re-added it.
IP information on the server with the problem has been triple-checked. Gateway is set to the ASG IP. Again, it worked perfectly with the Cisco ASA which was in place before I installed the ASG.
I have done everything I can think of and this one has me completely stumped. I thought I would poll you guys before opening a support call.
Thanks!
A.J.
This thread was automatically locked due to age.
Guest User!
You are not Sophos Staff.
