cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1816
Views
0
Helpful
14
Replies

PC slow accessing the internet through proxy

mbroberson1
Level 3
Level 3

Have a strange one trying to nail down here.

Senario:

A pc at a remote branch (across a full p-to-p T-1) has extremely slow responses accessing the internet. The PC does use a proxy server to handle the internet requests. There is virtually no load in the T-1 and the issue seems to clear up sometimes. The users at the main site don't experience slowness to the same internet sites while using the same proxy server. To me it really looks like something with the proxy server, but then how do you explain the fact the users at the headquarters don't experience the issue. Also several other branch sites may be experiencing this same issue while other branch locations are not. Could this be a MTU issue or something else? It's strange that users at the main site don't experience the issue, and while the issue is happening the T-1 links to the remotes are at less than 5% utilization. There is nothing fancy no nating or anything with the devices configs.

I did perform a packet capture (see attachment) from the proxy server (10.101.4.19) of the clients request (10.122.59.11) and see gobs of TCP retransmissions.

Any advice from to point me in a direction would be greatly appreciated.

Thanks,

Brandon

14 Replies 14

mulhollandm
Level 1
Level 1

brandon

have you looked at the latency between the remote site and the proxy server when access is slow

what are the ping response times like

i assume the main office has a layer 2 connection to the proxy so routing isn't an issue here but is it an issue from the remote sites

also

are you running any kind of authentication on the proxy to authenticate users

hope this helps or at least gives you something to think about

ps - have you captured on the local pc at the same time as on the proxy so you can compare?

good luck

Hi Mulhollandm,

I have looked at latency between the remote site and the proxy server and it is very low when the issue hapening, like 20ms to 30ms round trip times.

The main office has a L2 connection to the proxy server.

Remember that if you disable and don't use the proxy from a client at the remote site internet browsing is very fast and normal.

What makes it strange is the fact that when users at the remote site are having the issue, users at the main site are not even though they are using the same proxy server and there is virtually no load and excellent latency between the remote site and the proxy server.

The proxy server is utilizing authentication, but it's still strange the main office users don't expereince the issue when the remote users do.

I have captured on a local pc and seem to get the same results as capturing on the proxy server "lots of retransmissions".

Could an MTU issue cause this in the direction of proxy to client or vice versa?

Thanks,

Brandon

Joseph W. Doherty
Hall of Fame
Hall of Fame

BTW, I'm unable to open your attachment, my PC considers it corrupted.

However, when you note ". . . gobs of TCP retransmissions.", such will generally kill TCP performance. So much so, it could also explain your "virtually no load" to "less than 5% utilization" on the T-1.

Try to find the cause of all the TCP retransmissions.

I get the same file is corrupt message.

Hi Pompeychmes,

Please try the new attachment.

Thanks,

Brandon

Hi Joseph,

Please try the new file. I am trying to find the cause of the retransmissions, but that's the problem what is?

Thanks,

Brandon

Looks like something on your PC at the browser level.

1. you send GET to Proxy

2. Proxy replies that it needs you to enter Name/Password

---2 seconds pause, PC does not reply or confirms TCP reception ---

3. Proxy retransmits - why didn't you confirmed packet

4. PC retransmits GET to proxy

So... possible reasons.

A. problems on L7.

1. Try using browser that supports proxy authentication, like (uh.. i hate to say it) MSIE.

2. Try using different OS.

3. Different users, different PCs...

B.

On the other hand it also looks that there is a big problem on TCP level - your PC does not seem to care to confirm reception/reply in time. I'd look at your PC. If the TCP options/timers are different than that of a proxy

C. Group policy. There is a small possibility that this is happening because of admin group policy in your active directory domain container.

Hi Slidersv,

Thanks for your reply. Some more info that may help.

The users at the remote sites are using IE6.0. Also the weird thing is it has been know to happen intermittently. Sometimes the users will experience slow browsing (like taking google.com 3 to 5 minutes to pull up the page). And it has also seemed normal and fast.

Just some more info for you.

Thanks,

Brandon

To isolate the proxy as the problem i'd bypass it or at leaset turn off authentication temporarily.

folks

pompeychimes makes a good point

brandon,

can you identify a single host on one of the remote networks and tell the proxy not to authenticate traffic from that host to any site or tell the proxy to allow all users on the remote site to have unauthenticated access to a single single safe site, i.e. google, bbc, ramones.com etc

when access slows get the users to try access to the unauthenticated site

hope this helps

When we bypass the proxy all internet surfing is very fast low latency. So common knowledge would point to the proxy. The weird thing is when the remote sites are experiencing the slowness through the proxy users at the main site/location don't seem to experience this slowness through the same proxy. Not knowing how Microsoft ISA works I wonder if maybe there is an authentication rule based on subnets thats somehow been overlooked for the remote sites.

Thanks

tek-tips.com has a ISA forum.

Hey guys just curious, but could adjusting the tcp retransmission timeout on the proxy possibly help?

Thanks

Hi guys,

We placed a TAC call with Cisco to have them bless the configuration. From an ip connectivity standpoint they cleard the configuration and seem certain it's something related to the proxies. They looked back at similar cases and found that adjusting the "tcp retransmision timeout" helped the issue. Does this seem correct?

Thanks,

Brandon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco