I am facing a problem in my Singapore office network: a single website is taking 2-3 minutes to load the page, while other sites are opening very quickly. A proxy server is in between and users are accessing the site through the proxy. I tried accessing the site via DMZ out, bypassing the firewall and proxy, and the page opens quickly. Also, if I use our US proxy the result is good; the problem is only with the Singapore proxy and only for a single website, i.e. http://188.8.131.52 . Even the proxy authentication prompt takes time to pop up on screen for this particular website. Connectivity is like ....
Internet route------->Firewall------> Proxy------>User in LAN
Can somebody please suggest on this.
You mentioned that the problem is not necessarily the ASA because even bypassing the ASA, the proxy response is slow, correct?
Might be a problem with the proxy server.
Things to look at in the ASA could be if you're doing HTTP inspection or if there's any rule defined for this particular site.
I had a similar problem before and it turned out it was a Traffic Shaper device facing the Internet... (no other device in the path that could be causing the slowness)?
I bypassed both the ASA and the proxy. I just connected a host directly after the firewall with the DMZ out switch and the result is perfect. There is no policy or rule in the firewall for this particular website; policies are the same for all. There is no traffic shaper or any WAN accelerator placed with the firewall. The proxy authentication prompt takes time to come up on screen just for this particular website and works normally for all other sites. And when we use the US proxy it works fast for this site, however traffic is crossing through the same firewall.
Is there any chance that you can try bypassing the proxy and just sending the traffic to this website through the ASA?
In other words, do the same test but not using the proxy on the local machine (just sending the traffic through the ASA as it normally will).
The ASA should not be slowing this particular traffic if there's not any weird configuration on it.
Yes, some rules need to be added on the ASA. I will do this testing and will check the same as you said. One more thing I found is that if we nslookup the IP 184.108.40.206 it's not getting resolved, so is it possible it could take time from the DNS server side to resolve this website?
Your DNS server should not be trying to do a reverse lookup on the IP address, the server should only turn hostname into IP. What is the URL you are trying to browse to? If you set up some captures on the ASA, what do you see:
cap in interface inside match ip any host 220.127.116.11
cap out interface outside match ip any host 18.104.22.168
show cap out
show cap in
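Added example, not part of any post in this thread: a small Python parser for saved `show cap` text that finds the longest silence between consecutive packets and which host broke it, so the inside and outside captures can be compared. It assumes the tcpdump-style line layout shown in the constructed sample; the addresses are documentation ranges, not values from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample in the tcpdump-style layout assumed for "show cap" output;
# addresses are documentation ranges, not values from the thread.
SAMPLE_CAPTURE = """\
   1: 10:15:02.100000 192.0.2.10.51000 > 203.0.113.5.80: S 100:100(0) win 8192
   2: 10:15:02.350000 203.0.113.5.80 > 192.0.2.10.51000: S 900:900(0) ack 101 win 5840
   3: 10:15:02.351000 192.0.2.10.51000 > 203.0.113.5.80: . ack 901 win 8192
   4: 10:15:02.360000 192.0.2.10.51000 > 203.0.113.5.80: P 101:501(400) ack 901 win 8192
   5: 10:17:12.360000 203.0.113.5.80 > 192.0.2.10.51000: P 901:2301(1400) ack 501 win 5840
"""

LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$"
)

def parse_capture(text):
    """Return packets as dicts: n, t (seconds since midnight), src, dst, info."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip summary lines such as "5 packets captured"
        n, hh, mm, ss, src, dst, info = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        packets.append({"n": int(n), "t": t, "src": src, "dst": dst, "info": info})
    return packets

def largest_gap(packets):
    """Return (gap_seconds, packet_before, packet_after) for the longest
    silence between consecutive packets, or None if fewer than two packets.
    The sender of packet_after is the side that broke the silence."""
    best = None
    for prev, cur in zip(packets, packets[1:]):
        gap = cur["t"] - prev["t"]
        if gap < 0:
            gap += 86400  # capture crossed midnight
        if best is None or gap > best[0]:
            best = (gap, prev, cur)
    return best

if __name__ == "__main__":
    gap, before, after = largest_gap(parse_capture(SAMPLE_CAPTURE))
    print(f"{gap:.3f}s of silence after packet {before['n']}; "
          f"ended by {after['src']} ({after['info']})")
```

Running it on both captures shows whether the long wait is already visible on the outside interface or only appears on the inside one.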
There is no URL for this IP; users are accessing the site by IP only. That's what I am trying to find out: whether there is any delay or something which DNS is causing while trying to resolve the IP. Is it possible that DNS could cause this issue, as the site is accessed through IP only and there is no entry for this IP in DNS?
DNS doesn't come into play at all if the users are accessing the host directly by IP address.
Were you able to perform the test that Federico suggested, where the traffic passes through the ASA but not the proxy? This will help you to focus on either the ASA or the proxy as the cause of the slowness.
I am planning to do this testing. This document is really good; I will start step by step to get to the root cause of this. Will update once done with testing.