IOS Firewall causes slow performance for specific web site
Please help me figure out why my IOS config would cause poor performance (slow loading) for access, via web browser, to a particular web site. (Actually, it affects only a specific page on the site.) Performance is fine when accessed from other locations OR when I disable 'ip inspect... ...tcp'. The page is not complex - just output of search results.
If you have ideas of what might cause this problem please write. Otherwise, maybe you can suggest some things to check, or methods to diagnose the problem.
Thanks in advance for your time in helping me out.
Re: IOS Firewall causes slow performance for specific web site
I just ran into the same issue with outbound e-mail. When we disabled the firewall, the mail going out seemed to work just fine. When it was enabled, the mail going to certain sites would sit there for anywhere from 5 - 20 minutes. With some help from the nice folks at TAC, we determined that these sites were doing an IDENT request which wasn't being answered which slowed down or stopped the mail delivery entirely. Once we allowed IDENT, it worked just fine.
Add a line to your access list which reads:
access-list 101 deny ip any any log
and keep an eye on the console of the router. It should log any denied packets coming through and help you identify what the issue with those particular sites is.
I was under the impression that IDENT wasn't really used any more but it seems there are certain strongholds in the world that still use it for mail (like Cisco!). We'll need to fix our registration with the ISP so we can turn off IDENT later, but for now the mail is going through.