Cisco Support Community

How to fix slow Internet connectivity issues when N2H2, URL Filtering Server, is used with PIX firewall version 6.x

Core issue

Internet connectivity can be slow when N2H2 is used to filter URLs in conjunction with the PIX firewall. Two commonly known causes of this behavior are:

  • URL-Block—Long URLs are filtered by PIX

  • URL-Cache—PIX caches previously retrieved URL access privileges from the N2H2 server

Resolution

To resolve this issue, use these commands in global configuration mode. They can be considered tuning commands for URL filtering servers.

pixfirewall(config)#url-block block 128

For N2H2 filtering servers, the url-block block command causes the PIX firewall to buffer packets received from a web server in response to a web client request while it waits for a response from the URL filtering server. This improves performance for the web client compared to the default PIX firewall behavior, which is to drop the packets and to require the web server to retransmit the packets if the connection is permitted.

When the url-block block command is used and the filtering server permits the connection, the PIX firewall sends the blocks to the web client from the HTTP response buffer and removes the blocks from the buffer. If the filtering server denies the connection, the PIX firewall sends a deny message to the web client and removes the blocks from the HTTP response buffer.

pixfirewall(config)#url-cache dst size 128

The url-cache command provides a configuration option that allows the PIX to cache previously retrieved URL access privileges from a Websense or N2H2 server. Caching stores URL access privileges in memory on the PIX firewall. When a host requests a connection, the PIX firewall first looks in the URL cache for matching access privileges instead of forwarding the request to the N2H2 or Websense server.
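
The following added example (a simplified Python model, not Cisco code and not part of the original document) shows what the cache lookup described above means for policy enforcement: with dst keying, a decision cached for one client is reused for every client, so that mode fits only when all users share one filtering policy. The src_dst mode is the other keying option of the url-cache command and does not appear on this page; the addresses, the policy table, and the unbounded cache without eviction are constructed assumptions.

```python
# Added illustration: a toy model of the PIX URL cache, not Cisco code.
# Addresses and the policy table are constructed sample data.

class FilterServer:
    """Stands in for the N2H2 server; counts how many lookups reach it."""
    def __init__(self, denied):
        self.denied = denied          # set of (client_ip, dest_ip) pairs to deny
        self.lookups = 0

    def permits(self, src, dst):
        self.lookups += 1
        return (src, dst) not in self.denied


class UrlCache:
    """Caches permit/deny decisions, keyed as url-cache dst or src_dst would."""
    def __init__(self, server, mode):
        self.server, self.mode, self.entries = server, mode, {}

    def permits(self, src, dst):
        key = dst if self.mode == "dst" else (src, dst)
        if key not in self.entries:               # miss: ask the filtering server
            self.entries[key] = self.server.permits(src, dst)
        return self.entries[key]                  # hit: server is not consulted


def replay(mode):
    """Replay constructed requests; return (decisions, server lookups)."""
    server = FilterServer(denied={("10.0.0.20", "192.0.2.80")})
    cache = UrlCache(server, mode)
    requests = [
        ("10.0.0.10", "192.0.2.80"),   # permitted client, first visit
        ("10.0.0.10", "192.0.2.80"),   # same client again: served from cache
        ("10.0.0.20", "192.0.2.80"),   # client the server policy denies
    ]
    return [cache.permits(s, d) for s, d in requests], server.lookups


if __name__ == "__main__":
    for mode in ("dst", "src_dst"):
        decisions, lookups = replay(mode)
        print(f"url-cache {mode}: decisions={decisions} server_lookups={lookups}")
```

In the dst run the third request is permitted from the cache even though the server policy denies that client; in the src_dst run it reaches the server and is denied, at the cost of one more lookup.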
