Question

Internal website access from VPN client is very slow

Asked by eidpassport in Cisco PIX Firewall, Virtual Private Networking (VPN)

Problem:
This problem surfaced after changing ISPs; no other changes were made to the ASA, other than ISP-specific changes. When connecting to an internal website from a VPN client, the website eventually connects but can take up to 10 minutes before a page loads. There is no problem accessing the internal website from the LAN. It only happens when remote users attempt to access the site through the VPN. It worked prior to the changeover in ISPs.

Troubleshooting:
While trying to connect we can see connections being built to external IP addresses (port 80), but then they time out after 30 seconds. After 10 minutes there are 5 "Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK on interface Internet" messages, and then new connections are built and the webpage loads. Somewhere during the 10 minute period we might see a "Teardown TCP connection 30867753 for Internet:<Client IP>/1706 to Internet:<Web Server IP>/443 duration 0:03:33 bytes 66182 TCP Reset-O".

Initial connection built:
Built inbound TCP connection 30867753 for Internet: <Client IP>/1706 (<Web Server IP>/1706) to Internet: <Web Server IP>/443

After 3min 33seconds:
Teardown TCP connection 30867753 for Internet: <Client IP>/1706 to Internet: <Web Server IP>/443 duration 0:03:33 bytes 66182 TCP Reset-O

After about 10 minutes total:
Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK  on interface Internet
Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK  on interface Internet
Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK  on interface Internet
Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK  on interface Internet
Deny TCP (no connection) from <Client IP>/1706 to <Web Server IP>/443 flags ACK  on interface Internet
Built inbound TCP connection 30878399 for Internet:<Client IP>/1709 (<Client IP>/1709) to Internet:<Web Server IP>/443 (<Web Server IP>/443)
Built inbound TCP connection 30878401 for Internet:<Client IP>/1710 (<Client IP>/1710) to Internet:<Web Server IP>/443 (<Web Server IP>/443)
Built inbound UDP connection 30878403 for Internet:<Client IP>/51650 (<Client IP>/51650) to Inside:<DNS Server IP>/53 (<DNS Server IP>/53)
Built inbound UDP connection 30878404 for Internet:<Client IP>/51650 (<Client IP>/51650) to Inside:<2nd DNS Server IP>/53 (<2nd DNS Server IP>/53)
Built inbound UDP connection 30878405 for Internet:<Client IP>/65530 (<Client IP>/65530) to Inside:<DNS Server IP>/53 (<DNS Server IP>/53)
Built inbound UDP connection 30878406 for Internet:<Client IP>/137 (<Client IP>/137) to Internet:<Client Broadcast IP>/137 (<Client Broadcast IP>/137)
Built inbound UDP connection 30878407 for Internet:<Client IP>/65530 (<Client IP>/65530) to Inside:<2nd DNS Server IP>/53 (<2nd DNS Server IP>/53)
Teardown UDP connection 30878403 for Internet:<Client IP>/51650 to Inside:<DNS Server IP>/53 duration 0:00:00 bytes 44
Teardown UDP connection 30878404 for Internet:<Client IP>/51650 to Inside:<2nd DNS Server IP>/53 duration 0:00:00 bytes 44
Teardown UDP connection 30878405 for Internet:<Client IP>/65530 to Inside:<DNS Server IP>/53 duration 0:00:00 bytes 44
Teardown UDP connection 30878407 for Internet:<Client IP>/65530 to Inside:<2nd DNS Server IP>/53 duration 0:00:00 bytes 44

Hardware/Software:
We have two ASA 5500 series Cisco Pix/Firewalls connected via L2L VPN.  VPN Clients connect to the ASA at HQ and the Web Server is hosted behind the other ASA at the offsite Datacenter.  Client computers are running Cisco VPN Client 5.0 on Windows XP.

Additional Information:
One of the changes that may have affected this process is that we had changed ISPs and our public IP address to the ASA at HQ about the time we started experiencing these symptoms. I don't believe that there were any configuration changes made to the ASA during that process that might have caused this effect. Everything else is working as expected (L2L connections, all other VPN Client traffic, etc.) and the website does come up eventually, so it is not like the communication is being blocked.

Conclusion:
Any ideas why we're getting the TCP Reset-O and why it takes 10 minutes to receive the Deny TCP (no connection) and then a new connection created so that the webpage will load?

Is there a way to deny built connections to public IP addresses from the VPN Client network, since they are timing out anyway (I've tried adding ACEs to the access-group xxx in interface internet)?
Built inbound TCP connection 30868057 for Internet:<Client IP>/1707 (<Client IP>/1707) to Internet:208.111.162.31/80
Teardown TCP connection 30868057 for Internet:<Client IP>/1707 to Internet:208.111.162.31/80 duration 0:00:30 bytes 0 SYN Timeout
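As an added example (not from the question, the Experts, or Cisco), the following Python script reconstructs the connection timeline that the posted messages describe: it parses the Built, Teardown and Deny (no connection) formats quoted above, pairs each Teardown with its Built entry by connection ID, converts the logged duration to seconds, and counts Deny packets whose source/destination pair belongs to a flow the ASA has already torn down, which is what the five ACK denies on <Client IP>/1706 look like. The sample log is constructed; 10.10.10.5 (VPN client), 172.16.20.8 (web server) and 172.16.1.10 (DNS server) are assumed placeholder addresses, while 208.111.162.31 is the public address quoted in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the messages in the question; the private
# addresses are assumptions (10.10.10.5 = VPN client, 172.16.20.8 = web
# server, 172.16.1.10 = DNS server), 208.111.162.31 is quoted in the post.
SAMPLE_LOG = """\
Built inbound TCP connection 30867753 for Internet:10.10.10.5/1706 (10.10.10.5/1706) to Internet:172.16.20.8/443 (172.16.20.8/443)
Built inbound TCP connection 30868057 for Internet:10.10.10.5/1707 (10.10.10.5/1707) to Internet:208.111.162.31/80 (208.111.162.31/80)
Teardown TCP connection 30868057 for Internet:10.10.10.5/1707 to Internet:208.111.162.31/80 duration 0:00:30 bytes 0 SYN Timeout
Teardown TCP connection 30867753 for Internet:10.10.10.5/1706 to Internet:172.16.20.8/443 duration 0:03:33 bytes 66182 TCP Reset-O
Deny TCP (no connection) from 10.10.10.5/1706 to 172.16.20.8/443 flags ACK  on interface Internet
Deny TCP (no connection) from 10.10.10.5/1706 to 172.16.20.8/443 flags ACK  on interface Internet
Deny TCP (no connection) from 10.10.10.5/1705 to 172.16.20.8/443 flags ACK  on interface Internet
Built inbound TCP connection 30878399 for Internet:10.10.10.5/1709 (10.10.10.5/1709) to Internet:172.16.20.8/443 (172.16.20.8/443)
Built inbound UDP connection 30878403 for Internet:10.10.10.5/51650 (10.10.10.5/51650) to Inside:172.16.1.10/53 (172.16.1.10/53)
Teardown UDP connection 30878403 for Internet:10.10.10.5/51650 to Inside:172.16.1.10/53 duration 0:00:00 bytes 44
"""

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) "
    r"for \w+:(?P<src>[\d.]+/\d+) .*?to \w+:(?P<dst>[\d.]+/\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<id>\d+) for .*? duration "
    r"(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)
DENY_RE = re.compile(
    r"Deny (?:TCP|UDP) \(no connection\) from (?P<src>[\d.]+/\d+) "
    r"to (?P<dst>[\d.]+/\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\w+)"
)

@dataclass
class Conn:
    conn_id: str
    proto: str
    src: str                        # "ip/port" as logged
    dst: str
    duration: Optional[int] = None  # seconds; None while the flow is still open
    nbytes: Optional[int] = None
    reason: str = ""                # teardown reason; "" means a normal close

@dataclass
class Timeline:
    conns: Dict[str, Conn] = field(default_factory=dict)
    # (src, dst) -> packets denied because that flow had already been torn down
    stale_denies: Counter = field(default_factory=Counter)
    # (src, dst) -> packets denied with no Built message seen for that flow at all
    orphan_denies: Counter = field(default_factory=Counter)

def build_timeline(lines: List[str]) -> Timeline:
    """Replay the log in order, pairing Teardown/Deny messages with Built ones."""
    tl = Timeline()
    for raw in lines:
        line = raw.strip()
        m = BUILT_RE.match(line)
        if m:
            tl.conns[m["id"]] = Conn(m["id"], m["proto"], m["src"], m["dst"])
            continue
        m = TEARDOWN_RE.match(line)
        if m:
            conn = tl.conns.get(m["id"])
            if conn is None:
                continue  # built before the capture started; nothing to pair with
            conn.duration = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            conn.nbytes = int(m["bytes"])
            conn.reason = m["reason"] or ""
            continue
        m = DENY_RE.match(line)
        if m:
            key = (m["src"], m["dst"])
            closed = any((c.src, c.dst) == key and c.duration is not None
                         for c in tl.conns.values())
            if closed:
                tl.stale_denies[key] += 1  # client still sending on a dead session
            else:
                tl.orphan_denies[key] += 1
    return tl

def teardown_reasons(tl: Timeline) -> Dict[str, int]:
    """Count closed flows by teardown reason (e.g. 'SYN Timeout', 'TCP Reset-O')."""
    return dict(Counter(c.reason or "normal"
                        for c in tl.conns.values() if c.duration is not None))

def open_connections(tl: Timeline) -> List[str]:
    """IDs of flows that were built but never torn down within the log."""
    return [cid for cid, c in tl.conns.items() if c.duration is None]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG.splitlines())
    for c in tl.conns.values():
        state = ("open" if c.duration is None else
                 f"closed after {c.duration}s, {c.nbytes} bytes, {c.reason or 'normal'}")
        print(f"{c.conn_id} {c.proto} {c.src} -> {c.dst}: {state}")
    print("teardown reasons:", teardown_reasons(tl))
    print("denied on already-torn-down flows:", dict(tl.stale_denies))
    print("denied with no prior Built:", dict(tl.orphan_denies))
```

Two ASA conventions the script relies on: a "TCP Reset-O" teardown reason means the RST arrived from the outside (lower-security) side of the flow, and "Deny TCP (no connection)" means the packet matched no entry in the connection table. So a run of ACK denies on the same client port that was just torn down is the client continuing to use a session the firewall no longer holds, and the script reports it under stale_denies, separately from denies for which it never saw a Built message.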
10/09/09 06:12 PM, ID: 25540195 Expert Comment

10/12/09 11:10 AM, ID: 25553540 Author Comment

10/12/09 07:50 PM, ID: 25556644 Expert Comment

10/13/09 09:46 AM, ID: 25561774 Author Comment

10/13/09 09:53 AM, ID: 25561846 Expert Comment