Solved

Need help to solve why our site is slow behind firewall

Posted on 2007-03-21
17
344 Views
Last Modified: 2013-11-16
Looking for someone to help figure out what a checkpoint firewall does not like about our site.  We have a .Net 2.0 site and people behind certain firewalls are experiencing mega (1.5 minutes) load time.  Can anyone recommend a solution or would be willing to help?

Question by:mcannonmcannon
17 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18770221
I don't have any Checkpoint exposure but first of all, are you sure that checkpoint is the one which is causing this? If so, how did you arrive at that conclusion ?

Cheers,
Rajesh
0
 

Author Comment

by:mcannonmcannon
ID: 18770732
We have several customers experiencing the delays and the only thing I have found so far in common is the Checkpoint firewall.  Not saying that is the problem but certainly looks to be a good candidate.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18772281
just for clarification.  You are hosting the web server at your site.  People at outside sites behind checkpoint firewalls are experiencing slow connections.  People outside not behind checkpoint firewalls are ok?

I just want to make sure of this since I've actually never heard of this type of issue before.  The only thing I can think of right away is DNS not resolving correctly so it times out on a couple of servers before it gets to one with an answer it can use.  However, this should only cause a problem the first time as then subsequent loads should be faster as the DNS entry would be cached.

Can you confirm whether, after the site loads the first page, navigation goes smoothly or goes slow for every page?
0
 

Author Comment

by:mcannonmcannon
ID: 18774956
The site is hosted at a premium facility and yes, so far as we can determine, the only commonality is the checkpoint firewall.  Each page is slow when they are behind the firewall.  I have tested from 30+ locations and it is pretty fast, 3-5 seconds.

Thought maybe the firewall was doing some type of deep packet inspection and getting hung up on something.  Not sure.  Right now I am attempting to get some of the users to perform Netmon traces.

Any thoughts / ideas / recommendations are helpful
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18777065
One possible reason can be high fragmentation at firewall's side. What is the MTU set on the firewall for both incoming and outgoing interfaces ??

Cheers,
Rajesh
0
 

Author Comment

by:mcannonmcannon
ID: 18779188
A big issue is it's not our firewall but rather the customers'.  Other sites are fine for them as well and it is just our site having the issue.  Wondering if the firewall could be having an issue with the .net code.
0
 

Expert Comment

by:gatomalaco
ID: 18806256
Some questions (for better understanding ^_^ )

1- Which product and version of Checkpoint are you using?
2- Are you using appliances like Nokia's IPSO or any other vendor like Crossbeam? Or are you using a SecurePlatform distro?
3- Have you checked whether SmartDefense is applied in the rulebase? If you are using SmartDefense, how fast is your firewall microprocessor? How much RAM do you have? What is the NIC's brand and model?
4- In the rule base (security policy), which services are you allowing in the rule? (TCP, UDP and others? Which version of all of them?)
5- Have you tried to replicate this problem and scenario in a lab?

0
 

Author Comment

by:mcannonmcannon
ID: 18823108
gatomalaco - Did you read the posts?  It is NOT our firewall so I have very little information on it except to note that the few customers having the issue are behind Checkpoints.
0

 

Author Comment

by:mcannonmcannon
ID: 18823206
gatomalaco - Did you read the posts?  It is NOT our firewall so I have very little information on it except to note that the few customers having the issue are behind Checkpoints.
0
 

Author Comment

by:mcannonmcannon
ID: 18908463
Turns out it was an ISAPI filter causing all the issues.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 18909812
Could you be a bit more precise about on which side which ISAPI filter reduced the speed?

This site is also a knowledge base, and there will be others facing the same problems too.

Tolomir
0
 

Author Comment

by:mcannonmcannon
ID: 18926645
We had an ISAPI filter loaded on our IIS web server that helped our web analytics package.  We are not sure why it caused problems but removing it fixed the issue for them.  We are looking to see if we can determine what the issue with the ISAPI filter and the handful of our customers that were experiencing the issue was.  For now the solution is to not use the ISAPI filter.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 18931004
That's why I only use Apache, IIS has too many issues  ;)  jk, please don't flame me.

That is really bizarre though.  Just out of curiosity, how did you know to look at disabling the ISAPI filter?  Mainly just curious if you were trying random things or you had a reason to check it out (e.g. event logs, etc.).
0
 

Author Comment

by:mcannonmcannon
ID: 19684210
Did not realize it was still open. Sorry.  The issue, while only with Checkpoint Firewalls, turned out to be an ISAPI filter on IIS that was doing a reverse DNS lookup.  Not sure what the issue was but disabling the reverse DNS lookup solved the problem.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 19684437
ok, so I was right, dns lookups timing out.  However, I have no clue how the ISAPI reverse dns lookups work. It should still have loaded quicker on subsequent page loads as the dns resolving should have the failures cached as well as the successes.   Still quite odd that it was only Checkpoint firewalls. Either that or an unbelievable coincidence.
0
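The thread ends at a reverse DNS lookup performed in the request path, and the last reply expects failures to be cached as well as successes. As an added example (not code from the thread or from the analytics filter), this Python class bounds each lookup with a deadline and caches negative results too; the class name, timeout, TTL and the constructed resolver and addresses are assumptions.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout

class BoundedReverseDns:
    """Reverse DNS with a hard deadline; failures are cached like successes."""

    def __init__(self, resolver=socket.gethostbyaddr, timeout=0.5, ttl=300.0):
        self._resolver = resolver   # injectable so the demo runs offline
        self._timeout = timeout     # longest a request may wait for a PTR answer
        self._ttl = ttl             # lifetime of positive and negative entries
        self._cache = {}            # ip -> (expires_at, hostname or None)
        # A small pool caps how many slow lookups can be in flight at once.
        self._pool = ThreadPoolExecutor(max_workers=4)

    def lookup(self, ip):
        now = time.monotonic()
        hit = self._cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]           # cached answer, including cached failure
        future = self._pool.submit(self._resolver, ip)
        try:
            name = future.result(timeout=self._timeout)[0]
        except (LookupTimeout, OSError):
            name = None             # timed out or no PTR: caller keeps the bare IP
        self._cache[ip] = (now + self._ttl, name)
        return name

def demo():
    calls = []
    def constructed_resolver(ip):   # constructed stand-in for a PTR server slow to fail
        calls.append(ip)
        if ip == "203.0.113.7":
            time.sleep(1.0)
            raise socket.herror(1, "Unknown host")
        return ("client.example.net", [], [ip])
    rdns = BoundedReverseDns(resolver=constructed_resolver, timeout=0.2)
    t0 = time.monotonic()
    first = rdns.lookup("203.0.113.7")       # waits for the deadline, not the resolver
    first_cost = time.monotonic() - t0
    t1 = time.monotonic()
    second = rdns.lookup("203.0.113.7")      # served from the negative cache
    second_cost = time.monotonic() - t1
    ok = rdns.lookup("198.51.100.9")
    return first, first_cost, second, second_cost, ok, calls

if __name__ == "__main__":
    print(demo())
```
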
 

Accepted Solution

by:
AnnieMod earned 0 total points
ID: 19699547
PAQed with points refunded (500)

AnnieMod
Cleanup Admin
0
