ch_b
asked on
BlueCoat SG510 problem
Hello,
We are an educational company running arround 500 users (Windows XP) using Blue Coat SG510 for HTTP and HTTPs trffic. The problem is that some websites, like facebook start loading on the client machines and then hang or restart loading. While sniffing the input and the output traffic of the BlueCoat I found on the external interface an HTTP Retransmit comming after the HTTP Get. While on the input interface HTTP requests are comming normaly (No HTTP retransmit).
Is there any configuration or upgrade that should be done in order to prevent HTTP Retransmit from being sent.
Thank you.
We are an educational company running arround 500 users (Windows XP) using Blue Coat SG510 for HTTP and HTTPs trffic. The problem is that some websites, like facebook start loading on the client machines and then hang or restart loading. While sniffing the input and the output traffic of the BlueCoat I found on the external interface an HTTP Retransmit comming after the HTTP Get. While on the input interface HTTP requests are comming normaly (No HTTP retransmit).
Is there any configuration or upgrade that should be done in order to prevent HTTP Retransmit from being sent.
Thank you.
ASKER
Thank you for your help.
I have attached a snapshot showing the traffic capture.
What is happening at the output of the buecoat is a Get is sent from bluecaot to facebook and before receiving any reply from facebook a retransmit is sent.
untitled.JPG
I have attached a snapshot showing the traffic capture.
What is happening at the output of the buecoat is a Get is sent from bluecaot to facebook and before receiving any reply from facebook a retransmit is sent.
untitled.JPG
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I was trying to troubleshoot the problem and connected a PC directly to the same vlan of the external port of the bluecoat and i was able to browse normaly including facebook
Is the SG510 192.168.101.210? If so, what is providing the NAT? Is there any type of bandwidth throttling being done by the device that is doing the NAT?
When you connected the PC to the same VLAN, as the SG510, was it also going through the same box for NAT as the SG510 goes through?
Does the issue with FaceBook occur all of the time, some of the time, or most of the time??
When you did the packet capture where did you do it from? The picture of the trace you posted show that the packet is not getting to the SG510. This means that whatever is happening is happening outside of the SG510. That is the SG510 is the victim, not the cause.
If the SG510's traffic is going through something that is throttling traffic by "inside IP address", then the SG510 will have packets dropped more often than a PC on the same VLAN, as the SG510 would/should be generating more traffic.
When you connected the PC to the same VLAN, as the SG510, was it also going through the same box for NAT as the SG510 goes through?
Does the issue with FaceBook occur all of the time, some of the time, or most of the time??
When you did the packet capture where did you do it from? The picture of the trace you posted show that the packet is not getting to the SG510. This means that whatever is happening is happening outside of the SG510. That is the SG510 is the victim, not the cause.
If the SG510's traffic is going through something that is throttling traffic by "inside IP address", then the SG510 will have packets dropped more often than a PC on the same VLAN, as the SG510 would/should be generating more traffic.
ASKER
The 192.168.101.210. is the BlueCoat, it is connected to a firewall doing the NAT. The PC was going through the same firewall as the SG510. Facebook is not working all the time. The packet capture was on the Outside interface connected directly to the firewall.
We have the same topology (PCs connected to bluecoat connected to the same firewall) working without problems. The problem appears on a part of the network.
I agree with you that problem could be from the NAT but can I delay more the Retransmit message sent from the SG510 in order to know if this could resolve the problem (in case the response was delayed and not dropped, that what i'm expecting since i can receive other traffic)
We have the same topology (PCs connected to bluecoat connected to the same firewall) working without problems. The problem appears on a part of the network.
I agree with you that problem could be from the NAT but can I delay more the Retransmit message sent from the SG510 in order to know if this could resolve the problem (in case the response was delayed and not dropped, that what i'm expecting since i can receive other traffic)
Typically you can't change the delay time on retransmit. This is determined by the IP stack and actually I am surprised to see it wait almost 1.5 seconds. Normally this is in the 0.5 second or less range.
Is there anyway you can to a packet capture in-front of the firewall?
Or possibly sniff from the firewall?
Do you (can you) do bandwidth throttling on the firewall?
Is there anyway you can to a packet capture in-front of the firewall?
Or possibly sniff from the firewall?
Do you (can you) do bandwidth throttling on the firewall?
ASKER
I don't have access to the firewall. In all cases I think that the problem has been located in the delay of the response. I will try to find other way to resolve the delay.
I would like to ask you if I can see if there is errors on the interfaces of the bluecoat, I'm using PUTTY to telnet it.
Thank you
I would like to ask you if I can see if there is errors on the interfaces of the bluecoat, I'm using PUTTY to telnet it.
Thank you
I have never uses/admin'ed a BlueCoat device. If it is like most devices there should be something like show interface, which may show you stats for the interface.
If everything through this one SG510 is having problems, it could be that there is a mis-match on duplex between the SG510 and the switch port.
If everything through this one SG510 is having problems, it could be that there is a mis-match on duplex between the SG510 and the switch port.
If it is only happening on part of the network, it could be a collision domain issue.
Is that part of the network on a satellite switch or router, on longer cables, or on older cabling?
Is that part of the network on a satellite switch or router, on longer cables, or on older cabling?
If you see the response to the HTTP GET coming in from Face Book, do you see SG510 forwarding it to the Inside PC?
You state that " found on the external interface an HTTP Retransmit comming after the HTTP Get"
Can you be a little clearer? To me this means that on the external interface of the SG510 you saw a HTTP retransmit come in FROM Facebook to the SG510. If that is what you mean, did you ever see the ACK flow from the SG510 to face book for the prior packet? If not, did you ever see the ACK flow from the inside PC to the SG510.
InsidePC <- inside SG510 interface -> SG510 <- External SG510 Interface -> "The Internet"