Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ASP page slow in initial connection

Posted on 2008-06-13
5
Medium Priority
?
1,080 Views
Last Modified: 2013-11-16
Hi Experts,
I have a nasty question here which drives me crazy for the last week and I don't seem to get a answer from the net.
We just upgraded our datacenter, with a two new Firewalls, both a Juniper SSG-320m which run in HA.
I put some webservers and sqlserver in there and now the problem starts.
A regular unix machine with apache and PHP is fast as lightning, but in the same acces rule (port 80 untrust to front-end zone) a Windows 2003 IIS server hosting a heavy .aspx page takes literaly 21 seconds to load.
I see in my logs a session is created but the request to the server has a timeout of 20 seconds.
So even when I have stopped the application it takes 20 seconds to get the server error.
Yesterday I put the server directly on the net, and then the performance is fine, but now back behing the SSG's the error is there again. I had a play with the ALGS and virus detection, but it didn;t seem to work. Maybe it has something to do with the Adress translation.
Is anyone familiar with this problem or can tell me what to to, because I'm quite desperate.

500 for the winning answer.
0
Comment
Question by:RedAdvanced
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21784780
Frankly I am not sure what is causing the problem; but I think if you have turned ALG they might be causing the problem; can you check if you disable ALG then what is the behavior.
ALG does packet inspection and hence would introduce latency; latency is even introduced by the firewall itself; NAT, packet inspection and other things like antivirus would also cause latency.

As I said earlier I am not 100% sure, but would be interesting to see the results.

Thank you.
0
 
LVL 1

Author Comment

by:RedAdvanced
ID: 21801296
That's what I thought of aswell, but after turning off ALG for all known services the performance wasn't getting better.

I also turned of all packet filters, anti-virus etc. just to see it would make any diffrence, but no. Nothing seemed to have caused the latency.
0
 
LVL 1

Author Comment

by:RedAdvanced
ID: 21801301
What also needs to be mentioned, is that this firewall cluster is brand new. There are hardly other servers behind it that a DNS server and a apache webserver, which are actually running fine.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 21803720
I am sorry but I am not sure what else might be causing such a behavior; if linux works good so should windows; may be some other expert might have some suggestion.

Regards.
0
 
LVL 1

Accepted Solution

by:
RedAdvanced earned 0 total points
ID: 21844742
I have found the solution, and it was actually provided by a support tech @ Juniper (thanks Manish)

We had to set the "all-tcp-mss" option
The default explenation of this option is:

Sets the TCP-MSS (TCP-Maximum Segment Size) value for all TCP packets for
network traffic. This also sets the TCP-MSS for IPSec VPN traffic if the tcp-mss
option (described below) is not set. If you enter the set flow tcp-mss
command, that setting overrides the all-tcp-mss option for VPN traffic.
The TCP-MSS range can be from 0 to 65,535 bytes. By default, the
all-tcp-mss option is unset.

By setting the maximum segment size to 1320 the problem was gone.
0

Featured Post

[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a how to to configure a UCS Ethernet-uplink portchannel via the console. It is easy to do and can be done quite quickly. In certain versions of the UCS manager the portchannel has issues coming up and this is a workaround. I am…
Hello All, I have been training on Multicast for a while now and whenever I start the topic , I find out that my friends /  Colleagues mention that they do not know how to test Multicast Joins. As most of the multicast would be video traffic and …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …
Suggested Courses

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question