Solved

Website Loads Slowly Publicly (From some IPs) but is Fast Internally

Posted on 2009-04-10
Last Modified: 2012-05-06
Hi Experts,

I'm pretty proficient with websites and networks but I can't crack this problem. A couple of days ago, a user reported a website we host was running slow. The user was hitting the site over the public IP and sure enough it was painfully slow to load. I checked the server and it is fine on resources. Again, it's smoking fast internally. I get home and start working on it but the speed is suddenly good; I remoted into one of the servers at the office and it starts running painfully slow again across the public IP.

So, it's fine from some IPs outside the office, but not all sites (we have about 75 sites so I'm jumping onto their local servers to see if it can hit the site over the public IP).

So I'm thinking firewall/ACL problem (Cisco ASA 5510). The NAT rule is solid and the ACL looks fine.  I'm also NAT'ing OWA through the same ASA and it loads fine from the outside (I've got a different public IP/DNS for each site).  Pings and tracerts are all good. I also changed the clients to different public DNS servers just to make sure.

I wanted to rule out the ASA completely so I un-teamed the NICs, re-IP'd one of them with a public IP so it's [Cisco 2960 EDGE Switch] > [SERVER], disabled the internal IP. Pings fine on the new public IP, but IIS still hangs, but again only from certain areas. So this should rule out the ASA.

Before anyone asks, I tested the site with Firefox - still hangs.

From my house it's fine - tested from 2 machines including my laptop from work so I know it's not a Windows patch problem (same laptop used in the office to test where it's slow).

I've verified that Routing and Remote Access isn't running on the web server.

This is where it gets good: I started doing packet level traces and saw something. At sites where the page loads quickly, I see a handshake between the browser and server; the protocol is ISAKMP and the Info is "Identity Protection Main Mode". (The site is running on port 443 with a valid VeriSign SSL). I would see a few of these packets and then you can "see" the html data going back and forth.

Now doing the same packet level trace from a site that's running slowly shows something different. It shows quite a few more ISAKMP entries (10 or so), just back and forth between the server and the client. Now I'm not Cisco certified but I can fumble around and usually get something working but this has got me stumped. Oh yeah, this happens when the server is plugged directly into the Edge as well.

So the only difference between a page loading and not loading is these ISAKMP entries that I'm seeing. Also, when I load the page from its internal IP, I don't get these ISAKMP packets at all.

Bring on the answers!

Cheers,

David
Question by:it_david_glover
4 Comments
 
LVL 51

Expert Comment

by:tedbilly
ID: 24123249
I notice you didn't mention any frame buffering tests.  Are you seeing packet loss because of misaligned settings with the frame rates?  That can kill performance and will give intermittent results based on the route the client consumes.
 
LVL 3

Accepted Solution

by:n7okn (earned 500 total points)
ID: 24123384
We had the same problems. All I had to do is put in a static route in the default gateway router to point to the inside web address when the outside address was encountered.

ip route 216.230.137.41 255.255.255.255 172.27.4.16

Assuming 216.230.137.41 is the outside address, and 172.27.4.16 is the address for the inside web page.
 
LVL 1

Author Closing Comment

by:it_david_glover
ID: 31569124
Adding a static route at the remote sites fixed the problem - though I'm not exactly sure why adding a static route would tell the Router not to try to initiate an ISAKMP connection.

Thanks for the help!
 
LVL 1

Author Comment

by:it_david_glover
ID: 24359818
So we finally found the root cause of this issue that was impacting both internal and external users. I couldn't figure out why we were seeing the ISAKMP packets in the first place. I mentioned it to another friend (in IT) and he suggested I make sure the IPSEC service isn't running on the webserver. Sure enough it was, and once we disabled that, all problems went away for both internal and external users.

David
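
The packet-trace comparison described in this thread can be automated. The Python below is an added example, not code from any participant: it counts ISAKMP "Identity Protection" (Main Mode) packets per host pair and reports pairs that exceed the six messages one IKEv1 Main Mode negotiation needs. It assumes untagged Ethernet/IPv4 frames with ISAKMP on UDP port 500; the addresses and frames are constructed sample data, and the function names are hypothetical.

```python
import socket
import struct
from collections import Counter

MAIN_MODE = 2        # ISAKMP exchange type "Identity Protection" (IKEv1 Main Mode)
MAIN_MODE_MSGS = 6   # assumption used as threshold: one clean negotiation is six messages

def parse_isakmp(frame):
    """Return (src, dst, exchange_type) for an Ethernet/IPv4/UDP port-500 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 17 or len(ip) < ihl + 8 + 28:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if 500 not in (sport, dport):
        return None
    exchange_type = ip[ihl + 8 + 18]   # byte 18 of the 28-byte ISAKMP header
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), exchange_type

def main_mode_counts(frames):
    """Count Main Mode packets per unordered host pair."""
    counts = Counter()
    for frame in frames:
        parsed = parse_isakmp(frame)
        if parsed and parsed[2] == MAIN_MODE:
            counts[tuple(sorted(parsed[:2]))] += 1
    return counts

def repeated_negotiations(frames, expected=MAIN_MODE_MSGS):
    """Host pairs that exchanged more Main Mode packets than one negotiation needs."""
    return {pair: n for pair, n in main_mode_counts(frames).items() if n > expected}

def build_frame(src, dst, port=500, exchange_type=MAIN_MODE):
    """Constructed test frame: zeroed MACs, cookies and checksums; not a real capture."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 56, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", port, port, 36, 0)
    isakmp = bytes(16) + bytes([1, 0x10, exchange_type, 0]) + bytes(4) + struct.pack("!I", 28)
    return bytes(12) + b"\x08\x00" + ip + udp + isakmp

# Constructed sample (documentation addresses): one server, a fast and a slow remote client.
SERVER, FAST, SLOW = "192.0.2.10", "198.51.100.20", "203.0.113.30"
SAMPLE = [build_frame(*(p if i % 2 == 0 else p[::-1]))
          for p, n in (((FAST, SERVER), 6), ((SLOW, SERVER), 10)) for i in range(n)]
SAMPLE.append(build_frame(FAST, SERVER, port=443))   # non-ISAKMP port, must be ignored

if __name__ == "__main__":
    print(repeated_negotiations(SAMPLE))
```

Any port-500 traffic at all toward a host that is only meant to serve HTTPS is worth investigating, since it indicates an IPsec policy agent is negotiating on that host.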