Incorrect ACL Configuration Causes Slow Web Page Access Speed

Publication Date: 2015-07-03
Issue Description
Network Topology:

Service overview:
The USG functions as the egress gateway between the intranet and the Internet. Traffic from intranet users passes through outbound NAT on the USG to reach Internet services. Strict ACL packet filtering is configured on the USG so that intranet users can access only certain websites.


When intranet users access a music website, the access speed is slow: it takes about 20 seconds to open the page. However, ping shows short latency and no packet loss.
Handling Process
Packet loss on the link or a slow server may cause slow website access. However, ping latency is short and no packets are lost, so the link is not at fault. Capture packets to check whether the HTTP service provided by the server is slow, and analyze the capture to determine whether the server responds slowly to GET requests. The packet capture result is as follows:

The captured packets show that the client requests the next file, thickbox-compressed.js, 21 seconds after requesting window.js, even though the window.js request had already been answered. Internet Explorer was used to fetch the resource files on the website. The capture also shows that, before requesting thickbox-compressed.js, the client accesses other addresses. Check whether strict packet filtering causes those accesses to fail and delays the next request by 21 seconds. Compare the configurations. The result shows that cannot be accessed. Use a PC to access this website and capture packets. The comparison result is as follows:

Between the request for window.js and the request for thickbox-compressed.js, the client requests ga.js. The client repeatedly requests ga.js from another server, but packet filtering does not allow access to that server, so the requests for ga.js fail. After multiple attempts, the client gives up and requests the next resource. This causes the described symptom.

Modify the ACL to allow access to the addresses involved in the packet capture, such as,,,, and The problem no longer occurs.
Root Cause
The web page contains resources hosted on multiple servers, and packet filtering blocks access to some of them. When the client fetches these resources in sequence, the blocked requests must fail and be retried before the client moves on, so the page loads very slowly.
Capture packets to identify the server IP addresses required for accessing the website, and modify the ACL to allow access to those IP addresses.
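The analysis above (a long gap between two answered requests, filled by repeated unanswered requests to a server the ACL blocks) and the remediation step (listing every server the page load touches so the ACL can permit them) can be scripted once the capture has been reduced to one record per HTTP request. The following Python script is an added example and is not part of the original case; it runs on constructed records that stand in for the parsed capture, the IP addresses are documentation-range placeholders rather than values from the case, and the 5-second gap threshold is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """One client request seen in the capture (t = seconds since the first request)."""
    t: float
    dst: str        # server IP the request was sent to
    uri: str
    answered: bool  # True if the server's response was seen in the capture


# Constructed sample mirroring the case: window.js is answered at once, three attempts to
# fetch ga.js from a second server get no reply, and thickbox-compressed.js is only
# requested 21 s later. IPs are placeholders (RFC 5737 ranges), not values from the case.
SAMPLE = [
    HttpRequest(0.00, "198.51.100.10", "/js/window.js", True),
    HttpRequest(0.15, "203.0.113.7", "/ga.js", False),
    HttpRequest(3.15, "203.0.113.7", "/ga.js", False),
    HttpRequest(9.15, "203.0.113.7", "/ga.js", False),
    HttpRequest(21.20, "198.51.100.10", "/js/thickbox-compressed.js", True),
]


def find_gaps(requests, threshold_s=5.0):
    """Consecutive answered requests separated by more than threshold_s seconds.

    Returns (previous_uri, next_uri, gap_seconds). A long gap inside one page load is
    the symptom to look for; ping latency says nothing about it.
    """
    answered = sorted((r for r in requests if r.answered), key=lambda r: r.t)
    return [
        (a.uri, b.uri, round(b.t - a.t, 2))
        for a, b in zip(answered, answered[1:])
        if b.t - a.t > threshold_s
    ]


def unanswered_by_server(requests):
    """Map server IP -> number of requests to it that never got a response (retry count)."""
    counts = defaultdict(int)
    for r in requests:
        if not r.answered:
            counts[r.dst] += 1
    return dict(counts)


def explain_gaps(requests, threshold_s=5.0):
    """For each long gap, list the unanswered requests that fall inside it.

    Result items: (gap_seconds, {server_ip: [uri, ...]}). A gap filled with repeated
    unanswered requests to one server points at that server as the filtered destination.
    """
    by_time = sorted(requests, key=lambda r: r.t)
    answered = [r for r in by_time if r.answered]
    result = []
    for a, b in zip(answered, answered[1:]):
        if b.t - a.t <= threshold_s:
            continue
        inside = defaultdict(list)
        for r in by_time:
            if a.t < r.t < b.t and not r.answered:
                inside[r.dst].append(r.uri)
        result.append((round(b.t - a.t, 2), dict(inside)))
    return result


def servers_to_permit(requests):
    """Sorted set of every server IP the page load touched: the candidate list for the ACL."""
    return sorted({r.dst for r in requests})


if __name__ == "__main__":
    for gap, blocked in explain_gaps(SAMPLE):
        print(f"{gap}s gap; unanswered requests inside it: {blocked}")
    print("unanswered requests per server:", unanswered_by_server(SAMPLE))
    print("servers the ACL must permit:", servers_to_permit(SAMPLE))
```

In practice the records come from exporting the HTTP requests of one page load (timestamp, destination IP, URI, and whether a response was seen) from the capture tool; the script then reports which destination filled the gap, and `servers_to_permit` gives the full list to check against the ACL rather than only the one server that was noticed first.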