Slow Network Access Due to an Incorrectly Configured Interzone Policy

Publication Date: 2015-07-03
Issue Description
Networking:

The USG serves as an egress gateway connecting the intranet to the public network. Intranet users access public network services through the USG that has outbound NAT enabled. A strict packet filtering policy is configured on the USG to allow intranet users to access only specific websites.

Fault Symptom:

It takes over 20 seconds for an intranet user to open a music website. A ping test to the website's domain name is then performed, and no exception is found.
Handling Process
Slow Internet access may be caused by packet loss over links or by poor server performance. As no exception is found during the ping test, the link is working properly, so the server performance is checked next. An analysis of captured packets shows that the server responds slowly to the GET request from a client. Information about the captured packets is as follows:

The preceding information shows that the client requests thickbox-compressed.js 21 seconds after requesting window.js, even though the server has already responded to the window.js request. It is suspected that the client is not working properly and does not send a request for a long period. Because Internet Explorer obtains resource files one by one, check whether the client accesses other URLs before requesting thickbox-compressed.js, and check whether that access fails because of the strict packet filtering. Use a PC to ping address 203.208.37.22. The ping result is as follows:

The client requests ga.js in the interval between the window.js and thickbox-compressed.js requests. The ga.js request, however, is blocked by the interzone packet filtering policy, so the client retries it many times. As a result, Internet access is slow.
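As an added illustration (not from the original article), the following Python script applies the same reasoning to a constructed request timeline: it flags servers whose GETs never receive a response and reports stalls between answered requests, together with the unanswered requests that fall inside each stall. The timeline, the 198.51.100.10 address and the 5-second stall threshold are assumptions; the 203.208.37.22 address and the 21-second gap come from the article.

```python
from collections import defaultdict

# Constructed capture: (seconds since start, kind, destination IP, URL).
# 198.51.100.10 is a placeholder for the music site; 203.208.37.22 is the
# blocked ga.js server from the article. No RESP ever arrives for ga.js.
CAPTURE = [
    (0.0, "GET", "198.51.100.10", "/window.js"),
    (0.1, "RESP", "198.51.100.10", "/window.js"),
    (0.2, "GET", "203.208.37.22", "/ga.js"),
    (3.2, "GET", "203.208.37.22", "/ga.js"),    # retry, still no reply
    (9.2, "GET", "203.208.37.22", "/ga.js"),    # another retry
    (21.2, "GET", "198.51.100.10", "/thickbox-compressed.js"),
    (21.3, "RESP", "198.51.100.10", "/thickbox-compressed.js"),
]


def _split(capture):
    """Return the set of (ip, url) pairs that got a response and the GET list."""
    answered = {(ip, url) for _, kind, ip, url in capture if kind == "RESP"}
    gets = [(t, ip, url) for t, kind, ip, url in capture if kind == "GET"]
    return answered, gets


def find_blocked_servers(capture):
    """Map each destination IP to the number of GETs that were never answered.

    Repeated unanswered GETs to one IP are the signature of a server that
    the interzone policy silently drops."""
    answered, gets = _split(capture)
    counts = defaultdict(int)
    for _, ip, url in gets:
        if (ip, url) not in answered:
            counts[ip] += 1
    return dict(counts)


def find_stalls(capture, threshold=5.0):
    """List (gap_s, prev_url, next_url, unanswered) for gaps between
    consecutive answered GETs longer than threshold seconds."""
    answered, gets = _split(capture)
    stalls, last_ok, pending = [], None, []
    for t, ip, url in gets:
        if (ip, url) in answered:
            if last_ok is not None and t - last_ok[0] > threshold:
                stalls.append((round(t - last_ok[0], 1), last_ok[1], url, list(pending)))
            last_ok, pending = (t, url), []
        else:
            pending.append(f"{ip}{url}")   # unanswered request inside the gap
    return stalls
```

Running `find_stalls(CAPTURE)` on this timeline reports one stall of 21.2 s between window.js and thickbox-compressed.js, filled by three unanswered ga.js requests to 203.208.37.22; that IP is what needs to be added to the interzone policy.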

The fault is rectified after the interzone packet filtering policy is modified.
Root Cause
The page references resources hosted on multiple servers, some of which are inaccessible because of the packet filtering policy. Clients retry access to these servers several times, causing slow Internet access.
Solution
Identify the IP addresses of the servers that host the page's resources and modify the interzone packet filtering policy so that these IP addresses are accessible.

In addition, the heartbeat link is also the channel for backing up configuration commands and status information. If a large amount of information needs to be synchronized between the two firewalls and it consumes much of the bandwidth, heartbeat packets may be discarded.
