No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Incorrect ACL Configuration Causes Slow Web Page Access Speed

Publication Date:  2019-07-04 Views:  897 Downloads:  0

Issue Description

Network Topology:

Service overview:
The USG functions as the egress gateway between the intranet and Internet. Access from intranet users goes through the NAT outbound procedure on the USG to access Internet services. Strict ACL packet filtering is configured on the USG to allow intranet users to access only some websites.


When intranet users access a music website, the access speed is slow. It takes about 20 seconds to open the website. However, in the ping operation, the latency is short, and no packets are discarded.

Handling Process

Packet loss on the link or low access speed on the server may cause the slow website access. However, the latency in ping operation is short and no packets are discarded. Therefore, the link does not have any fault. Copy packets to check whether the HTTP service that the server provide is slow. Analyze the tested packets to determine whether the server responds slowly to the Get request. The packet tested result is as follows:

The tested packets show that the client requests for next file thickbox-compressed.js 21 seconds later after the request for window.js. At this time, the window.js request has been responded. Use the Internet Explorer to obtain resource files on the website. The tested packets show that before the client requests for thickbox-compressed.js, the client accesses other addresses. Check whether strict packet filtering causes the access failure and delays other requests for 21 seconds. Compare the configurations. The result shows that cannot be accessed. Use a PC to access this website and copy packets. The comparison result is as follows:

The client requests for ga.js after request for window.js and before request for thickbox-compressed.js. The client has been requesting for ga.js from another server, but access to the server is not allowed by the packet filtering. Therefore, request for ga.js fails. The client skips the request after multiple attempts to request for the next resource. Therefore, the described symptom occurs.

Modify the ACL to allow access to addresses involved in the packet tested, such as,,,, and The problem does not occur.

Root Cause

The web page contains resources on multiple servers, and some servers are prevented from accessing because of packet filtering. Therefore, when a client attempts to access the resource successively, the access speed is very slow.


Copy packets to analyze the server IP addresses required for accessing the website and modify the ACL to allow access to these IP addresses.