Handling Process
1. NAT is configured on the firewall. Web pages take several seconds to open from PCs connected to the firewall. When the firewall or a PC pings the Internet with 3972-byte packets, no packet is discarded. When the firewall or a PC pings the Internet with packets of 3973 bytes or more, packets are discarded.
<USG> ping -s 3972 192.168.0.26
13:48:27 2013/05/29
PING 192.168.0.26: 3972 data bytes, press CTRL_C to break
Reply from 192.168.0.26: bytes=3972 Sequence=1 ttl=64 time=10 ms
Reply from 192.168.0.26: bytes=3972 Sequence=2 ttl=64 time=1 ms
Reply from 192.168.0.26: bytes=3972 Sequence=3 ttl=64 time=1 ms
Reply from 192.168.0.26: bytes=3972 Sequence=4 ttl=64 time=1 ms
Reply from 192.168.0.26: bytes=3972 Sequence=5 ttl=64 time=1 ms
--- 192.168.0.26 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms
<USG> ping -s 3973 192.168.0.26
13:48:36 2013/05/29
PING 192.168.0.26: 3973 data bytes, press CTRL_C to break
Request time out
2. Defense against large ICMP packets is enabled on the firewall. The default size of a large ICMP packet is 4000 bytes. Packets longer than 4000 bytes are discarded. This is consistent with the boundary seen in step 1: a 3972-byte ping payload plus the 8-byte ICMP header and the 20-byte IPv4 header is 4000 bytes. After defense against large ICMP packets is disabled on the firewall, large ping packets can be transmitted.
3. Change the TCP MSS on the firewall to 1200 using the firewall tcp-mss 1200 command and continue to test Internet access services. Internet access is still slow.
4. Check outgoing traffic.
[USG] display interface Ethernet 0/0/0
14:04:44 2013/05/29
Ethernet0/0/0 current state : UP
Line protocol current state : UP
Ethernet0/0/0 current firewall zone : untrust
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 60.13.x.y/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a103-b597
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is force link
Output flow-control is unsupported, input flow-control is unsupported
QoS max-bandwidth : 100000 kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 1552832 bits/s, 268 packets/s ---->Downstream 1.5M
Last 300 seconds output rate 570448 bits/s, 226 packets/s ------>Upstream 0.5M
Input: 3130297 packets, 2716622072 bytes
0 broadcasts(0.00%), 0 multicasts(0.00%)
0 runts, 0 giants,
0 errors, 0 CRC,
0 collisions, 0 late collisions, 0 overruns,
0 jabbers, 0 input no buffers, 0 Resource errors,
0 other errors
Output:2368780 packets, 719977662 bytes
0 errors, 0 late collisions,
0 underruns, 0 retransmit limits
Check whether the fault is caused by a bandwidth limit.
5. According to field engineers, the users have only 2 Mbit/s of bandwidth. Therefore, network access is slow. Users need to apply for higher bandwidth.
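The check in steps 4 and 5 can be scripted. The following is an added example, not part of the original case or of any Huawei tool: it parses the rate, queue and error lines from the display interface output and compares them with the subscribed bandwidth. The function name assess_link, the 70% busy threshold and the reading of 2 Mbit/s as a per-direction rate are assumptions.

```python
import re

# Constructed sample: the rate and counter lines from the output in step 4.
SAMPLE = """\
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 1552832 bits/s, 268 packets/s
Last 300 seconds output rate 570448 bits/s, 226 packets/s
Input: 3130297 packets, 2716622072 bytes
0 errors, 0 CRC,
Output:2368780 packets, 719977662 bytes
0 errors, 0 late collisions,
"""

RATE_RE = re.compile(r"Last \d+ seconds (input|output) rate (\d+) bits/s")
QUEUE_RE = re.compile(r"\((\w+) queue : Size/Length/Discards\) \d+/\d+/(\d+)")
ERR_RE = re.compile(r"^\s*(\d+) errors", re.M)


def assess_link(text, subscribed_bps, busy_ratio=0.7):
    """Summarise a 'display interface' dump against the subscribed rate.

    subscribed_bps and busy_ratio are assumptions supplied by the caller.
    """
    rates = {d: int(bps) for d, bps in RATE_RE.findall(text)}
    if not rates:
        raise ValueError("no 'Last N seconds ... rate' lines found")
    util = {d: bps / subscribed_bps for d, bps in rates.items()}
    discards = sum(int(n) for _, n in QUEUE_RE.findall(text))
    errors = sum(int(n) for n in ERR_RE.findall(text))
    clean = discards == 0 and errors == 0
    busy = [d for d, u in util.items() if u >= busy_ratio]
    if clean and busy:
        verdict = "bandwidth-limited"      # healthy port, saturated service
    elif not clean:
        verdict = "check-interface-faults"  # drops or errors on the port
    else:
        verdict = "look-elsewhere"          # neither congestion nor faults
    return {"utilisation": util, "discards": discards,
            "errors": errors, "verdict": verdict}


if __name__ == "__main__":
    report = assess_link(SAMPLE, subscribed_bps=2_000_000)
    for direction, u in report["utilisation"].items():
        print(f"{direction}: {u:.1%} of subscribed rate")
    print("verdict:", report["verdict"])
```

The interface itself negotiates 100 Mbit/s, so the comparison only points to congestion when it is made against the subscribed rate rather than the port speed.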
Root Cause
The cause of this fault is that user bandwidth is too low.
Solution
Advise users to apply for higher bandwidth.