How to determine reasons for slow Internet/network performance
Hi team
I hope someone is able to help me out with a problem that's beginning to generate more and more noise.
We have an office in Hong Kong. Internet traffic goes out via a local Bluecoat proxy and out through local Internet breakout. For the past 7 days, they are reporting that the Internet has been very slow between the hours of 2pm-6pm HK time - that's 7am-11am UK time.
I've checked with the ISP and carried out thorough checks on the Bluecoat and everything appears to be ok. I downloaded some packet captures from the Bluecoat itself but cannot see anything obvious (I'm fairly new to Wireshark). Would you be kind enough to have a look through and see if there's any clue as to what may be causing these issues please?
Many thanks in advance.
B
Capture can be found here: https://www.dropbox.com/s/tbzdkyb19zk...
Is that going through a web proxy?
If so, have you checked the logs/statistics on it?
The responses from 10.0.88.100 (Bluecoat proxy?) to HTTP requests are very slow (up to 25 seconds). Everything else like the 3-way-handshake and TLS communication is fast and looks fine.
Have you checked the availability and the response time of the DNS resolvers that are configured in the Bluecoat settings during the issue?
Many thanks for your replies. I will check the DNS server now but then also early Monday morning as that's when the issue is likely to occur. Many thanks for your opinions. Hopefully I will have good news on Monday. By the way JasMan, yes the Bluecoat proxy is 10.0.88.100.
Hi guys. I'm looking at performance issues again. Below is the link to the packet capture, filtered just on the DNS server 10.88.20.200 - do you see anything suspect in here?
https://www.dropbox.com/s/smrdc8252aa...
I'm still seeing very slow Internet performance so I've asked the server guys to log on to the server and check there's nothing wrong from a hardware/memory perspective.
The Dropbox link doesn't work for me. 404.
Hi JasMan, that's strange. Sorry about that, can you try this one please?
https://www.dropbox.com/s/3mk9a4w98c7...
This capture was done around an hour ago and is unfiltered https://www.dropbox.com/s/shh4dgd4803...
@balcee: DNS looks fine. Some queries need up to 5 seconds, but that is far away from the HTTP response times that I saw in your first capture.
The second capture contains only some multicasts from your phones (I guess), but nothing from/to the Internet.
Is there a way to capture the complete traffic of the Bluecoat proxy, so that we can see the HTTP queries from the client, the DNS requests and the WAN traffic also? Of course during the time when the issue occurs.
Ok many thanks. I will pull down another capture tomorrow morning. I'm running the packet capture from the built in tool on the Bluecoat. The filter I'm setting is ip host 10.0.88.100 - is this ok or is it better doing an unfiltered capture?
If possible, I will also do a capture from a client on the same network.
Thanks for your help on this. Hopefully, we'll get to the bottom of it soon... :)
Let us try an unfiltered capture to be sure that we will see everything that's going on at this part of the network.
@JasMan
More captures here: https://www.dropbox.com/s/2mngq0dux6e...
The slowness is happening right now; these captures were recorded in the last 30-45 minutes. Key info:
Bluecoat Proxy: 10.0.88.100
Domain Controller: 10.88.20.200
Hi JasMan, we're still having these issues in Hong Kong. The local Bluecoat Proxy has been completely bypassed now and we're using the WSS cloud solution. I'm beginning to think this is more DNS related.
Would you mind looking at this capture. I'm unable to browse to demo.threatpulse.com from this office - hopefully this capture got the key info.
https://www.dropbox.com/s/4x8flsl2a0l...
Is there anything in here that looks wrong to you?
Many thanks B
Hey @balcee, DNS is not the problem here. You will find the DNS request for demo.threatpulse.com in packet 366 and the response in packet 368, only 0.0075 seconds later. Another 0.13 seconds later the client 10.88.129.45 sends its HTTP request to the proxy at 10.0.88.112 (tcp.stream == 9). The traffic between them is fine. No big delays. The issue here is that the client hasn't been authenticated at the proxy. You should have seen this message:
Access Denied Your credentials could not be authenticated: "The specified Client-ID Agent session does not exist.". You will not be permitted access until your credentials can be verified. This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
Does this happen all the time, only for this URL or at the same times as ...(more)
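The per-hop timing JasMan reads off the captures (DNS request/response delta, HTTP request/response delta per tcp.stream) can be reproduced over a whole capture rather than by eyeballing packets. This is an added example, not code from the thread; it assumes the capture was first exported with `tshark -T fields` (command in the docstring), and the rows below are constructed sample data modelled on the packets described above (366/368 for DNS, stream 9 for HTTP).

```python
"""Find the slow hop in a capture: DNS resolution vs. proxy HTTP response.

Assumed export command (tshark field names are real; boolean fields are
assumed to print as 0/1, which depends on the tshark version):
  tshark -r capture.pcap -Y "dns or http" -T fields -E separator=, \
    -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
    -e tcp.stream -e dns.id -e dns.flags.response -e http.request -e http.response
"""
import csv
import io

# Constructed rows: frame,t,src,dst,stream,dns.id,dns.resp,http.req,http.resp
SAMPLE = """\
366,10.0000,10.88.129.45,10.88.20.200,,0x1a2b,0,,
368,10.0075,10.88.20.200,10.88.129.45,,0x1a2b,1,,
371,10.1375,10.88.129.45,10.0.88.100,9,,,1,
402,35.2000,10.0.88.100,10.88.129.45,9,,,,1
410,36.0000,10.88.129.45,10.88.20.200,,0x1a2c,0,,
415,41.2000,10.88.20.200,10.88.129.45,,0x1a2c,1,,
"""

def response_times(export_text):
    """Pair each request with its response; DNS by transaction id, HTTP by tcp.stream.
    Returns (kind, key, request_frame, response_frame, delay_seconds) tuples."""
    pending, results = {}, []
    for row in csv.reader(io.StringIO(export_text)):
        frame, t, src, dst, stream, dns_id, dns_resp, http_req, http_resp = row
        frame, t = int(frame), float(t)
        if dns_id:
            if dns_resp == "0":
                pending[("dns", dns_id)] = (frame, t)
            elif ("dns", dns_id) in pending:
                f0, t0 = pending.pop(("dns", dns_id))
                results.append(("dns", dns_id, f0, frame, round(t - t0, 4)))
        elif stream:
            if http_req == "1":
                pending[("http", stream)] = (frame, t)
            elif http_resp == "1" and ("http", stream) in pending:
                f0, t0 = pending.pop(("http", stream))
                results.append(("http", f"stream {stream} via {src}", f0, frame, round(t - t0, 4)))
    return results

def slow_hops(export_text, dns_limit=1.0, http_limit=5.0):
    """Keep only exchanges over the per-kind threshold, slowest first."""
    limits = {"dns": dns_limit, "http": http_limit}
    slow = [r for r in response_times(export_text) if r[4] > limits[r[0]]]
    return sorted(slow, key=lambda r: r[4], reverse=True)
```

On the sample, `slow_hops(SAMPLE)` ranks the 25 s proxy response on stream 9 ahead of the 5.2 s DNS answer, which is the same ordering of suspects JasMan reached from the first two captures.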
Hey @balcee, were you able to solve the issue?