How to determine reasons for slow Internet/network performance

asked 2020-05-15 10:36:40 +0000

balcee
1 ●2 ●6 ●5

Hi team

I hope someone is able to help me out with a problem that's beginning to generate more and more noise.

We have an office in Hong Kong. Internet traffic goes out via a local Bluecoat proxy and out through local Internet breakout. For the past 7 days, they are reporting that Internet has been very slow between the hours of 2pm-6pm HK time - that's 7am-11am UK time.

I've checked with the ISP and carried out thorough checks on the Bluecoat and everthing appears to be ok. I downloaded some packet captures from the Bluecoat itself but cannot see anything obvious (I'm fairly new to Wireshark). Would you be kind enough to have a look through and see if there's any clue as to what may be causing these issues please?

Many thanks in advance.

Comments

Capture can be found here: https://www.dropbox.com/s/tbzdkyb19zk...

balcee ( 2020-05-15 10:39:50 +0000 )edit

Is that going through a web proxy?
If so, have you check the logs/statistics on it?

Chuckc ( 2020-05-15 15:37:23 +0000 )edit

The responses from 10.0.88.100 (Bluecoat proxy?) to HTTP requests are very slow (up to 25 seconds). Everything else like the 3-way-handshake and TLS communication is fast and looks fine.

Have you checked the availability and the response time of the DNS resolvers that are configured in the Bluecoat settings during the issue?

JasMan ( 2020-05-15 15:47:29 +0000 )edit

Many thanks for your replies. I will check the DNS server now but then also early Monday morning as that's when the issue is likely to occur. Many thanks for your opinions. Hopefully I will have good news on Monday. By the way JasMan, yes the Bluecoat proxy is 10.0.88.100.

balcee ( 2020-05-15 17:34:37 +0000 )edit

Hi guys. I'm looking at performance issues again. Below is the link to the packet capture, filtered just on the DNS server 10.88.20.200 - do you see anything suspect in here?

https://www.dropbox.com/s/smrdc8252aa...

I'm still seeing very slow Internet performance so I've asked the server guys to log on to the server and check there's nothing wrong from a hardware/memory perspective.

balcee ( 2020-05-18 06:49:50 +0000 )edit

see more comments

answered 2020-05-19 11:37:44 +0000

JasMan

81 ●1 ●21 ●11

Hey @balcee, Thank you for the captures. Due to the fact that the delay tooks mostly about 15-25 seconds, and the capture itself contains only 20 seconds of traffic, it was a little bit difficult to find a conversation, which outbound (WAN) and inbound (LAN) traffic is included in the capture. But I've found one :)

The file HK_Bluecoat_190520_0845.cap contains a HTTP request from the client 10.88.129.242 for www.gstatic.com in TCP stream 399. The proxy receives the request and ACKs it immediatly. But it tooks about 17 seconds until the client receives the HTTP response from the proxy.

When we look onto the WAN side, we will find the outgoing traffic for www.gstatic.com in TCP stream 1950. Due to the frame time it was send out 17 seconds later as the request was received on the LAN side. The HTTP response from gstatic.com comes immediatly, so the WAN line is not the issue here. The frame time of the external HTTP response from gstatic.com is nearly the same, as the frame time of the internal HTTP response that the client 10.88.129.242 receives from the proxy. That means the way back is also fine.

The captures of the DNS traffic are from another time range, so I was not able to find the matching DNS request for this connection. But all DNS responses are more or less fast, so I don't think that this is the cause for the delays.

In my opinion the Bluecoat proxy is the cause, because he delayed the outgoing request for unknown reason. I recommend to check the logs again. There must be a hint why the proxy delayed the outgoing request.

edit flag offensive delete link

Comments

Wow, that is amazing. I would never have seen that! I'm looking at 399 but cannot see www.gstatic.com - where would I see that?

I will run further logs. Are there any specific filters that could help?

balcee ( 2020-05-19 12:02:29 +0000 )edit

You can see the requested URL in the details of the packet, or by adding a colume "http.host or tls.handshake.extensions_server_name".

If possible I would search in the logs for the named request from 10.88.129.242.

I've found another hint: right after the proxy received the query from the client, he tries to connect to 165.160.13.20 and 165.160.15.20 without success (only SYN, no SYN/ACK). The queries fit in the timerange of the delay. Maybe coincidence, or maybe a Bluecoat server for further checks.

JasMan ( 2020-05-19 12:28:05 +0000 )edit

165 address is interesting. Ok thanks, I will go back and investigate further. This is our Hong Kong office so I will have to wait another 10 hours before users are back in the office. Thank you

balcee ( 2020-05-19 12:39:43 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

How to determine reasons for slow Internet/network performance

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How to determine reasons for slow Internet/network performance edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How to determine reasons for slow Internet/network performance