
website slowness with DHCP Cable Modem



Not applicable

I recently installed a PA-200 and many websites are either very slow to load or have to be refreshed multiple times in the browser.  Tried multiple browsers so not browser specific.  Running a PA-200 with DHCP to Time Warner on the Untrusted interface.  PA support had me change the MTU size on the untrusted interface to 1452 and also check "Adjust TCP MSS" but I am still seeing the issue.  I'm on 5.05 and have url filtering turned off.  Any ideas?

thanks

1 accepted solution

Accepted Solutions

L4 Transporter

DanLukas

Do you have one or more routes pointing 0.0.0.0 to your next hop router?

In other words, I have seen people program their own 0.0.0.0/0 route, pointing to their ISP's router.

I am curious if you did the same?


16 replies

L3 Networker

Hi,

Have you directly connected the PA-200 to the cable modem or is there a switch in between? If there is a switch in between, please check that the interface configuration on the Palo Alto device is auto/auto/auto. If there is a mismatch on the switch port to which the PA-200 is connected, you might see this issue. Doing a packet capture on the firewall and looking at the MSS negotiation will shed more light on this issue.

Deepak

It is directly connected to the cable modem. I had an ASA connected in the same manner and just swapped it with the PAN about a week ago. The trust interface is connected to a Cat 3560.

L3 Networker

As a test, ping a DNS server from the untrust interface, ping from the trust interface on the firewall, and then from a host on the internal network.

Compare the ping results to check for discrepancies.

L7 Applicator

Hi,

Could you please take a capture on your laptop and on the firewall ingress interface. Compare both captures and check if there are any TCP re-transmissions/TCP NACKs.

Thanks

Subhankar

L5 Sessionator

Can you paste the o/p of the following CLI command:

> show interface all

> show running nat-policy

Is Zone-protection enabled on the inside interface?

Here are the 2 outputs:

admin@PA-200> show interface all

total configured hardware interfaces: 5
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    100/full/up               b4:0c:25:22:fa:10
ethernet1/2             17    1000/full/up              b4:0c:25:22:fa:11
vlan                    1     [n/a]/[n/a]/up            b4:0c:25:22:fa:01
loopback                3     [n/a]/[n/a]/up            b4:0c:25:22:fa:03
tunnel                  4     [n/a]/[n/a]/up            b4:0c:25:22:fa:04

aggregation groups: 0

total configured logical interfaces: 5
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         16    1    untrust          vr:Internal              0      65.30.22.29/19
ethernet1/2         17    1    trust            vr:Internal              0      10.1.99.1/24
vlan                1     1                     N/A                      0      N/A
loopback            3     1                     N/A                      0      N/A
tunnel              4     1                     N/A                      0      N/A

admin@PA-200> show running nat-policy

Internet-NAT {
        from trust;
        source any;
        to untrust;
        to-interface ethernet1/1 ;
        destination any;
        service  any/any/any;
        translate-to "src: ethernet1/1 65.30.22.29(*) (dynamic-ip-and-port) (pool idx: 1)";
        terminal no;
}

How many entries do you see in the ARP table for ethernet1/1 (65.30.22.29/19)?

Execute the CLI command: > show arp ethernet1/1

Check "total ARP entries shown :"

L5 Sessionator

I see that the speed on the eth1/1 is 100 Mbps. Is that the right setting, or can it be hard coded to 1000?

Can you also verify the DNS server settings on the firewall? Is it being inherited from the DHCP server on the modem? If so, can you try with an internal DNS server or a global DNS server like 4.2.2.2 or 8.8.8.8 to see if it makes a difference?

Device---> setup--> services.

BR,

Karthik RP

The cable modem is 10/100 and can't do 1000. In Services I did change DNS to an internal 10.x DNS server and have the same issue. Support had me change the MTU to 1360 but I am still showing the same signs. Sites with either a lot of graphics or links are hit and miss, like cnn.com. I've even changed the MTU on a couple of Macs with the same results. If I look at the eth1/1 interface it does grab a DNS server from the upstream Time Warner router. I don't know how I can hard code that since it is configured as a DHCP client. Here is the screen shot of that.

The DNS server settings configured under Device---> setup--> services supersede the DNS server settings received from the DHCP server on the untrust interface.

So you could try with these server settings to see if it makes a difference (you can configure your internal DNS server or use the public DNS servers 4.2.2.2 or 8.8.8.8).

I would recommend keeping the MSS at 1360 only if the default route points out on a tunnel interface (accessing the internet through an IPsec tunnel terminating on another firewall, which then routes the traffic to the internet) and users are complaining about slowness in connectivity through the tunnel. Lowering the MSS also affects the traffic that is not flowing through a tunnel. If the default route points out on an ethernet interface, which in our case it does on the eth1/1 interface, it's recommended that we use an MTU of 1500 and an MSS of 1460.

BR,

Karthik

I have been seeing a fair amount of errors on the trusted interface eth1/2. A lot of "arp not found", "packets dropped" and "receive errors". They increment when websites hang.

admin@PA-200> show interface ethernet1/2
--------------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
  Runtime link speed/duplex/state: 1000/full/up
  Configured link speed/duplex/state: auto/auto/auto
MAC address:
  Port MAC address b4:0c:25:22:fa:11
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: layer3
Virtual router Internal
Interface MTU 1500
Interface IP address: 10.1.99.1/24
Interface management profile: N/A
Service configured:
Zone: trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast                  0
rx-bytes                      1689996865
rx-multicast                  0
rx-unicast                    9681331
tx-broadcast                  10843
tx-bytes                      8607553337
tx-multicast                  0
tx-unicast                    10973532
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                           1651271541
bytes transmitted                        8563280129
packets received                         9681331
packets transmitted                      10973532
receive errors                           122909
packets dropped                          0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                           1647143807
bytes transmitted                        8563280129
packets received                         9614787
packets transmitted                      10973532
receive errors                           0
packets dropped                          355102
packets dropped by flow state check      0
forwarding errors                        0
no route                                 17
arp not found                            263223
neighbor not found                       0
neighbor info pending                    0
mac not found                            0
packets routed to different zone         0
land attacks                             0
ping-of-death attacks                    0
teardrop attacks                         0
ip spoof attacks                         0
mac spoof attacks                        0
ICMP fragment                            0
layer2 encapsulated packets              0
layer2 decapsulated packets              0
--------------------------------------------------------------------------------
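As an added example (not from this thread or from Palo Alto's own tooling), a small Python script that parses the "Logical interface counters read from CPU" section of the show interface output pasted above and reports which of the error counters grew between two samples, which is the check the poster is doing by hand when pages hang. The first sample is the output above; the second sample is constructed to look like a later reading.

```python
import re

# Counters whose growth between two samples matches the symptom reported in the
# thread (pages hanging while they load): drops, receive errors, failed ARP lookups.
WATCH = ("receive errors", "packets dropped", "arp not found", "no route")

# A counter line is a name, at least two spaces, then an integer value.
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 -]*?)\s{2,}(?P<value>\d+)\s*$")


def parse_counters(text, section="Logical interface counters read from CPU"):
    """Return {counter_name: int} for one section of 'show interface <name>' output."""
    counters, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(section):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("----"):
            if counters:          # dashed rule after the counters closes the section
                break
            continue              # dashed rule right under the header: keep going
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def growing_counters(before, after, watch=WATCH):
    """Watched counters that increased between two samples, mapped to their delta."""
    return {name: after[name] - before[name]
            for name in watch
            if name in before and name in after and after[name] > before[name]}


# First sample: the logical counters from the eth1/2 output pasted in the thread.
SAMPLE_BEFORE = """\
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
packets received                         9614787
packets transmitted                      10973532
receive errors                           0
packets dropped                          355102
no route                                 17
arp not found                            263223
neighbor not found                       0
--------------------------------------------------------------------------------
"""

# Second sample: constructed to illustrate a reading taken while a page hung.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("355102", "355400").replace("263223", "263500")

if __name__ == "__main__":
    before, after = parse_counters(SAMPLE_BEFORE), parse_counters(SAMPLE_AFTER)
    for name, delta in growing_counters(before, after).items():
        print(f"{name}: +{delta} since previous sample")
```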

Hi,

Could you please update with the o/p of the below mentioned command:

admin@55-PA> show arp ethernet1/2

A sample o/p is mentioned below:

maximum of entries supported :      32000  >>>>>>>>>>>>>>>>>> please check max supported
default timeout:                    1800 seconds
total ARP entries in table :        0  >>>>>>>>>>>>>>>>>>>>>>>> current entries in table
total ARP entries shown :           0  >>>>>>>>>>>>>>> verify if it is close to max value supported
status: s - static, c - complete, e - expiring, i - incomplete
interface         ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------

Thanks

Subhankar
