- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-05-2013 07:37 AM
I recently installed a PA-200 and many websites are either very slow to load or have to be refreshed multiple times in the browser. Tried multiple browsers so not browser specific. Running a PA-200 with DHCP to Time Warner on the Untrusted interface. PA support had me change the MTU size on the untrusted interface to 1452 and also check "Adjust TCP MSS" but I am still seeing the issue. I'm on 5.05 and have url filtering turned off. Any ideas?
thanks
07-15-2013 03:40 PM
DanLukas
Do you have a 1 or more routes pointing 0.0.0.0 to your next hop router?
In other words, I have seen people program their own 0.0.0.0/0 route, pointing to their ISP's router.
I am curious if you did the same?
07-05-2013 08:35 AM
Hi,
Have you directly connected the PA-200 to the cable modem or is there a switch in between ? If there is a switch in between please check the interface configuration on the
palo alto device to be auto auto auto. If there is a mismatch on the switch port to which the PA-200 is connected to you might see this issue. Doing a packet capture on the
firewall and looking at the MSS negotiation will shed more light on this issue.
Deepak
07-05-2013 10:01 AM
it is directly connected to the cable modem. I had a ASA connected in the same manner and just swapped it with the PAN about a week ago. The trust interrface is connected to a cat 3560.
07-05-2013 10:06 AM
As a test ping a dns server from the untrust interface, ping from the trust interface on the firewall and then from a host on the internal network.
Compare the ping result to check for discrepancy.
07-05-2013 02:55 PM
Hi,
Could you please take a chapter on your laptop and firewall ingress interface. Compare both the captures and check if there are any TCP re-transmission/TCP NACK.
Thanks
Subhankar
07-06-2013 12:51 AM
Can you paste the o/p of the following CLI command:
> show interface all
> show running nat-policy
Is Zone-protection enabled on the inside interface?
07-07-2013 12:10 PM
Here are the 2 outputs:
admin@PA-200> show interface all
total configured hardware interfaces: 5
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 100/full/up b4:0c:25:22:fa:10
ethernet1/2 17 1000/full/up b4:0c:25:22:fa:11
vlan 1 [n/a]/[n/a]/up b4:0c:25:22:fa:01
loopback 3 [n/a]/[n/a]/up b4:0c:25:22:fa:03
tunnel 4 [n/a]/[n/a]/up b4:0c:25:22:fa:04
aggregation groups: 0
total configured logical interfaces: 5
name id vsys zone forwarding tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1 16 1 untrust vr:Internal 0 65.30.22.29/19
ethernet1/2 17 1 trust vr:Internal 0 10.1.99.1/24
vlan 1 1 N/A 0 N/A
loopback 3 1 N/A 0 N/A
tunnel 4 1 N/A 0 N/A
admin@PA-200> show running nat-policy
Internet-NAT {
from trust;
source any;
to untrust;
to-interface ethernet1/1 ;
destination any;
service any/any/any;
translate-to "src: ethernet1/1 65.30.22.29(*) (dynamic-ip-and-port) (pool idx: 1)";
terminal no;
}
07-07-2013 02:29 PM
How may entries do you see in the arp table from ethernet1/1-65.30.22.29/19 ?
Execute CLI command : > show arp ethernet1/1
Check " total ARP entries shown : "
07-08-2013 06:47 AM
I see that the speed on the eth1/1 is 100 Mbps. Is that the right setting, or can it be hard coded to 1000?
Can you also verify the DNS server settings on the firewall? Is it being inherited from the DHCP server on the modem? If so, can you try with an internal DNS server or a global DNS server like 4.2.2.2 or 8.8.8.8 to see if it makes a difference?
Device---> setup--> services.
BR,
Karthik RP
07-08-2013 07:09 AM
The cable modem is 10/100 and can't do a 1000. In services I did change DNS to an internal 10. dns server and have the same issue.Support had me change mtu to 1360 but am still showing the same signs. Sites with either a lot of graphics or links are hit and miss like cnn.com. I've even changed the mtu on a couple of mac's with the same results. If i look at the eth1/1 interface it does grab a dns server from the upstream time warner router. I don't know how i can hard code that since it is configed as a dhcp client. Here is the screen shot of that.
07-08-2013 08:18 AM
The DNS server settings configured under the Device---> setup--> services. , super cedes the DNS server settings received from the DHCP server on the untrust interface.
So you could try with these sever settings to see if it makes a difference ( you can configured your internal DNS server or use the public DNS servers 4.2.2.2 or 8.8.8.8)
07-08-2013 08:34 AM
I would recommend keeping the MSS to 1360, only if the default route points out on a tunnel interface (accessing internet through an ipsec tunnel, terminating on anther firewall, which then routes the traffic to internet) and users are complaining about slowness in connectivity through the tunnel. Lowering the MSS also affects the traffic, if not flowing through a tunnel. If the default route points out on an ethernet interface, which in our case does on the eth1/1 interface, its recommended that we use MTU as 1500 and MSS as 1460.
BR,
Karthik
07-11-2013 08:57 AM
I have been seeing a fair amount of errors on the trusted interface eth1/2. A lot of "arp not found" "packets dropped" and "recieved errors". They increment when websites hang.
admin@PA-200> show interface ethernet1/2
--------------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Link status:
Runtime link speed/duplex/state: 1000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address b4:0c:25:22:fa:11
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/2, ID: 17
Operation mode: layer3
Virtual router Internal
Interface MTU 1500
Interface IP address: 10.1.99.1/24
Interface management profile: N/A
Service configured:
Zone: trust, virtual system: vsys1
Adjust TCP MSS: no
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Physical port counters read from MAC:
--------------------------------------------------------------------------------
rx-broadcast 0
rx-bytes 1689996865
rx-multicast 0
rx-unicast 9681331
tx-broadcast 10843
tx-bytes 8607553337
tx-multicast 0
tx-unicast 10973532
--------------------------------------------------------------------------------
Hardware interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 1651271541
bytes transmitted 8563280129
packets received 9681331
packets transmitted 10973532
receive errors 122909
packets dropped 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 1647143807
bytes transmitted 8563280129
packets received 9614787
packets transmitted 10973532
receive errors 0
packets dropped 355102
packets dropped by flow state check 0
forwarding errors 0
no route 17
arp not found 263223
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
--------------------------------------------------------------------------------
07-11-2013 01:26 PM
Hi,
Could you please update below mentioned command o/p,
admin@55-PA> show arp ethernet1/2
A sample o/p mentioned below:
maximum of entries supported : 32000 >>>>>>>>>>>>>>>>>> please check max supported
default timeout: 1800 seconds
total ARP entries in table : 0 >>>>>>>>>>>>>>>>>>>>>>>> current entries in table
total ARP entries shown : 0 >>>>>>>>>>>>>>> verify it it is close to max value supported
status: s - static, c - complete, e - expiring, i - incomplete
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
Thanks
Subhankar
07-15-2013 03:40 PM
DanLukas
Do you have a 1 or more routes pointing 0.0.0.0 to your next hop router?
In other words, I have seen people program their own 0.0.0.0/0 route, pointing to their ISP's router.
I am curious if you did the same?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!