This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Website is slow when put behind vm-series 300

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Website is slow when put behind vm-series 300

Tariq87
L1 Bithead

‎04-12-2021 11:12 AM

We have deployed vm-series 300 in AWS recently and put our production site behind it, but we are seeing a performance degradation, the website is taking around 2-3 mins to load for the first time which normally it didnt take, we have not put any url filtering profiles yet but yes we do have some security and nat profiles in place(which normal I believe), I just wanted to understand what could be the reason for the slowness and what all things can be checked in PA to troubleshoot.

 

PS: I am attaching a screenshot of developers tool console to show time it takes for the page to load first timeScreenshot 2021-04-12 at 11.29.58 PM.png

0 Likes Likes
14 REPLIES 14

rapatil
L3 Networker

‎04-12-2021 11:23 AM

Hi Tariq87, 

Can you please open a support case so we can look into this issue and help to troubleshoot it further?
 
Thank you.
0 Likes Likes

rapatil
L3 Networker

‎04-12-2021 11:23 AM

Hi Tariq87,
Can you please open a support case so we can look into this issue and help
to troubleshoot it further?
0 Likes Likes

jmeurer
L2 Linker

‎04-12-2021 11:25 AM

How are you directing traffic to the firewalls?  If you are using an ALB/NLB, ensure that your routing allows the firewalls to communicate with all of the LB Subnets via the same interface that is specified in the Target Group.   Similar question on the backend.  If the application is deployed across multiple subnets, ensure the firewall can route to all of the backend subnets via the SNAT interface.

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-12-2021 11:33 AM

Yes, we are using NLB, which is deployed in 2 subnets across 2 az's, the backed firewalls are also in the same AZ's. The backend to the firewall is an Haproxy which are also spread across the same az's.

What else can I check?

0 Likes Likes

jmeurer
L2 Linker
In response to Tariq87

‎04-12-2021 11:48 AM

There is a very good chance that your external interface cannot route to the NLB subnet in the other zone or that your Trust side interface cannot route to the other zone.  If you can post your subnet lists and your firewall VR "More Runtime Stats", we may be able to see the issue.  

 

Also watch that you do not have "Automatically create default route pointing to default gateway provided by server" enabled on both of your interfaces.

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-12-2021 07:45 PM

I am sure of the second point you have mentioned, no we did not do that.

For the first, I'll check and get back to u

0 Likes Likes

Tariq87
L1 Bithead
In response to rapatil

‎04-12-2021 07:54 PM

How can I do that?

0 Likes Likes

tostern
L3 Networker
In response to Tariq87

‎04-12-2021 08:04 PM

@Tariq87 

see below on the picture. You have to make sure that on the interface on the firewall are you not select "Automatically create default route....."

Screenshot 2021-04-13 at 05.02.25.png

"With unity we can do great things"

Tariq87
L1 Bithead
In response to tostern

‎04-12-2021 08:23 PM

Yes, we have not selected this for the trust interface

0 Likes Likes

jmeurer
L2 Linker
In response to Tariq87

‎04-13-2021 05:51 AM

Please see me earlier note about posting your resultant route table from the firewall and your subnet layout.

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-13-2021 06:12 AM

10.163.6. and 10.163.5 are untrust interfaces(subnets) and 10.163.11 and 10.163.15 are trust interfaces

 

Screenshot 2021-04-13 at 6.41.39 PM.png

 

Screenshot 2021-04-13 at 6.33.18 PM.pngScreenshot 2021-04-13 at 6.31.56 PM.png

0 Likes Likes

jmeurer
L2 Linker
In response to Tariq87

‎04-13-2021 09:12 AM

What subnets are your LB and back in?  The route that I question is the /22 on only one of the firewalls.  If you have backend traffic that is not in the same subnet as an interface, you could be routing it out Eth1/1 but snatting it to Eth1/2.  That will cause a timeout.  

 

On the flip side, you have a 10/8 route via eth1/2, this is going to prevent your LB health checks from return to the cross zone subnet via eth1/1.

 

You should have 0/0 via eth1/1 and static route for the NLB subnets also via eth1/1.  You can then use the 10.8 route to get to all other subnets via eth1/2.

 

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-13-2021 10:18 AM

i need some time to verify this, need to look into it tomorrow morning and will get back to you

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-14-2021 10:00 PM

We have found out that it is the decryption profile which is causing the slowness, I have opened a ticket with PA support

0 Likes Likes
  • 8837 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks