This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Website is slow when put behind vm-series 300

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Website is slow when put behind vm-series 300

Tariq87
L1 Bithead

‎04-12-2021 11:12 AM

We have deployed vm-series 300 in AWS recently and put our production site behind it, but we are seeing a performance degradation, the website is taking around 2-3 mins to load for the first time which normally it didnt take, we have not put any url filtering profiles yet but yes we do have some security and nat profiles in place(which normal I believe), I just wanted to understand what could be the reason for the slowness and what all things can be checked in PA to troubleshoot.

 

PS: I am attaching a screenshot of developers tool console to show time it takes for the page to load first timeScreenshot 2021-04-12 at 11.29.58 PM.png

0 Likes Likes
14 REPLIES 14

rapatil
L3 Networker

‎04-12-2021 11:23 AM

Hi Tariq87, 

Can you please open a support case so we can look into this issue and help to troubleshoot it further?
 
Thank you.
0 Likes Likes

rapatil
L3 Networker

‎04-12-2021 11:23 AM

Hi Tariq87,
Can you please open a support case so we can look into this issue and help
to troubleshoot it further?
0 Likes Likes

jmeurer
L2 Linker

‎04-12-2021 11:25 AM

How are you directing traffic to the firewalls?  If you are using an ALB/NLB, ensure that your routing allows the firewalls to communicate with all of the LB Subnets via the same interface that is specified in the Target Group.   Similar question on the backend.  If the application is deployed across multiple subnets, ensure the firewall can route to all of the backend subnets via the SNAT interface.

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-12-2021 11:33 AM

Yes, we are using NLB, which is deployed in 2 subnets across 2 az's, the backed firewalls are also in the same AZ's. The backend to the firewall is an Haproxy which are also spread across the same az's.

What else can I check?

0 Likes Likes

jmeurer
L2 Linker
In response to Tariq87

‎04-12-2021 11:48 AM

There is a very good chance that your external interface cannot route to the NLB subnet in the other zone or that your Trust side interface cannot route to the other zone.  If you can post your subnet lists and your firewall VR "More Runtime Stats", we may be able to see the issue.  

 

Also watch that you do not have "Automatically create default route pointing to default gateway provided by server" enabled on both of your interfaces.

0 Likes Likes

Tariq87
L1 Bithead
In response to jmeurer

‎04-12-2021 07:45 PM

I am sure of the second point you have mentioned, no we did not do that.

For the first, I'll check and get back to u

0 Likes Likes

Tariq87
L1 Bithead
In response to rapatil

‎04-12-2021 07:54 PM

How can I do that?

0 Likes Likes

tostern
L3 Networker
In response to Tariq87

‎04-12-2021 08:04 PM

@Tariq87 

see below on the picture. You have to make sure that on the interface on the firewall are you not select "Automatically create default route....."

Screenshot 2021-04-13 at 05.02.25.png

"With unity we can do great things"

Tariq87
L1 Bithead
In response to tostern

‎04-12-2021 08:23 PM

Yes, we have not selected this for the trust interface

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks