Thanks to all who replied with their test results. Those with XP Pro and NT4 were able to see the same symptoms as I noted.
The servers you checked are all on the DMZ, and have inbound tunnels to allow them to be visible from the external network. The servers giving the problem have "hide source address" set on their inbound tunnels (for reasons of convenience to the internal routing). At the time you tested the site http://www.jjays1.com worked correctly because it did not have "hide source" on its inbound tunnel.

The external connection is a 2Mb/sec line provided by VIO, who provide a router at our site. GB-support suggested the problem was with the VIO router, and indeed, when VIO changed the configuration of their router the problem went away.

It appears that this has to do with packet fragmentation. There is a protocol to allow the end computers (our server and the client on the internet, in this case) to determine the MTU. Test packets are sent with the DF (Do not Fragment) bit set, and intermediate routers will drop the packet and return ICMP messages noting "packet too big" and showing the maximum MTU if the packet is too large. When the inbound tunnel has "hide source" set something goes wrong in the HA firewall and this fails to work properly - presumably because either the ICMP messages are not passed to the server, or the proxy in the firewall does not operate this protocol correctly.

While reconfiguration of the VIO router has temporarily solved the problem, it is apparent that ANY router on the internet is entitled to use this protocol; and thus the HA firewall should handle it properly. We therefore expect a revision to correct the issue.

There is a possibly related issue. There is a feature to email the GNATbox configuration. If the target email address is on the PROtected or DMZ network this works correctly. However, for the MASTER firewall in the HA pair if the target email address is on the internet, the message is not sent, and its failure is logged. By contrast, the SLAVE firewall CAN email its configuration to an address on the internet.

Remember that these are identical firewalls with identical configurations: it's just that one happens to be the master, the other is the slave.

At our site we also have a 4Mb/sec line provided by Wam!Net. If we set the default route for the HA firewall to point to the Wam!Net connection rather than VIO, then the HA master can email its configuration correctly. So it seems that some aspect of the VIO network provokes the problem. Traceroutes show substantially the same paths once the packet leaves the VIO or Wam!Net networks.

Has anybody else experienced similar problems?

Regards,

--
Graham Jones
[EMAIL PROTECTED]
01953 717605 or 077 74 894200
www.linnetsol.co.uk

> -----Original Message-----
> From: Graham Jones [mailto:[EMAIL PROTECTED]
> Sent: 26 September 2003 17:09
> To: [EMAIL PROTECTED]
> Subject: [gb-users] Help with performance problem
>
>
> We have a performance problem we are attempting to resolve with
> GB support.
>
> However, it would be useful to get some more information about the
> performance as seen by different users. This relates to three websites
> behind a HA pair of GB-1000 firewalls.
>
> Viewing the sites from a Windows 2000 workstation gives adequate
> performance.
>
> However we find that viewing from a Linux workstation or a Win XP machine
> with ICS enabled gives abysmal performance - the browser often appears to
> hang.
>
> The sites are:
>
> http://www.jjays1.com
>
> http://proofing.jjays1.com - this will ask for a password so is not very
> representative
>
> http://future.jjays1.com
>
> Could you try for yourselves please, and email me if you see any
> performance
> failure, noting:
>
> Operating System;
> Browser;
> Speed and method of internet connection.
>
> Thanks.
>
> Regards,
>
> --
> Graham Jones
> [EMAIL PROTECTED]
> 01953 717605 or 077 74 894200
> www.linnetsol.co.uk
>
> ------------------------------------------------------
> To unsubscribe: [EMAIL PROTECTED]
> For additional commands: [EMAIL PROTECTED]
> Archive: http://www.mail-archive.com/[EMAIL PROTECTED]
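The Path MTU Discovery mechanism the message describes (DF-bit probes, routers answering with an ICMP "fragmentation needed" message that carries their MTU, the sender shrinking its packet size) and the failure mode it suspects (the firewall not passing those ICMP messages back to the server) are easy to reason about with a small simulation. The Python below is an added example, not code from the thread or from GNATBox; the hop names, MTUs and probe sizes are constructed, and modelling "hide source" as a hop that discards returning ICMP is only a model of the author's hypothesis, not a statement about how the product behaves. It shows PMTUD converging on a healthy path, the same sender stalling with no feedback on a path that eats ICMP, and the sender-side check an operator uses to tell a black hole apart from a plain outage: a smaller DF probe still gets through.

```python
"""Path MTU Discovery (RFC 1191 style) and the ICMP black hole, simulated.

Added example, not part of the original mailing-list message. All hop
names, MTUs and probe sizes below are constructed values.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    mtu: int                   # MTU of the link leading out of this hop
    passes_icmp: bool = True   # False: this hop discards ICMP travelling back to the sender


@dataclass
class Packet:
    size: int
    df: bool = True            # Don't Fragment bit, as PMTUD probes set it


@dataclass
class IcmpFragNeeded:
    """ICMP type 3 code 4: fragmentation needed and DF set; carries the next-hop MTU."""
    from_hop: str
    next_hop_mtu: int


def forward(path, packet):
    """Carry one packet along `path` (sender side first).

    Returns ("delivered", None), ("dropped", IcmpFragNeeded) when the sender
    receives the router's feedback, or ("dropped", None) when a hop between
    the router and the sender discards that ICMP (the black hole case).
    """
    for i, hop in enumerate(path):
        if packet.size <= hop.mtu:
            continue
        if not packet.df:
            return "delivered", None   # router may fragment; treated as delivered
        icmp = IcmpFragNeeded(hop.name, hop.mtu)
        # The ICMP message travels back through every hop nearer the sender.
        for back in reversed(path[:i]):
            if not back.passes_icmp:
                return "dropped", None
        return "dropped", icmp
    return "delivered", None


def discover_pmtu(path, initial_mtu=1500, max_rounds=10):
    """Sender's PMTUD loop: probe with DF, shrink to the advertised MTU, retry.

    Returns (pmtu, log); pmtu is None when a probe is dropped with no ICMP
    feedback, i.e. the sender cannot learn why its large packets vanish.
    """
    pmtu, log = initial_mtu, []
    for _ in range(max_rounds):
        status, icmp = forward(path, Packet(size=pmtu, df=True))
        log.append((pmtu, status))
        if status == "delivered":
            return pmtu, log
        if icmp is None:
            return None, log
        pmtu = icmp.next_hop_mtu
    return None, log


def probe_largest_deliverable(path, sizes):
    """Operator's check: send DF probes of decreasing size, report the largest
    that arrives (what one does by hand with a DF-set ping of varying size)."""
    for size in sorted(sizes, reverse=True):
        status, _ = forward(path, Packet(size=size, df=True))
        if status == "delivered":
            return size
    return None


def diagnose(path, sizes):
    """Combine both views: PMTUD that never converges while a smaller DF
    probe is still delivered is the signature of an ICMP black hole."""
    pmtu, _ = discover_pmtu(path)
    largest = probe_largest_deliverable(path, sizes)
    if pmtu is not None:
        return "pmtud ok", pmtu
    if largest is not None:
        return "black hole", largest
    return "path down", None


# Constructed topologies: server -> firewall -> upstream router -> internet.
HEALTHY_PATH = [Hop("edge-fw", 1500), Hop("upstream-rtr", 1400), Hop("internet", 1500)]
BLACKHOLE_PATH = [Hop("edge-fw", 1500, passes_icmp=False),
                  Hop("upstream-rtr", 1400), Hop("internet", 1500)]
PROBE_SIZES = [1500, 1472, 1400, 1300, 576]

if __name__ == "__main__":
    for label, path in (("healthy", HEALTHY_PATH), ("icmp filtered", BLACKHOLE_PATH)):
        print(label, discover_pmtu(path), diagnose(path, PROBE_SIZES))
```

On the healthy path the sender's first 1500-byte probe is dropped at the 1400-byte link, the ICMP reply names that MTU, and the second probe is delivered. On the path whose firewall discards ICMP the same first probe is dropped silently and the sender keeps its 1500-byte estimate; a connection then looks "hung" exactly when a packet happens to be large, while the 1400-byte probe in `probe_largest_deliverable` still arrives. That pair of observations is what distinguishes a PMTUD black hole from a dead link, and the fix belongs at the device that drops the ICMP, not at whichever upstream router happened to have the smaller MTU.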
