delayed http lookups

Hi,

I have recently replaced a Netgear firewall with an ASA5505. Below is my config. My problem is that when I browse the web from my Linux box, anytime I hit a new site, it seems to take about 30 seconds to a minute to do the lookup before I can actually get the page. The DNS entries are correct, so I don't really know why else it takes so long.

Anyone have ideas?

# sh run
: Saved
:
ASA Version 7.2(3)
!
hostname wink
domain-name network.local
enable password A9//BHKKLSDsdXgm7 encrypted
names
name 192.168.1.0 INSIDE
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd A9//BHDasSDSXgm7 encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 73.214.34.205
 name-server 68.87.85.98
 domain-name network.local
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http INSIDE 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.11 255.255.255.255 inside
telnet timeout 10
ssh INSIDE 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.40 inside
dhcpd enable inside
!
!
!
username pinky password /lqtasdfdsdfruk encrypted privilege 15
prompt hostname context
Cryptochecksum:170961d3152868491bba5137e1295291
: end

Reply to
Jake

Sounds like some kind of timeout. Is your ASA set as your DNS server? Do you have a secondary? Could the ASA not be responding and the timeout on the nix box is 30 seconds? What happens if you change your DNS to a public one on the nix box, like 4.2.2.2?

Reply to
Trendkill

Use a sniffer to see what is happening on the wire.

Best Regards, News Reader

Reply to
News Reader

And what exactly would I be looking for after starting up a sniffer?

Reply to
Jake

You would examine the DNS queries and responses. Typically you'd sniff both the WAN and LAN side of the ASA.

It would allow you to confirm the order in which the DNS servers were being queried, which of the DNS servers were responding, whether each was responding in a timely fashion, and whether your host or ASA were part of the issue.

You have a gross performance issue that should be very evident when you examine what's happening on the wire.

If you're not that familiar with sniffers, now might be a good time to start. It is often the fastest way to identify the root cause, or at least prove/disprove theories.

E.g.:

Retrieving e-mail via an authenticated connection takes a long time. You capture a trace file for analysis and determine that the TCP connection is responsive, but there is an abnormal 10 sec. delay from the time your client offers up a password, and the server responds with authorization.

With information like this, you can eliminate your host, and perhaps some of the infrastructure (depending on where the trace was taken), and maybe you quickly identify a performance issue with an authentication server.

If you don't have it, consider getting Wireshark. It's free, it's multi-platform, and it's better than most you'll pay for.

Best Regards, News Reader

Reply to
News Reader
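Added example (not part of the thread): a small Python sketch of the analysis described in the post above, pairing DNS queries with responses to show which server was asked, in what order, and how long each answer took. The capture is constructed; the host address and the use of the two name-server addresses from the posted config as the queried servers are assumptions for illustration.

```python
import struct

def dns_msg(txid, name, response=False):
    """Build a minimal DNS message (header + one A/IN question); constructed test data."""
    flags = 0x8180 if response else 0x0100
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS payload."""
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12                      # question starts after the 12-byte header
    while payload[pos]:
        n = payload[pos]
        if n & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)

def analyse(packets, slow=1.0):
    """Pair queries with responses; one row per query, in the order queries were sent."""
    pending, report = {}, []
    for ts, src, dst, payload in packets:
        txid, is_resp, qname = parse_dns(payload)
        if not is_resp:
            row = {"t": ts, "server": dst, "name": qname, "latency": None, "status": "UNANSWERED"}
            pending[(src, dst, txid)] = row   # a retransmission replaces the older pending entry
            report.append(row)
        elif (dst, src, txid) in pending:     # response: match on swapped addresses + ID
            row = pending.pop((dst, src, txid))
            row["latency"] = round(ts - row["t"], 3)
            row["status"] = "SLOW" if row["latency"] > slow else "OK"
    return report

# Constructed capture: (seconds, source IP, destination IP, UDP/53 payload).
HOST, DNS1, DNS2 = "192.168.1.20", "73.214.34.205", "68.87.85.98"
CAPTURE = [
    (0.000, HOST, DNS1, dns_msg(0x1A01, "example.com")),
    (5.000, HOST, DNS1, dns_msg(0x1A01, "example.com")),   # retry to the silent server
    (10.000, HOST, DNS2, dns_msg(0x1A02, "example.com")),
    (10.030, DNS2, HOST, dns_msg(0x1A02, "example.com", response=True)),
]

if __name__ == "__main__":
    for r in analyse(CAPTURE):
        print(f'{r["t"]:7.3f}s  {r["server"]:<15} {r["name"]:<12} {r["status"]} {r["latency"]}')
```

In this constructed trace the first server never answers and the second answers in 30 ms, so the delay is resolver timeout and failover rather than slow HTTP.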
