
IE Slow Behind Sophos

Hi everyone,

I have had an issue with IE on all computers behind our Sophos UTM box for over 2 years now. We simply accepted the issue and moved on. The issue is, when browsing to a webpage, IE takes forever to load! This issue doesn't affect any other browser but our tools require Active X's to work so we are forced to use IE. I have tried:

Turning off IPS

Turning off Web Protection

Turning off Application Control

Creating QOS Rules

Resetting winsock on our PCs

And many more things!

 

I've looked at every log possible and I can't seem to figure it out. Sophos has a lot of great features, a lot of which we use, but this issue is starting to get worse and is going to force us to go with another vendor. The workstations we use vary from Win7 to Win8. Sometimes they have the issue, sometimes they don't.

We currently run IPS, Web Protection, Application Control. 

IPS has never been messed with besides adding our networks

Web Protection has never been messed with. Runs in Transparent mode with no authentication and doesn't block on authentication fail

Application Control has been turned on and blocks windows updates (windows updates break our tools)

We also use the sophos AV included with the UTM. We keep the UTM up to date, 9.411-3 running right now. 

 

I'm begging for help! I can't seem to find the issue!

 

Thanks

Brandon



This thread was automatically locked due to age.
  • I can appreciate your frustration.   For the sake of those who might read your post and panic, I can say that I have not seen this problem during our two years running UTM, and we have used it with a mix of IE versions (and other browsers) during that time.

    I assume that you have checked the dashboard and do not see a CPU, memory, or disk space problem.   If you had a CPU issue, it would seem that disabling those items would have resolved the problem by now.

    You probably need to explain how your proxy is configured:   proxy script in browser, proxy redirect in browser, or in-line transparent proxy.  

    • If you have transparent proxy enabled, you probably want to ensure that the browser is not also connecting directly using automatic configuration, proxy script, or proxy redirection (Internet Options... Connections... LAN Settings).   I don't know that redundant settings are a problem, but I can imagine that they might be.

    • If your most important sites are also highly trusted, you could try bypassing the proxy for only those sites.  The problem may be specific to your target sites.
      • If you use a proxy script, put the exception sites into the script.
      • If you use transparent modes, put the exception sites into Web Protection... Misc... Transparent Mode (Destination) Skip List.

    Then test to see if the less important sites behave comparably between IE and Chrome.

    Hope that helps some.

  • Hello,

    Thanks for the quick reply. 

    I have tried running IE with auto config on/off - no difference. 

    We don't run a proxy script. We try to keep things very simple here.

    It occurs with all websites. Sometimes it even shows "Page cannot be displayed". I've tried the Windows "Fix connection issues" tool but it's never able to see an issue. 

    I can ping google just fine with quick responses but if I try to browse to google, IE hangs. 

     

    Brandon

  • If the problem also occurs when you have disabled WebProtection, authentication or URL filtering could not be the problem. With WebProtection disabled, the traffic goes straight through the firewall.
    BTW: How did you disable WebProtection? With the "big" switch, or with an exception? If you use an exception, please be sure that it matched!

    My first thought was DNS, but as you wrote other browsers on the same client are working, and they are using the same DNS settings.

    I also thought about the proxy settings in IE, but you wrote that everything is disabled like here (but maybe in another language :) )

     

    Does your tool, which needs IE, change something in the settings of IE? What happens when you try to open the web page by IP address (like IBM's site: http://129.42.38.1 )? Is there a function in IE which analyzes the URL in the cloud before loading it? Maybe this cloud service is blocked by your UTM. Then you should see blocked requests in the firewall log.

    Another blind shot: try to reset the websocket of your client. Open an administrative command line and execute

    netsh winsock reset

    Jas

     

  • To be clear, you will be your own hero here, and learn a lot in the process.   We are giving hints, but you will be doing the detective work.

    You may find my post in this other thread useful for the section about using Live Log.   Your interest will be different, because you need to focus on the target URLs that are different between the two browsers, and especially on the URLs that had HTTP errors.   Look for log entries where ' status="code" ' has a value of 400 and higher, representing errors.   A web search can give you the text for each code.  There are also four time fields, which have never been very useful to me, but might be useful in your situation.   

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/89746/setting-up-policy-from-block-all-to-allow-specific-sites-but-filter-them/326458#326458

    The critical issue for your situation is: "What happens differently between IE and Chrome".   The logs should tell you that.  Are both browsers going through UTM?   Are both browsers authenticating to the same user?   Are both browsers resolving to the same Profile, FilterAction, and Exceptions?  Are both browsers going to the same list of URLs and obtaining the same status code?  Somewhere in this list, the answer is almost certainly no.

    Also, it may be useful to note, as the logs will indicate, that when suggested sites are turned on, every keystroke creates a round-trip packet exchange to request and receive the current suggestion list.
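
The browser-by-browser log comparison suggested in the post above can be scripted once the Web Filtering log is exported. This is an added example, not part of the original post and not Sophos code; the sample lines are constructed, and the field names (`ua`, `url`, `statuscode`, with `status` as a fallback) are assumptions about the log layout that should be adjusted to match your own log.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key="value" layout; hosts and field names are
# placeholders/assumptions, not taken from a real Web Filtering log.
SAMPLE_LOG = '''\
2017:03:01-10:15:01 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" statuscode="200" url="http://tools.example.test/app" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2017:03:01-10:15:02 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" statuscode="503" url="http://urs.example.test/check" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2017:03:01-10:15:03 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" statuscode="404" url="http://tools.example.test/style.css" ua="Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2017:03:01-10:16:01 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" statuscode="200" url="http://tools.example.test/app" ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/56.0 Safari/537.36"
2017:03:01-10:16:02 utm httpproxy[4321]: action="pass" srcip="10.0.0.21" statuscode="200" url="http://tools.example.test/style.css" ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/56.0 Safari/537.36"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')

def browser_of(ua):
    """Classify a User-Agent string; IE 11 identifies itself with Trident/."""
    if "Trident/" in ua or "MSIE" in ua:
        return "IE"
    if "Chrome/" in ua:
        return "Chrome"
    return "other"

def parse(log_text):
    """Yield (browser, url, status) for every line carrying a url and a code."""
    for line in log_text.splitlines():
        f = dict(PAIR.findall(line))
        code = f.get("statuscode") or f.get("status")
        if "url" in f and code and code.isdigit():
            yield browser_of(f.get("ua", "")), f["url"], int(code)

def compare(log_text, a="IE", b="Chrome"):
    """Report HTTP errors, URLs only browser a requested, and differing codes."""
    seen = defaultdict(lambda: defaultdict(set))   # url -> browser -> {codes}
    for browser, url, code in parse(log_text):
        seen[url][browser].add(code)
    report = {"errors": [], "only_a": [], "differs": []}
    for url in sorted(seen):
        codes_a, codes_b = seen[url].get(a, set()), seen[url].get(b, set())
        for browser, codes in ((a, codes_a), (b, codes_b)):
            report["errors"] += [(browser, url, c) for c in sorted(codes) if c >= 400]
        if codes_a and not codes_b:
            report["only_a"].append(url)
        elif codes_a and codes_b and codes_a != codes_b:
            report["differs"].append(url)
    return report

if __name__ == "__main__":
    for section, rows in compare(SAMPLE_LOG).items():
        print(section, rows)
```

URLs listed under `only_a` are requests that only IE made, which is where a browser-specific lookup being blocked or timing out would show up.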

     

  • Douglas,

    he wrote that the issue also occurs when he disables WebProtection. Therefore I think he will not find any problem in the logs. It seems that the URL request is held back by IE, or IE is waiting for something. And it must be something which is the same on all clients, like a local AV scanner with HTTP scanning functions or another program.

    Your idea to capture the traffic with Wireshark was good. I guess this can bring light into the darkness :)

    Jas

  • Hello,

     

    So I've tinkered with even more complex settings and reviewed additional logs on the UTM and it appears IPS was blocking some DNS requests from and to our local AD DNS servers. So I disabled IPS and it seems like the issue went away, but now instead of IE displaying "Waiting for 'Web Page Title'", we receive a Sophos UTM page with the error message "Host cannot be found". It doesn't happen as often as the IE issue did but it is frequent. This is happening on ALL machines and ALL web browsers.

    Below is a snapshot of what's currently turned on on the UTM.

     

     

    At least now I'm getting an error message as compared to nothing! Any thoughts? 

  • Congratulations on your sleuthing.

    Host not found means that DNS is not resolving the way you want.   I suspect that it is querying your internal DNS servers and getting an internal address, but it is trying to use it as an external address.

    This link has Sophos recommendations for DNS configuration

    https://community.sophos.com/kb/en-us/120283

    The availability group adds some complexity, but the key issues are:

    On the Network Services... DNS... "Forwarders" tab, you want to use an external DNS server, such as Google's DNS at 8.8.8.8

    On the Network Services... DNS... "Request Routing" tab, you want to configure an internal DNS server for each internal domain.

    Google says that they set up their DNS because they have almost everything about DNS cached, so their servers can reply faster than the DNS servers offered by your ISP.   This performance benefit is why the Sophos document recommends using them.

    Another option is Norton ConnectSafe DNS, which returns a dead-end DNS result if they have a DNS name on their blacklist.   More info at https://dns.norton.com/   For businesses, no-cost registration is required.

    If you have enabled DNSSEC validation (on the UTM DNS global tab), try turning it off.   If you have DNSSEC enabled but use a DNS server that does not implement it fully, you could get non-existent host errors as a result.   Active Directory DNS servers have very limited support for DNSSEC.

  • Hello,

     

    Thanks for the link to the guide! I followed it to a T. I tested a few workstations and it appears the issue is gone, but it's sporadic so it's possible that it's just not happening right now. I will let you all know what happens. We're a financial institution so I'd really like to be able to use IPS, but the issues it was causing are far more concerning to users.

     

    Thanks

    Brandon

  • Hi Brandon,

    nice to read that you found the issue. :)

    But I'm wondering why the other web browsers did not have the same problem, because the DNS queries go the same way, independently of which browser you are using. I guess that IE does something different because of some kind of protection.

    I suggest that you check the IPS log to identify the reason for your issue, and try to solve it (e.g. disabling the DNS server pattern). Or create an exception for the AD DNS servers.

    Jas

  • Hello,

     

    I did turn off "Automatically Detect Settings" under connections and LAN settings in IE. Not sure if that changed anything or not. I know before it didn't seem to have any effect on the Waiting for Page issue. I did follow that guide for the best case DNS settings and I had my internal servers where I should have had forwarders and vice versa. 

     

    After all seemed well, I turned IPS back on and we haven't had any issues yet *knock on wood*. I think it was a combination of the DNS settings, Web Protection settings, and IE settings. I wish I could say what exactly it was but I changed so much that I really can't say. I do know the issue persisted even when completely disabling IPS, WebProtection, Application Control, etc. 

     

    So currently, WebProtection is running in transparent mode (our tools run in IE with a few active X's and don't behave nicely when forcing IE to go thru a proxy and UTM in standard mode).

     

    Application Control is running, blocking all Windows Updates

     

    IPS is running with all defaults. 

     

    Our workstations use our internal DNS servers to resolve, then our servers use the UTM for DNS forwarding. The UTM uses Google DNS.

     

    Our workstations all have Sophos Endpoint AV installed with web control active.

     

    UTM is updated to the latest available packages.

     

    I will be sure to update this thread if I come across a direct fix for my issue. Thanks everyone for your help!

     

    Brandon 

  • Douglas, the DNS Best Practice article in the KnowledgeBase was copied from DNS best practice almost two years ago.  As you'll see in the Change Log in my post, I've added six improvements since the copy was taken.  If they're not going to maintain their article, they should delete the content and have it link instead to the post I improve based on comments made here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • As DouglasFoster and Jas Man have said, Brandon, the entire problem was probably DNS.  As I mentioned above, there were some updates in DNS best practice that might be worth examining - I didn't look.

    A look in the Web Filtering log would have told you if ports other than 80&443 were seen by the Proxy.  If so, then disabling 'Automatically Detect Settings' might have been important, too.  In fact, if the client sees that a proxy is active and sends to it, the UTM Web Filtering Profile handles the traffic as if it were in Standard mode.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA