Slow loading specific web page

Hi there,

I have a weird problem with loading time on a specific site (http://www.mednet.gr).

The site makes a php GET call for a gzipped css file (http://www.mednet.gr/application/css.php?request=application/themes/mednet/theme.css&c=46) which takes about a minute to complete.

The weird thing is that I get this delay only through Sophos! Not with a direct connection or an obsolete TMG Proxy server that I tried.

I bypassed any checks on the site and used the browser developer tools to verify that I get no error on loading.

Bypass content scanning is enabled (if that makes any difference).

Any ideas??



  • Hi,

    Just tried running it thru the filter here, and it loads within 2 seconds.

    It has a few errors and resources not found along with a certificate error, but nothing that major.

    Tried with and without filter having no issues, so I can't replicate the behavior.

     

    Any errors in the web protection log regarding the css  url ?

    What is your setting in : Web Protection -> Filtering Options -> Misc ; Web Caching  ?

  • No errors in web protection log:
    dstip="144.76.186.178" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="23080" request="0x1817d200" url="www.mednet.gr/.../css.php referer="" error="" authtime="0" dnstime="104817" cattime="0" avscantime="0" fullreqtime="246139" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0" exceptions="auth,content,url" content-type="text/css"

    Web Caching is disabled since I had another issue with enabling it (https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/76131/sg330-unresponsive-for-a-couple-of-minutes-with-postgres-4267-error)

  • The only thing that strikes me here is that the request for the css only takes about 0,24 seconds to finish, even dns does not look alarming.

    The times in the logs are in microseconds.

     

    So... if the proxy fetches in 0,24 seconds, where does the remaining 59 seconds go ? ( time between proxy and client ? or ? )

    Is it the same with all clients behind the proxy ?

     

    Sorry, I don't have any bright ideas at the moment.

    By the way, I use cache on the proxy - not because of bandwidth but because of speed.
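
An added example, not part of the original posts: a small parser for `key="value"` access-log lines of the shape quoted in this thread, converting the microsecond timing fields to seconds and comparing the proxy-side total with the load time seen in the browser. The sample lines and the `example.test` URLs are constructed, and the function names are hypothetical.

```python
import re

# key="value" pairs, as in the httpproxy access-log lines quoted in this thread
PAIR = re.compile(r'([A-Za-z_][\w-]*)="([^"]*)"')
# Timing fields seen in those lines; the thread states they are in microseconds
TIME_FIELDS = ("authtime", "dnstime", "cattime", "avscantime", "fullreqtime")

# Constructed sample lines (placeholder URLs, shortened field set)
SAMPLE = [
    'action="pass" statuscode="200" url="example.test/theme.css" '
    'authtime="0" dnstime="104817" cattime="0" avscantime="0" fullreqtime="246139"',
    'action="pass" statuscode="200" url="example.test/loading.gif" '
    'authtime="0" dnstime="350" cattime="166" avscantime="0" fullreqtime="54732"',
    'action="pass" statuscode="200" url="example.test/ga.js" '
    'authtime="0" dnstime="1550" cattime="170" avscantime="0" fullreqtime="6555"',
]

def parse_line(line):
    """Return the line's fields; timing fields become integer microseconds."""
    rec = dict(PAIR.findall(line))
    for field in TIME_FIELDS:
        if rec.get(field, "").isdigit():
            rec[field] = int(rec[field])
    return rec

def slow_requests(lines, threshold_s):
    """(url, seconds) for requests at or above threshold_s, slowest first."""
    hits = []
    for rec in map(parse_line, lines):
        usec = rec.get("fullreqtime")
        if isinstance(usec, int) and usec >= threshold_s * 1_000_000:
            hits.append((rec.get("url", "?"), usec / 1_000_000))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def unexplained_delay(lines, client_seconds):
    """Client-observed load time minus the sum of all proxy request times.

    Summing treats the requests as strictly serial, so a large positive
    result is time the logged proxy fetches cannot account for.
    """
    recs = map(parse_line, lines)
    total = sum(r["fullreqtime"] for r in recs
                if isinstance(r.get("fullreqtime"), int))
    return client_seconds - total / 1_000_000

if __name__ == "__main__":
    for url, secs in slow_requests(SAMPLE, 0.05):
        print(f"{secs:8.3f}s  {url}")
    print(f"unexplained: {unexplained_delay(SAMPLE, 60.0):.3f}s")
```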

  • Same behavior on any client.

    In my Firefox I can see the css file fully loaded in the browser but the tab is stuck at loading for the remaining 59 secs.

  • Was able to replicate on a remote UTM 120...

     

    Seems it is all of the externally referenced content that is taking forever to get fetched and dragged thru the filter (fonts, css references, google stuff etc etc)

    Only difference I can see between the remote and the SG230 here is a regex block list I put into a block web ads policy.

    Will have to test some more to be sure though.

     

     

    The list contains (delim is space)

    ^https?://([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo\.com/
    ^https?://([A-Za-z0-9.-]*\.)?secure\.footprint\.net/
    ^https?://([A-Za-z0-9.-]*\.)?match\.com/
    ^https?://([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?sitescout(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?appnexus(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?evidon(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?mediamath(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?scorecardresearch(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?flashtalking(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?turn(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?mathtag(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?googlesyndication(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?s\.yimg\.com/cv/ae/us/audience/
    ^https?://([A-Za-z0-9.-]*\.)?clicks\.beap/
    ^https?://([A-Za-z0-9.-]*\.)?.doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?yieldmanager(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?w55c(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?adnxs(\.\w{2}\.\w{2}|\.\w{2,4})/
    ^https?://([A-Za-z0-9.-]*\.)?advertising\.com/
    ^https?://([A-Za-z0-9.-]*\.)?evidon\.com/
    ^https?://([A-Za-z0-9.-]*\.)?scorecardresearch\.com/
    ^https?://([A-Za-z0-9.-]*\.)?flashtalking\.com/
    ^https?://([A-Za-z0-9.-]*\.)?turn\.com/
    ^https?://([A-Za-z0-9.-]*\.)?mathtag\.com/
    surveylink.yahoo.com
    ^https?://([A-Za-z0-9.-]*\.)?surveylink/
    ^https?://([A-Za-z0-9.-]*\.)?info\.yahoo\.com/
    ^https?://([A-Za-z0-9.-]*\.)?ads\.yahoo\.com/
    ^https?://([A-Za-z0-9.-]*\.)?global\.ard\.yahoo\.com/
    googlesyndication.com

  • I removed everything from my blocking list.

    No change whatsoever :(

  • I tried messing around with the remote UTM - no joy.

     

    It loads a blank page to this point, then just hangs for a looooong time..

    I do have to clear webbrowser cache every time to replicate.

    request="0x2bc9f600" url="www.mednet.gr/.../logo-ygeia-gia-olous_210x74.jpg" referer="http://www.mednet.gr/" error="" authtime="0" dnstime="502" cattime="231" avscantime="0" fullreqtime="53602" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" exceptions="ssl" category="108,119" reputation="neutral" categoryname="Public Information,Health" content-type="image/jpeg"

     
    The next thing that comes is google analytics referred by mednet
     
    size="16007" request="0x2bc38a00" url="www.google-analytics.com/ga.js" referer="http://www.mednet.gr/" error="" authtime="0" dnstime="1550" cattime="170" avscantime="0" fullreqtime="6555" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" exceptions="ssl" category="178" reputation="neutral" categoryname="Internet Services" content-type="text/javascript"
    2017:03:09-14:16:05 firewall httpproxy[2620]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.248.2.2" dstip="92.246.5.15" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="12156" request="0x2bde6600" url="www.google-analytics.com/analytics.js" referer="http://www.mednet.gr/" error="" authtime="0" dnstime="485" cattime="160" avscantime="0" fullreqtime="5116" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" exceptions="ssl" category="178" reputation="neutral" categoryname="Internet Services" content-type="text/javascript"
    2017:03:09-14:16:05 firewall httpproxy[2620]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.*******" dstip="144.76.186.178" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="878" request="0x2bc38400" url="www.mednet.gr/.../loading.gif" referer="http://www.mednet.gr/" error="" authtime="0" dnstime="350" cattime="166" avscantime="0" fullreqtime="54732" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36" exceptions="ssl" category="108,119" reputation="neutral" categoryname="Public Information,Health" content-type="image/gif"
    2017:03:09-14:16:05 firewall httpproxy[2620]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.******" dstip="172.217.17.66" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1163" request="0x2bde7800" url="www.googletagservices.com/.../gpt.js" referer="http://www.mednet.gr/" error="" authtime="0" dnstime="1405" cattime="131" avscantime="0" fullreqtime="30732" device="0" auth="0"
     
     
    My bet is still that it's the referrer links that take the time.
    Nothing in the log on fullreqtime is alarming and dns also looks fine.
     
    Will keep on playing around with it as I have time and follow the thread, but no golden solution at the moment.
  • Hi Ilias,

    Turn OFF the IPS and see the effects. If that doesn't help, show us a tracert output.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • IPS is already disabled.

    Traceroute:

    traceroute to mednet.gr (144.76.186.178), 30 hops max, 40 byte packets using UDP
     1  195.167.62.65 (195.167.62.65)  0.429 ms   0.432 ms   0.425 ms
     2  peir-louiscruises.customers.otenet.gr (195.167.103.41)  2.634 ms   3.782 ms   2.716 ms
     3  athe-crsb-klmk7609a-1.backbone.otenet.net (79.128.240.137)  1.975 ms 79.128.241.13 (79.128.241.13)  1.386 ms   1.416 ms
     4  kolasr02-hu-0-8-0-0.ath.OTEGlobe.gr (62.75.3.17)  1.251 ms 62.75.3.157 (62.75.3.157)  2.083 ms kolasr02-hu-0-8-0-0.ath.OTEGlobe.gr (62.75.3.17)  12.467 ms
     5  * * *
     6  decix-gw.hetzner.de (80.81.192.164)  52.073 ms   53.166 ms   52.306 ms
     7  core23.hetzner.de (213.239.203.154)  53.410 ms   53.036 ms   52.934 ms
     8  ex9k1.rz20.hetzner.de (213.239.203.146)  53.305 ms   52.195 ms   53.043 ms
     9  * * *
    10  * * *
    11  * * *
    12  * * *
    13  * * *
    14  * * *
  • Hi Ilias,

    As you can see the delay is observed through the next hop routers, which clearly makes us doubtful that the issue is on the ISP side. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support