
Web Pages Slow to Load

Referencing this previous post: Webpages SLOW to load

That post is over 7 years old and locked, so I am posting here.

I recently started having this same issue: web pages take 30+ seconds to load for all users on the network. A number of coincidental factors may have contributed to it. A bit of reference:

  • My Windows domain controllers are in Azure. They have been there for the last three months or so. For the last couple of months I had not seen any issue with Internet performance. I am currently building other infrastructure in Azure, but at this time the only user access to Azure is being able to authenticate against these DCs.
    • I have a VPN between the site and Azure (set up with Sophos Support's assistance).
    • Up to a couple of weeks ago there did not seem to be any issue with the setup as mentioned above.
    • In the midst of this issue surfacing, I received notice from my ISP about some maintenance that would affect my site. This may be coincidental, but it may be related. I am working with them in an attempt to resolve the issue. My biggest issue with them is:
      • When I do a tracert to a site, the 2nd hop (which should be an Internet-facing component, as the traffic has left my router at hop 1) always shows * for latency and "Request timed out" instead of the IP. My understanding of tracert is that it uses pings to get the latency numbers and that some servers can be set not to respond. I tested on other connections from the same ISP (my connection is fiber; the other connections I tested on were not fiber, but were with the same ISP), and on those other connections I always get a response and an IP on the 2nd hop. So I asked ISP fiber support whether they can confirm that this response is normal.
  • I have done things like disabling the VPN between the site & Azure. No difference; web browsing is still slow to load pages.

In the beginning of this post I referenced a 7-year-old post with the same issue. My reason for posting here is in reference to the last post by Mike Carpio:

Problem ended up being in Configure > Network > DNS: I entered internal AD DNS server addresses before I put in a public DNS address like 8.8.8.8. Once I changed the first entry to a public DNS server things worked quick again. Not sure why that would make any difference, especially since I have my internal DNS servers entered first at my other 3 sites.

So I attempted what seemed to be the resolution for Mike. Normally in DNS I had my 2 DCs first & second, then 8.8.8.8 as the third DNS entry. Note: my DCs also have forwarders set up (8.8.8.8 & 8.8.4.4). This is my typical setup in most cases. So I tried what Mike had done: I put 8.8.8.8 first. This did speed up the loading of web pages, but then I had issues when attempting to log in to workstations, stating they could not reach my DCs. An nslookup of the internal domain or a DC results in a response from dns.google stating it could not find that address.

So this is my question for this post. Why is it not traversing to my DCs, which are 2nd & 3rd on my DNS list in the XG (and are being pushed to the workstations by DHCP)?



Added TAGs
[edited by: Raphael Alganes at 11:39 PM (GMT -7) on 31 Jul 2024]
  • Hello!

    So I tried what Mike had done: I put 8.8.8.8 first. This did speed up the loading of web pages, but then I had issues when attempting to log in to workstations, stating they could not reach my DCs. An nslookup of the internal domain or a DC results in a response from dns.google stating it could not find that address.

    By default the second (and third) DNS server of the list is only used when the first one is unavailable.

    Adding to this, from the Sophos Docs: "The firewall considers an NXDOMAIN (domain doesn't exist) response valid and won't query the next server. Responses are cached until the time-to-live expires."

    One way to fix this, and the web page loading times, is to use a public DNS as the first and second option (such as 8.8.8.8, 8.8.4.4), and create a DNS request route for your company domain to the DC.

    You can find more information about this in here: Add a DNS request route - Sophos Firewall

    PS: Another way is to use the DC as the first DNS server and also make it work as a forwarder for public domains. (Maybe I'm wrong on this one; if someone can correct me, please do.)

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Hi Prism,

    I tried your suggestion. I put the Google servers in DNS and added a DNS request route for my local domain to the DCs. I tried my local domain both as <xyz>.local and just as <xyz>. Web pages load almost instantly, but then I cannot resolve my domain with nslookup, or, if I reboot the machine and attempt to log in, on the login screen I get the message that the domain does not exist.

    So then I tried the inverse. I put my DCs in DNS slots 1 & 2, and I created a DNS request route for dns.google and put in the Google servers. That allows for DNS resolution to my DCs, but web pages load slowly as before.

    So while this seemed like an appropriate solution, it did not work.

    And for the last part of your statement:

    PS: Another way is to use the DC as the first DNS server and also make it work as a forwarder for public domains. (Maybe I'm wrong on this one; if someone can correct me, please do.)

    Yes, you are correct. I put my DCs in the DNS list, and my DCs have forwarders to the Google DNS servers.

    I wonder if I should contact Sophos Support, since the DNS Request Route did not seem to change anything.

    Edit: Maybe I should try removing the forwarders in my DCs and putting my local domain in the DNS request route. I will try this tomorrow.

    Appreciate your help.

    Thanks

    As I stated in my previous message, I tested other scenarios by removing the forwarders from the Azure DCs and attempting to rely on what I had put in the DNS request route, but none of that had any effect on browsing performance. I hope that someone from Sophos will chime in here, because the DNS request route entries do not seem to have any effect, no matter which way I set them up.

    So what I have done over the last couple of days is: I have provisioned a third (new) domain controller and placed it onsite. So I now have a primary and secondary in Azure, and a tertiary DC onsite. I have changed the DNS settings in the Sophos XG to these entries in this order: 1. DC3 (onsite), 2. AZ-DC1-Primary, 3. AZ-DC2-Secondary. Web pages are now loading as expected, and there are no issues with login of local workstations to the domain. Before I started on this journey of moving most of the infrastructure to Azure, I had it in the back of my mind that I would have to set it up this way, to satisfy local machine logins and other AD properties and also have the DCs in the Azure infrastructure.

    I'm not sure if there is any other correct way to do this, but this does seem to be the answer. I hope this helps anyone else having to deal with on-prem & connected Azure cloud resources.

    Seems to be all good now.

    Lonnie
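As an added illustration (not Sophos code, and not something either poster ran), the Python model below applies the selection rules Prism quoted above and walks the four DNS layouts tried in this thread: the second and third servers in Configure > Network > DNS are consulted only when the first is unreachable, an NXDOMAIN from the first server is a final answer, and a DNS request route whose domain matches the query overrides the global list. The IP addresses, the domain corp.local, the per-server answer tables and the latency figures are all constructed for the example; the 900 ms figure simply stands in for "reached across the site-to-Azure VPN".

```python
"""Model of how a firewall's DNS list and DNS request routes choose an
upstream server. Constructed data; not Sophos Firewall code."""
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"
SERVFAIL = "SERVFAIL"


@dataclass
class DnsServer:
    address: str
    latency_ms: int        # constructed cost of reaching this server
    records: dict          # name -> IP it can answer; anything else -> NXDOMAIN
    reachable: bool = True


@dataclass
class Resolver:
    """The Configure > Network > DNS list plus any DNS request routes."""
    servers: list                                        # ordered global list
    request_routes: dict = field(default_factory=dict)   # domain -> ordered servers

    def servers_for(self, name):
        """A request route wins when the query is the domain or a subdomain of it."""
        for domain, route_servers in self.request_routes.items():
            if name == domain or name.endswith("." + domain):
                return route_servers
        return self.servers

    def resolve(self, name):
        """Return (server, answer, latency_ms). The first reachable server's
        reply is final, even when that reply is NXDOMAIN; the next server is
        only tried when the current one is unreachable."""
        for srv in self.servers_for(name):
            if not srv.reachable:
                continue
            return srv.address, srv.records.get(name, NXDOMAIN), srv.latency_ms
        return None, SERVFAIL, 0


# Constructed zone data. The DCs have forwarders, so they answer public names
# too, but only the on-site DC answers quickly (hypothetical addresses).
PUBLIC = {"www.example.com": "93.184.216.34"}
INTERNAL = {"corp.local": "10.1.0.10", "dc1.corp.local": "10.1.0.10"}

GOOGLE_1 = DnsServer("8.8.8.8", 20, PUBLIC)
GOOGLE_2 = DnsServer("8.8.4.4", 20, PUBLIC)
AZ_DC1 = DnsServer("10.1.0.10", 900, {**INTERNAL, **PUBLIC})    # across the VPN
AZ_DC2 = DnsServer("10.1.0.11", 900, {**INTERNAL, **PUBLIC})
ONSITE_DC3 = DnsServer("192.168.1.10", 2, {**INTERNAL, **PUBLIC})


def scenarios():
    """The four layouts discussed in the thread."""
    return {
        # original layout: Azure DCs first, 8.8.8.8 third
        "dcs_first": Resolver([AZ_DC1, AZ_DC2, GOOGLE_1]),
        # Mike's fix: public resolver first, DCs second and third
        "google_first": Resolver([GOOGLE_1, AZ_DC1, AZ_DC2]),
        # Prism's suggestion: public resolvers plus a request route for the AD domain
        "google_plus_route": Resolver([GOOGLE_1, GOOGLE_2],
                                      {"corp.local": [AZ_DC1, AZ_DC2]}),
        # Lonnie's final layout: on-site DC first, Azure DCs as fallback
        "onsite_dc_first": Resolver([ONSITE_DC3, AZ_DC1, AZ_DC2]),
    }


def walk(name):
    """Which server answers `name`, and with what, under each layout."""
    return {label: r.resolve(name) for label, r in scenarios().items()}


if __name__ == "__main__":
    for q in ("www.example.com", "dc1.corp.local"):
        for label, (srv, answer, ms) in walk(q).items():
            print(f"{label:18} {q:16} -> {answer:14} via {srv} ({ms} ms)")
```

Running it shows the two failure modes in the thread: with 8.8.8.8 first, dc1.corp.local gets NXDOMAIN from 8.8.8.8 and the DCs are never consulted, while with the DCs first every public lookup pays the VPN round trip. With a matching request route the internal names go to the DCs and public names to 8.8.8.8, which is the behaviour the Sophos documentation describes; the model cannot explain the original poster's observation that the routes had no visible effect on his unit, which is a configuration or support question rather than a rule of the model.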
