标签:getting issue dns str enabled sts 访问 previous policy
问题起因:
部分内网服务器调用外网站点抓取图片时出现缓慢及超时现象。
由于是由内向外方向的访问,且通过的应用层设备只有防火墙;而且用其他网段测试机测试的时候发现并没有上述访问缓慢或超时。
从防火墙抓包发现并没有drop包,但是在transmit、firewall、received中均发现有大量的re-transmission报文。
问题处理:
代理商给不出合理解释,只是判断上述故障现象不是防火墙导致的。应用同事在修改故障服务器的DNS后发现解决故障。
而防火墙上的re-transmission仍然存在。此时需要弄清re-transmission的产生原因以及是否会对网络环境产生影响。
问题解决:
给原厂tech报case后,给出的解释如下。
So what is happening is that packets are coming out of order from server side, In such case firewall holds that packet until all the previous packets have arrived. then it combines the data and does layer7 on it.
Becuase packet arriving out of order, and becuase fiewall holding the packet, client is not getting ack in time and restranmists packets.
OK, if you trusted then we can enabled DSRI on the security policy, firewall will stop inspection of traffic from it and as such will not hold up the packets
So looking into all of this, we have following ways to get rid of retransmission: 1) Identify why packets arriving out of order on firewall, this is happening from Server side 2) We can do appoverride for http traffic so that no layer7 is performed on it,
firewall will not hold the packets. But as you can see firewall stops doing laye 7 inspection. 3) Ignore the re-transmissions if there is no issue happening because of it.
即,由于外网server在回应http的请求时顺序是乱的,而防火墙要对这些7层报文进行安全检查然后在转给访问源,此时访问源没有及时收到ack报文。
同理,https就没有上述。防火墙上额https的访问抓包也佐证了这一点。
PS:英文熟练度还是需要多加练习啊,尤其是在写和讲方面。
PA防火墙抓包结果显示重传(re-transmission)
标签:getting issue dns str enabled sts 访问 previous policy
原文地址:https://www.cnblogs.com/xinghen1216/p/11063695.html