This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Mysterious dup acks, retransmissions with PCs at just two sites with HTTPS


This problem is pretty fantastic - and is driving me nuts.

We have a server in a farm up at an ISP that recently moved from old to new hardware to bring it into line with other identical servers in the farm. After the hardware move we checked everything was OK with being able to upload files via HTTPS to this server - and all was good. The work was performed at the weekend so all these checks were being done from home.

So Monday comes around, and we notice that in the Office, when we're trying to upload files to this server using HTTPS, it's excruciatingly slow, but for some reason, only on PCs. Macs are not affected! Also - HTTP (not secure) uploads were fine so the issue only affects HTTPS. Other servers in the farm are fine, the problem is only with this one upgraded server. If the people with PCs switch to a dongle and get out on the Internet through that - it's fine, so it's not something on their PCs.

Then the other office, up north, reports the exact same problem.

We used Wireshark, but really it's just re-affirmed that there is a problem, I don't think it's able to tell us why.

When using a dongle to get Internet, the packet trace is fine, we see the TLS handshake, no problems. And then on the very same PC, when using their office Internet connection, we see Duplicate Acks, Fast Retransmissions, and many 'Ignored unknown record' instances. TLS handshake is still there, it's just surrounded by the bad packets. The upload does work, it's just very slow.

We have checked for dropped packets on the office firewall, dropped packets on the firewall up at the farm, dropped packets on the web server in question, and dropped packets on the switch port that the server is connected to - nothing.

Does anyone have any ideas as to what could be the main culprits with this one?

In summary:

- One web server - hardware upgraded, was working fine before upgrade.
- Other web servers in the same farm, working fine for everyone.
- After upgrade, HTTPS is very slow inside the office. However, it's fine for everyone outside the office.
- Problem only occurs with HTTPS, HTTP is fine.
- Macs working fine inside the office.
- PCs uploading SLOW in the office, but same PCs upload FAST 'outside'.
- PCs in a completely different office also uploading SLOW.

Is this a strange one or what?!!?

Any ideas?

JD

asked 26 Jan '13, 01:23


jdamnation

Hard to say without having traces of both situations - I'm not sure if you could post examples at http://www.cloudshark.org, but if you can it would help looking at things.

Where are you capturing your traces? On the PCs that are affected? Or do you use a SPAN/TAP setup? It might explain some of the strange things happening when you're doing the trace on the affected PC, but it is still, without a sample, hard to tell.

(26 Jan '13, 07:16) Jasper ♦♦

And what do you mean by a dongle? Are you physically changing cables (two different networks)? And "outside" is PCs coming into the server directly (like in a DMZ?)

Also, who handles the certificates? Are they self-signed certs, or are you using Verisign (or the like)? Is it possible that the certificates on the PCs are out of date? Or the CA is out of date and does not have the server listed?

(26 Jan '13, 15:44) hansangb

Could you take a look at this screenshot:

http://dl.dropbox.com/u/15190347/PCAPS/HTTPS-3G-VS-OFFICE.png

The connection on the left is the fast one (using a 3G WiFi dongle), the right is the slow one (via office WiFi).

The last two digits of the server IP are '65' (as destination).

There is a clear difference in TLS behaviour here, dependent on whether you are going out via the 3G dongle (which works fine) versus using the office Internet connection which is slow.

Why would this be the case? Why are the Macs not affected? Why might migrating the webserver to new hardware cause the problem?

JD

(27 Jan '13, 03:17) jdamnation

Of particular interest, on the slower office connection there is a 'Client Key Exchange' going on, which doesn't appear to show up when using the 3G WiFi dongle. Also in the 'Server Hello', when using the 3G dongle, the Handshake Protocol is showing as 'Server Hello' whereas on the office connection it's showing as 'Multiple Handshake Messages', in addition to the Server Hello there are Certificate and Certificate Status messages.

(27 Jan '13, 03:23) jdamnation
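An added example, not from the original thread, of what those dissector labels correspond to at the byte level: a small Python walker over the TLS record layer, run on constructed TLS 1.0 bytes. It shows how a server flight packed into one record reads as 'Multiple Handshake Messages' while the same messages in separate records show under their own names, and how a missing segment (the situation behind the duplicate ACKs and retransmissions in the question) makes the walker land mid-record and report 'Ignored Unknown Record'. The message bodies are placeholders, not real handshake data, and the label strings imitate Wireshark's Info column rather than reproduce its code.

```python
import struct
# TLS record-layer / handshake constants (RFC 5246)
CT_HANDSHAKE = 22
HS_NAMES = {1: "Client Hello", 2: "Server Hello", 11: "Certificate",
            14: "Server Hello Done", 16: "Client Key Exchange",
            22: "Certificate Status"}
def tls_record(body, ctype=CT_HANDSHAKE, version=b"\x03\x01"):
    """One TLS record: type(1) version(2) length(2) body."""
    return bytes([ctype]) + version + struct.pack("!H", len(body)) + body
def handshake_msg(hs_type, body):
    """One handshake message: type(1) length(3) body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body
def dissect(data):
    """Walk a byte stream record by record and return one Info-style string per record."""
    out, off = [], 0
    while off < len(data):
        hdr = data[off:off + 5]
        # Not a known content type with a 3.x version: Wireshark's "Ignored Unknown Record"
        if len(hdr) < 5 or hdr[0] != CT_HANDSHAKE or hdr[1] != 3:
            out.append("Ignored Unknown Record")
            break
        length = struct.unpack("!H", hdr[3:5])[0]
        body = data[off + 5:off + 5 + length]
        if len(body) < length:  # record continues in a segment we do not have
            out.append("Continuation Data (%d bytes missing)" % (length - len(body)))
            break
        names, h = [], 0
        while h + 4 <= len(body):  # several handshake messages may share one record
            hs_type = body[h]
            hs_len = int.from_bytes(body[h + 1:h + 4], "big")
            names.append(HS_NAMES.get(hs_type, "Unknown(%d)" % hs_type))
            h += 4 + hs_len
        if len(names) > 1:
            out.append("Multiple Handshake Messages: " + ", ".join(names))
        else:
            out.append(names[0] if names else "Empty Handshake Record")
        off += 5 + length
    return out
# Constructed sample messages (placeholder bodies, not real handshake data)
SERVER_HELLO = handshake_msg(2, b"\x03\x01" + bytes(32) + b"\x00\x00\x2f\x00")
CERTIFICATE = handshake_msg(11, b"\x00\x00\x10" + bytes(16))
CERT_STATUS = handshake_msg(22, b"\x01\x00\x00\x04OCSP")
# Server flight with one message per record: each shows under its own name
SEPARATE = tls_record(SERVER_HELLO) + tls_record(CERTIFICATE)
# Same flight packed into one record: "Multiple Handshake Messages"
COALESCED = tls_record(SERVER_HELLO + CERTIFICATE + CERT_STATUS)
# Coalesced flight with its first 40 bytes lost: the walker lands mid-record
MISSING_HEAD = COALESCED[40:]
```

Running dissect() on each of the three streams gives the three labels in turn; a stream cut short after the record header instead yields a 'Continuation Data' line, which is what a dissector reports while waiting for the retransmitted segment.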

The screenshots don't provide the needed facts to help you without just guessing what might be the problem. Like Jasper stated, try to grab some non-critical-payload traces and share those.

(28 Jan '13, 09:59) Landi

Thanks guys - there is no possibility of me posting up any type of payload as this is a very sensitive setup. I wasn't really hoping for someone to point out 'the problem' but actually perhaps just suggest what sort of problem might occur, based on my particular 'symptoms'.

Thanks anyway!

JD

(28 Jan '13, 10:34) jdamnation

Hello, did you ever resolve this problem? We are experiencing very similar symptoms.

(31 May '13, 10:03) meljo