Symantec Web Gateway (SWG) 4.5.x adds more than 2ms latency to an internet connection while in inline mode
|Article:TECH96939|||||Created: 2009-01-21|||||Updated: 2009-01-30|||||Article URL http://www.symantec.com/docs/TECH96939|
While directing traffic through SWG 4.5.x in inline mode, you notice that you have slow connectivity. You seek steps to troubleshoot and resolve this behavior.
Slow surfing or other slow network communications from end users to the internet
- On the case of SWG 4.5 Appliance, the bypass mode light is not lit.
- In the web interface, on Administration> Configuration> Network, "Service Enabled" is checked.
- SWG is in inline mode.
- SWG has at least one policy with an action of Block, or SWG's default mode is Blocking.
- If slow connection symptoms affect all users and all sites, troubleshoot for all users and all sites.
- If slow connection symptoms affect only some users and/or some sites, troubleshoot for some users and/or some sites. Then, if symptoms persist, troubleshoot as if connections are slow for all users and all sites.
To troubleshoot slow connectivity for all users and all sites
- On the left pane of the web interface, under Administration, click Configuration.
- At the top, click Operating Mode.
- Uncheck "Service Enabled".
If symptoms persist, stop here. SWG is not responsible for the slow connectivity. You will need to examine other environmental factors.
- On the left pane, under Administration, click System Status.
If you see CPU utilization over 80%, please contact support for further assistance.
- On the left pane, under Administration, click Configuration.> Network. Scroll down to "Ethernet Port Configuration".
Confirm with your network administrator that the Speed and Duplex for each interface matches the Speed and Duplex of the network device to which you connect.
- If necessary, force network speed for one or more interfaces (see below)
- Under "Static Route Configuration", check static routes to confirm that you have the correct static route for each subnet in your environment.
If necessary, confirm with your network administrator that the static routes as they appear in the web interface are correct and complete for the location where you have deployed the SWG Appliance.
To troubleshoot slow connectivity for some users and/or some sites
- On the web interface, click Policy> Whitelist
- Click Add a Whitelist Entry
- If connections are slow for a user, type the IP address of the end user's computer.
- If connections are slow for some users, type a CIDR notation for the subnet which contains the end users' computers.
- If connections are slow for a site, type the IP address or domain name of the target site.
- If connections are slow for multiple sites, type a CIDR notation for the subnet which contains those sites.
- Under Comment, type a label for your later reference
- Click Save.
- Re-test network connectivity. If symptoms persist, SWG is not responsible. Further troubleshooting should focus on the end user's computer or the target website.
- Ping from the end user's computer to SWG
- Ping from SWG to the end user's computer
- Ping from SWG to the target site.
- Traceroute from the end user's computer to SWG
- Traceroute from SWG to the end user's computer
- Traceroute from SWG to the target site
To force network negotiation to 100MB and Full Duplex
- Change Auto-negotiate to "Off", then specify the speed and duplex.
- In web interface, on the left pane, click Administration> Configuration
- At the top, click Network
- Scroll down to the section "Ethernet Port Configuration"
- For the port you seek to change, on the Auto-Negotiation column, select "Off" in the dropdown box.
- --- the Duplex and Speed values become selectable
- On the Duplex column, select "Full"
- On the Speed column, select "100Mb/s"
- Click Save.
About CPU usage statistics
The web interface updates the CPU usage statistic once every 60 seconds.
About auto-negotiation for SWG
Currently, SWG 4.5.x auto-negotiates 100MB/sec speeds as half duplex. If the web interface show a Speed of "100Mb/s" and Duplex of "N/A", and the switch is set to auto-negotiate a 100Mb/s speed, SWG will negotiate a half duplex connection.
Article URL http://www.symantec.com/docs/TECH96939