Symptom:
Some websites load very slowly via the ProxySG, but quickly when accessed directly (e.g. when the ProxySG is bypassed).
Problem:
Some DNS servers respond slowly or not at all. This is most often an issue when queried for IPv6 (AAAA) records, but can be an issue for other queries sent from a ProxySG.
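To confirm that a DNS server answers AAAA queries slowly before changing the ProxySG configuration, the check below times an A and an AAAA lookup against that server from any workstation. It is an added example, not part of the original article or any Blue Coat tooling; the 2-second timeout and the 5x slowness ratio are assumed thresholds.

```python
import socket
import struct
import sys
import time

QTYPES = {"A": 1, "AAAA": 28}  # RFC 1035 / RFC 3596 record type codes

def build_query(name, qtype, txid=0x1234):
    """Encode one DNS question (RFC 1035 wire format), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def time_query(server, name, qtype, timeout=2.0, port=53):
    """Seconds until the server answers over UDP, or None if it never does."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        deadline = time.monotonic() + timeout
        start = time.monotonic()
        sock.sendto(query, (server, port))
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            if reply[:2] == query[:2]:  # transaction ID matches our query
                return time.monotonic() - start
    return None

def classify(a_secs, aaaa_secs, ratio=5.0):
    """Decide whether the delay is specific to AAAA lookups (ratio is assumed)."""
    if a_secs is None:
        return "A lookup failed: DNS problem is not AAAA-specific"
    if aaaa_secs is None:
        return "AAAA timed out while A answered"
    if aaaa_secs > ratio * a_secs:
        return "AAAA much slower than A"
    return "no AAAA-specific delay"

if __name__ == "__main__":
    # usage: python3 dnscheck.py <dns-server-ip> <hostname>
    server, host = sys.argv[1], sys.argv[2]
    a, aaaa = (time_query(server, host, t) for t in ("A", "AAAA"))
    print(f"{server} {host}: A={a} AAAA={aaaa} -> {classify(a, aaaa)}")
```

Run it once against each DNS server configured on the ProxySG, using a hostname of one of the slow websites.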
Solution:
See http://forums.bluecoat.com/viewtopic.php?f=1&t=7301&p=23377
In some cases these IPv6 lookups may slow down your SG considerably.
To fix this, log in on the serial console or telnet/SSH to the unit and switch IPv6 off:
- Code:
enable
conf t
ipv6 disable
exit
exit
If this does not resolve the problem, the next step is to configure the ProxySG to no longer do its own DNS lookups, but rather to use the destination IP address supplied by the client (assuming an inline/transparent proxy deployment, such as with WCCP).
This is done by configuring ‘trust-destination-ip enable’ in the ProxySG. First, check the current setting by entering ‘show trust-destination-ip’ in the CLI, and if this is not enabled, enter ‘trust-destination-ip enable’.
With ‘trust-destination-ip’, the ProxySG will no longer do its own DNS lookups, but will use the IP the client was originally trying to connect to before the traffic was intercepted with WCCP. This was needed to resolve the http://www.website.com problem. The primary drawback to enabling ‘trust-destination-ip’ is that it trusts the user workstation; enabling this can allow savvy users to bypass URL filtering and access prohibited websites.