JasMan
Contributor

Delay when visiting sites hosted at Cloudflare

Hi all,

I noticed that some of the websites I visit daily need a very long time until the first content shows up in the browser. I ran a tcpdump on my client and on the LAN and WAN sides of our perimeter firewall to analyze the cause of the delay.

The SYN packet from my client hits the LAN interface of the firewall after 1-3 ms. But the outgoing SYN on the WAN side of our firewall appears 5-6 seconds later.
The logs in the SmartConsole draw a different picture: the incoming and outgoing SYN appear in the log in the same second, which is exactly when the outgoing SYN appears in the packet capture on the WAN interface.

This happens for all tested sites:

  • which are located at Cloudflare
  • which are not excluded from HTTPS inspection
  • which haven't been visited in the last hour

The CA list on the gateway is up to date and complete.

Any thoughts what or which blade could cause the delay?

Could a WSTLSD daemon debug help?

Jas Man

7 Replies
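The measurement described in the opening post (compare when a SYN arrives on the LAN capture with when the same SYN leaves on the WAN capture) can be automated. This is an added example, not code from the thread or from Check Point; it assumes tcpdump's default IPv4 line format, ignores client SYN retransmits, and matches flows on (source port, destination, destination port), which assumes the source port survives NAT (with hide NAT, key on destination only instead). The capture lines below are constructed.

```python
import re
from datetime import datetime

# tcpdump's default line for an IPv4 TCP SYN, e.g.
# "10:15:00.100000 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [S], seq 100, ..."
# "Flags [S]," deliberately excludes the SYN/ACK, which tcpdump prints as "[S.]".
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\],"
)

def parse_syns(lines):
    """Map (sport, dst, dport) -> timestamp of the FIRST bare SYN seen for that flow.
    setdefault keeps the first copy, so client retransmits (same tuple, later time) are ignored."""
    syns = {}
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            key = (int(m["sport"]), m["dst"], int(m["dport"]))
            syns.setdefault(key, datetime.strptime(m["ts"], "%H:%M:%S.%f"))
    return syns

def syn_delays(lan_lines, wan_lines, threshold=1.0):
    """Pair each LAN-side SYN with its WAN-side copy.
    Returns (dst, dport, delay_seconds, slow); delay is None if the SYN never left the firewall."""
    lan, wan = parse_syns(lan_lines), parse_syns(wan_lines)
    result = []
    for key, t_in in lan.items():
        t_out = wan.get(key)
        if t_out is None:
            result.append((key[1], key[2], None, True))
            continue
        delay = (t_out - t_in).total_seconds()
        result.append((key[1], key[2], round(delay, 3), delay > threshold))
    return result

# Constructed sample captures (TEST-NET addresses): flow 51234 is held ~5 s inside the
# firewall and the client retransmits its SYN once; flow 51235 is forwarded immediately.
LAN_CAPTURE = [
    "10:15:00.100000 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0",
    "10:15:00.200000 IP 10.1.1.50.51235 > 198.51.100.20.443: Flags [S], seq 200, win 64240, length 0",
    "10:15:01.100000 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0",
]
WAN_CAPTURE = [
    "10:15:00.202000 IP 10.1.1.50.51235 > 198.51.100.20.443: Flags [S], seq 200, win 64240, length 0",
    "10:15:05.400000 IP 10.1.1.50.51234 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0",
    "10:15:05.420000 IP 203.0.113.10.443 > 10.1.1.50.51234: Flags [S.], seq 900, ack 101, length 0",
]

if __name__ == "__main__":
    for dst, dport, delay, slow in syn_delays(LAN_CAPTURE, WAN_CAPTURE):
        print(f"{dst}:{dport}  delay={delay}s  {'SLOW' if slow else 'ok'}")
```

Run it against real captures by reading the two tcpdump text outputs into lists; flows flagged SLOW are the ones to correlate with the SmartConsole log timestamps.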
Timothy_Hall
Legend

If still no joy, please post the output of enabled_blades run from the gateway along with your code and JHFA level.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
JasMan
Contributor

The defined DNS servers are responding immediately and correctly.
HTTP/HTTPS Proxy is disabled.
The delay is not caused by any TLS-related issue, because the delay happens during the first SYN.

Enabled blades: fw vpn urlf av appi ips identityServer SSL_INSPECT anti_bot mon

I'll try to disable the AntiBot blade later. It's currently not possible.

the_rock
Legend

Is it the same in every browser? If so, you can always try using the secure DNS setting and see if it makes any difference. I believe in every browser there are a few options, i.e. Google DNS, Cloudflare, etc.

Andy

the_rock
Legend

I did more checking into this and saw a case I had with a customer, and what I attached turned out to be the issue: it was on hold, and when we changed it to background, all worked well. Might be worth checking.

Andy

JasMan
Contributor

Yes it happens in all browsers. DNS seems to be fine, because the delay happens during the SYN at the perimeter firewall on the outgoing interface. 
"Unfortunately" categorization is already set to "Background".

the_rock
Legend

K, then maybe disabling AB blade is not a bad idea.

Andy

PhoneBoy
Admin

It's not clear if wstlsd is relevant here since this problem is happening on the SYN (which has no data for wstlsd to work with).
I would get TAC involved.
