A domain-name-based (address object group) security policy is configured on the device for access control. After the configuration, terminals cannot access the URLs at all. After DNS snooping is configured as well, terminals can access the URLs, but access is slow (lag).
When curl https:// is used to access the URL, the terminal does not load the page immediately; it stalls for about half a minute:
The part that was accessed successfully is displayed as follows:
Before the terminal starts accessing, check the domain-name resolution entry table on the device and confirm that there is no entry for the URL's domain name. When the terminal starts accessing, check again; the corresponding entry now exists:
After the terminal accesses successfully, check the entries again; they are unchanged from the previous check:
Then capture packets and trace the message (packet) processing on the device.
The packet capture shows TCP retransmissions:
However, message tracing shows that this data flow was rejected at first and passed later:
The lag is therefore suspected to be caused by abnormal rejection of the initial packets of the flow. The second-line research and development (R&D) team was contacted to determine the reason for the rejection. Their conclusion: the aging time of the resolved IP addresses under the address object group does not match the interval at which the DNS resolution result changes, so the resolved addresses are repeatedly aged out and re-learned, and every such change triggers policy acceleration again (see the mechanism below).
R&D recommends increasing the aging time with the command object-group dns-aging time. After object-group dns-aging time 2880 was configured on site, the lag no longer occurred in testing.
Increase the aging time using object-group dns-aging time
// After the object-group dns-aging time is increased, the IP addresses obtained by domain name resolution under the address object group no longer change frequently, which avoids frequent triggering of policy acceleration and reduces the number of acceleration runs.
The working mechanism is as follows:
After this function is enabled, the address object group maintains an IP address group for each host name.
1. When the IP address obtained by resolving the host name through DNS is not in the address group, the new IP address is added to the group, and the group's new IP address range is notified to the relevant policies. The aging time of the new IP address in the object group is the aging time configured by this command.
2. When the obtained IP address is already in the group, the relevant policies are not notified, and the aging time of that IP address in the object group is refreshed.
3. When an IP address in the group reaches its aging time, it is removed from the group and the relevant policies are notified. This reduces the number of acceleration runs for the related policies and lowers device memory usage.
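The aging mechanism in steps 1 to 3 can be modelled in a few lines to see why the aging time must exceed the interval at which the resolved address changes, which is the mismatch R&D identified. The following Python is an added illustration written for this page, not the device's code: the group class, the timestamps, the address pool (taken from the 198.51.100.0/24 documentation range) and the re-resolution interval are all constructed, the time unit is abstract (the page's value 2880 is simply reused as the long setting), and a "notification" stands for the policy acceleration trigger the text describes.

```python
from dataclasses import dataclass, field


@dataclass
class DnsAgingGroup:
    """Per-host-name IP address group with aging (model of steps 1 to 3).

    Hypothetical reconstruction for illustration; it is not the device's
    implementation. `aging_time` and all timestamps share one abstract unit.
    """
    aging_time: int
    entries: dict = field(default_factory=dict)  # ip -> time at which the entry ages out
    notifications: int = 0                       # policy notifications = acceleration triggers

    def expire(self, now):
        """Step 3: drop addresses that reached the aging time and notify policies."""
        aged = [ip for ip, deadline in self.entries.items() if deadline <= now]
        for ip in aged:
            del self.entries[ip]
            self.notifications += 1
        return aged

    def observe(self, ip, now):
        """A DNS answer for the host name resolved to `ip` at time `now`."""
        self.expire(now)
        if ip not in self.entries:
            # Step 1: new address, add it and notify the policies using the group.
            self.entries[ip] = now + self.aging_time
            self.notifications += 1
            return "added"
        # Step 2: known address, only refresh its aging time; no notification.
        self.entries[ip] = now + self.aging_time
        return "refreshed"

    def permits(self, ip, now):
        """Whether a packet to `ip` at time `now` still matches the group."""
        deadline = self.entries.get(ip)
        return deadline is not None and deadline > now


# Constructed scenario: the host name is served round-robin from three
# addresses and the terminal re-resolves it every `interval` time units,
# so each individual address recurs every len(POOL) * interval units.
POOL = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]


def simulate(aging_time, pool=POOL, interval=10, duration=300):
    """Count policy notifications over `duration` for a given aging time."""
    group = DnsAgingGroup(aging_time=aging_time)
    for i, now in enumerate(range(0, duration, interval)):
        group.observe(pool[i % len(pool)], now)
    return group.notifications


if __name__ == "__main__":
    # Addresses recur every 30 units here: aging 10 and 30 churn constantly,
    # aging 31 and 2880 settle after the three initial additions.
    for aging in (10, 30, 31, 2880):
        print(f"aging_time={aging:5d}: {simulate(aging):3d} policy notifications")
    # A flow that starts after its address aged out but before it is re-learned
    # is the "rejected at first, passed later" case seen in the message trace.
    g = DnsAgingGroup(aging_time=10)
    g.observe(POOL[0], now=0)
    print("permitted at t=5:", g.permits(POOL[0], 5), "at t=10:", g.permits(POOL[0], 10))
```

In this model an aging time of 10 or 30 produces a removal plus a re-addition (two notifications, hence two acceleration triggers) at almost every resolution, while 31 or 2880 produces only the three initial additions. The boundary is the point to take away: the aging time has to be longer than the longest gap between two resolutions that return the same address, otherwise the address group oscillates and the policies are re-accelerated on every change; the page's value of 2880 satisfies that with a wide margin.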