"web problems" "ssl issues"
Not sure if others are running into this or not, but we had a few vague support calls come in at once about browser 'ssl problems' and some issues with some websites 'taking forever to come up'... It looks like the common problem is bringing up pages that have

src="https://siteseal.thawte.com/cgi/server/thawte_seal_generator.exe">

embedded in the web page the end user goes to.

Depending on how the page is written, it can seem (to the end user anyways) as if the page is taking for ever to come up. The browser is blocking on talking to the site seal server. e.g. from the first syn, it was almost 25 seconds before the verisign/thawte server responded.

10:37:18.894068 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:21.860159 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:27.794374 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:39.865205 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.881109 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.961994 IP 65.205.248.242.443 > 199.212.134.18.62217: S 3993252659:3993252659(0) ack 3464052444 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
10:37:42.962311 IP 199.212.134.18.62217 > 65.205.248.242.443: . ack 1 win 64240
10:37:42.962799 IP 199.212.134.18.62217 > 65.205.248.242.443: P 1:103(102) ack 1 win 64240
10:37:43.035470 IP 65.205.248.242.443 > 199.212.134.18.62217: . ack 103 win 1460
10:37:43.037779 IP 65.205.248.242.443 > 199.212.134.18.62217: . 1:1461(1460) ack 103 win 1460
10:37:43.041639 IP 65.205.248.242.443 > 199.212.134.18.62217: . 1461:2921(1460) ack 103 win 1460
10:37:43.042292 IP 199.212.134.18.62217 > 65.205.248.242.443: . ack 2921 win 64240
10:37:43.118203 IP 65.205.248.242.443 > 199.212.134.18.62217: P 2921:3967(1046) ack 103 win 1460
10:37:43.119345 IP 199.212.134.18.62217 > 65.205.248.242.443: P 103:285(182) ack 3967 win 63194

network connectivity to 65.205.248.0/24 is fine for me. It looks to be at the application layer at verisign ?

Just a heads up in case your helpdesk runs into this issue as well as it seems to be a rather obscure problem that sent us on a wild goose chase at first. Some browsers deal with it differently. on IE, most of the page does not display until the seal comes up or times out.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

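Added example, not part of the original post: a short Python script that reads the SYN and SYN-ACK packets of the trace above and reports, for each seal server address the client tried, how many SYNs were retransmitted and how long the client waited before any server completed the handshake. The function names and the regular expression for the older tcpdump text format are this example's own assumptions.

```python
import re
from datetime import datetime

# SYN and SYN-ACK packets copied from the trace quoted in the message above.
TRACE = """\
10:37:18.894068 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:21.860159 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:27.794374 IP 199.212.134.18.65064 > 65.205.248.240.443: S 2515327385:2515327385(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:39.865205 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.881109 IP 199.212.134.18.62217 > 65.205.248.242.443: S 3464052443:3464052443(0) win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
10:37:42.961994 IP 65.205.248.242.443 > 199.212.134.18.62217: S 3993252659:3993252659(0) ack 3464052444 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 2>
10:37:42.962311 IP 199.212.134.18.62217 > 65.205.248.242.443: . ack 1 win 64240
"""

# Assumed line shape: the older tcpdump text format used in that trace.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{6}) IP (\d+(?:\.\d+){3})\.(\d+) > "
                  r"(\d+(?:\.\d+){3})\.(\d+): (\S+) (.*)$")

def syn_flows(trace):
    """Group SYNs by (client, server) and attach the first SYN-ACK, if any."""
    flows = {}
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(6) != "S":
            continue  # only handshake packets matter here
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")  # assumes no midnight wrap
        src, dst = (m.group(2), int(m.group(3))), (m.group(4), int(m.group(5)))
        if " ack " in m.group(7):  # SYN-ACK travels server -> client
            flow = flows.get((dst, src))
            if flow and flow["synack"] is None:
                flow["synack"] = ts
        else:  # initial SYN or a retransmission on the same 4-tuple
            flows.setdefault((src, dst), {"syns": [], "synack": None})["syns"].append(ts)
    return flows

def summarize(trace):
    """Per-server retransmit counts plus the stall before any SYN-ACK arrived."""
    flows = syn_flows(trace)
    rows = []
    for (_, server), f in flows.items():
        wait = (f["synack"] - f["syns"][0]).total_seconds() if f["synack"] else None
        rows.append({"server": "%s:%d" % server, "retransmits": len(f["syns"]) - 1, "handshake_s": wait})
    answered = [f["synack"] for f in flows.values() if f["synack"]]
    first_syn = min((f["syns"][0] for f in flows.values()), default=None)
    stall = (min(answered) - first_syn).total_seconds() if answered else None
    return rows, stall

if __name__ == "__main__":
    print(summarize(TRACE))
```

A `handshake_s` of `None` marks an address that never answered within the capture, which is the signal that separates an unresponsive server from a slow path.
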
I hadn't thought about this until now, when I had to use our SPKI account with Thawte. It's painfully slow processing anything.

It doesn't seem that anything's amiss with latency or network otherwise, but we're noticing this impact.

I'm also just West of you, so I'm curious if it's slightly geographic in nature, as nobody else has noted similar that I've seen here.

On Thu, 5 Mar 2009, Mike Tancsa wrote:
> Not sure if others are running into this or not, but we had a few vague support calls come in at once about browser 'ssl problems' and some issues with some websites 'taking forever to come up'... It looks like the common problem is bringing up pages that have
>
> src="https://siteseal.thawte.com/cgi/server/thawte_seal_generator.exe">
>
> embedded in the web page the end user goes to.
>
> Depending on how the page is written, it can seem (to the end user anyways) as if the page is taking for ever to come up. The browser is blocking on talking to the site seal server.
>
> <judicious snippage>
>
> Just a heads up in case your helpdesk runs into this issue as well as it seems to be a rather obscure problem that sent us on a wild goose chase at first. Some browsers deal with it differently. on IE, most of the page does not display until the seal comes up or times out.
>
> ---Mike
>
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

On Thu, Mar 5, 2009 at 2:20 PM, <nanog@namor.ca> wrote:
> I hadn't thought about this until now, when I had to use our SPKI account with Thawte. It's painfully slow processing anything.
>
> It doesn't seem that anything's amiss with latency or network otherwise, but we're noticing this impact.
>
> I'm also just West of you, so I'm curious if it's slightly geographic in nature, as nobody else has noted similar that I've seen here.

doubtful it's GEO related from both ATL and SAC and IAD I get the same dns mappings:

;; ANSWER SECTION:
siteseal.thawte.com. 900 IN A 65.205.248.247
siteseal.thawte.com. 900 IN A 65.205.248.251
siteseal.thawte.com. 900 IN A 65.205.248.236
siteseal.thawte.com. 900 IN A 65.205.248.240
siteseal.thawte.com. 900 IN A 65.205.248.242
siteseal.thawte.com. 900 IN A 65.205.248.246

I don't, however, get any reasonable response on port 443 to these ips... (they all seem to be in SJC-area fyi)

Perhaps Thawte/VS is experiencing some LB or load issues?

-Chris

> On Thu, 5 Mar 2009, Mike Tancsa wrote:
>> Not sure if others are running into this or not, but we had a few vague support calls come in at once about browser 'ssl problems' and some issues with some websites 'taking forever to come up'... It looks like the common problem is bringing up pages that have
>>
>> src="https://siteseal.thawte.com/cgi/server/thawte_seal_generator.exe">
>>
>> embedded in the web page the end user goes to.
>>
>> Depending on how the page is written, it can seem (to the end user anyways) as if the page is taking for ever to come up. The browser is blocking on talking to the site seal server.
>>
>> <judicious snippage>
>>
>> Just a heads up in case your helpdesk runs into this issue as well as it seems to be a rather obscure problem that sent us on a wild goose chase at first. Some browsers deal with it differently. on IE, most of the page does not display until the seal comes up or times out.
>>
>> ---Mike
>>
>> --------------------------------------------------------------------
>> Mike Tancsa, tel +1 519 651 3400
>> Sentex Communications, mike@sentex.net
>> Providing Internet since 1994 www.sentex.net
>> Cambridge, Ontario Canada www.sentex.net/mike

participants (3)
- Christopher Morrow
- Mike Tancsa
- nanog@namor.ca