I got a new internet connection. Suddenly, some sites show slow performance or failures.
One is my own private site which does not have a categorization nor a verified reputation. This site is really slow when MWG uses the new internet connection.
The other one is Google+ (plus.google.com). It is a bit slower than usual, but the main problem is the part on the right side, where Google Hangouts is located. This part often says "server failed" or "Oops, something went wrong".
I tcpdump'ed around a bit and I found something interesting: when the client asks MWG for my private site, I do not see a SYN packet to my site being sent from MWG outside for several seconds. To me this looks like MWG sits on the request for a while and "thinks" about it before actually trying to connect to the site.
Unfortunately, there seems to be some kind of caching mechanism, because after some minutes, the problems mostly vanish. If I try it an hour later, they reappear.
My speculation is that with the new internet connection some DNS requests made for reputation scoring do fail. But how should I approach that? Is there some logging for the reputation scoring and its timing behavior?
in the past days I have delays of around 6 seconds caused by GTI lookups done by the AV engine. If you like you can try those off and see if the problem goes away. We were not yet able to find out what exactly caused those problems.
If you watch our for DNS packets in your tcpdumps, do you see DNS is working quick and reliable, or do you see any instances of delayed responses here?
We do have a couple of debug logs but those will cause a ton of data to be written to the disk. I would recommend to first try disabling some of the cloud lookups to rule out what exactly causes the delays. If we know what goes wrong we can turn on the piece of logging that will catch the required debug details and see what is going on exactly.
whatever that was, meanwhile it seems to be sorted out. I do no longer see delays, performance problems or "server failed".