Troubleshoot network latency or performance issues in Cloud SWG
search cancel

Troubleshoot network latency or performance issues in Cloud SWG

book

Article ID: 169051

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

What data do I need to collect to troubleshoot latency or performance issues with Cloud SWG (formerly known as WSS)?

Cause

Common causes of performance issues (some of which may not be directly related to Cloud SWG) include the following: 

  • Route latency
  • Packet loss
  • Peering point congestion
  • Issues specific to your firewall or network

Resolution

Supplying the information below provides insight into where a possible performance issue originates and helps to quantify the slowness experienced.

If you do not provide this information in advance, the Support Engineer will request this information before further troubleshooting, causing the resolution of the case to be delayed.

Please gather the following before creating your case with Symantec Support: 

(1) The Cloud SWG access method (e.g. VPN/IPSec tunnel, explicit proxy, proxy forwarding, WSS Agent, etc.)

(2) The egress IP (the router/firewall's public IP) address of the location experiencing latency, as defined in Cloud SWG Portal

(3) The specific data pod and SG serving your requests (click the "more" link), from: http://pod.threatpulse.com

Please note the difference between the data center, the data pod and the proxy.  For example: "DP2-GUSDM1-3"

"GUSDM1" is the data center, "DP2" is pod #2, and "3" references ProxySG #3 within that pod. Support requires the full proxy code.


(4) Two screenshots of your download test results from: fast.com

a. With your access method ENABLED (protected), and
b. With your access method DISABLED (going direct, NOT protected).

This is used to establish a baseline result of the direct versus proxied speeds.


(5) The "http-ping" results to google.com:​ 

a. Go to: http://www.coretechnologies.com/products/http-ping/
b. Download the latest version of: http-ping.exe
c. From the command line, run the "http-ping" tool with the following command: http-ping google.com

This metric is important to establish the complete round-trip time from your client to the OCS (website), and back, while traversing through the Cloud SWG service.  This applies to any Access Method.

 

(6) ​​​A traceroute (tracert in Windows) to the data center VIP IP, with the IP from this: Data center IP addresses for Cloud SWG

(7) An ICMP ping to the data center VIP IP

(8) A WinMTR trace to the data center VIP IP (this also handles the ping and traceroute requirements)


Note: If using WSS Agent, please gather a SymDiag from an affected machine while reproducing the issue. 

Symantec does not have influence/ownership of the above-mentioned 3rd-party tools and other alternatives may be available.

Note: For proxy forward connections, ensure that the following changes have been made on the proxy in Steps 5 & 6 in the Proxy Forward WebGuide. These changes are necessary for connectivity to Cloud SWG.