Firewall – IBM Proventia Firewall Possibly dropping packets between subnets

Tags: firewall, networking, subnet

I have a network that has 3 subnets, 10.1.4.0/24, 10.1.5.0/24, 10.1.9.0/24. They are all routed using an IBM Proventia Firewall. The firewall is fairly straight forward and everything seems to be working fine.

However, if I try to contact a web server on 10.1.9.xxx from 10.1.4.xxx the page takes 5+ minutes to load, and often does not load all of the images completely.

If I contact that same web server from 10.1.5.xxx it loads instantly on any PC.

I can ping the web server from the 10.1.4.x network. I can port scan the server and see that traffic on 80 is free flowing from the 10.1.4.x network. The firewall is set up and allowing traffic.

So I took a Wireshark capture of the traffic and filtered on ip.src == 10.1.9.xxx or ip.dst == 10.1.9.xxx. The capture is strange; there are many packets that seem to be missing from the HTTP transaction. Many warnings from Wireshark regarding TCP Retransmissions. Almost every packet after the first 3-5 during initial contact is retransmitted. I captured a good HTTP transaction (to the same server) from my desktop and compared. It's almost like the firewall or something is dropping packets. This device has an IPS and AV system built in; I have tried disabling them both (even both at the same time). The two subnets in question are wired locally, no WAN links or VPNs. The 10.1.9.xxx subnet goes through a managed switch. Maybe the switch is dropping something?


Best Answer

Problem resolved!

Turns out that another one of our Admins had set up the server demonstrating problems on a multihomed platform, and it had two default gateways. Wasn't the firewall's fault after all.

Thanks
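A check for the root cause the accepted answer found, added here and not taken from the thread: it parses a routing table and flags a host that has more than one default gateway. It assumes a Linux server with iproute2 and uses a constructed sample of `ip route show` output, since the thread does not say which OS the web server runs.

```shell
#!/bin/sh
# Added check for a multihomed host with two default gateways (the root cause
# in this thread). Assumes Linux with iproute2; Windows `route print` is not parsed.

# Constructed sample of `ip route show` output showing the misconfiguration.
# On a real host, capture it with:  ip route show
SAMPLE_ROUTES='default via 10.1.9.1 dev eth0 proto static metric 100
default via 10.1.5.1 dev eth1 proto static metric 100
10.1.9.0/24 dev eth0 proto kernel scope link src 10.1.9.25
10.1.5.0/24 dev eth1 proto kernel scope link src 10.1.5.25'

# Print "gateway interface" for every default route in the table passed as $1.
default_gateways() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5 }'
}

# Print the number of default routes in the table passed as $1.
count_default_routes() {
    default_gateways "$1" | wc -l | tr -d ' '
}

# Return 0 when exactly one default gateway exists, 1 otherwise. With two,
# replies to clients on a third subnet may leave through either gateway, so a
# stateful firewall drops the half of the flow it never saw the start of,
# which shows up as the retransmissions described in the question.
check_single_default() {
    n=$(count_default_routes "$1")
    if [ "$n" -eq 1 ]; then
        echo "OK: one default gateway"
        return 0
    fi
    echo "WARNING: $n default gateways found:"
    default_gateways "$1" | sed 's/^/  /'
    return 1
}

# Run the check against the sample; the sample deliberately fails it.
check_single_default "$SAMPLE_ROUTES" || echo "(exit status $?: remove all but one default route)"
```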