I have a client that came to me with a system where every initial connection was very slow. If you load the web server it can take a while to load. If you SSH into the server it seems to hang as well. My initial assumption was that it was DNS related. I checked DNS and it looks OK. The dig command gets back a response right away. Memory, CPU, load, disk, etc. all look OK.

While on the box I noticed that every time I made a connection to a host, the first time was very slow and every time thereafter it was fast. For instance, if I did curl cnn.com, it took a few seconds. The next time it happened real fast. I suspected DNS, so I did it to an IP and got the same result. It was not session specific, since looking at the traffic with tcpdump showed a new source port. What I noticed over and over was that it had to do with the destination IP. Once there was a connection to that IP, all other connections to the same IP went fast. Looking at a capture of the network traffic, there were multiple retransmissions before we got a response. Any idea what would cause this? You can see the traffic captured here https://ufile.io/f/taoop
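The pattern described in the question (retransmissions on the first connection to a destination IP, none on later ones) can be checked mechanically from a text capture. This is an added example, not part of the original post: it assumes the retransmitted packets are the initial SYN, and the `tcpdump -tt -n` sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -tt -n` text form (not the poster's capture).
SAMPLE = """\
100.000000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 111, win 64240, length 0
101.000000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 111, win 64240, length 0
103.000000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], seq 111, win 64240, length 0
103.020000 IP 192.0.2.10.80 > 10.0.0.5.40000: Flags [S.], seq 900, ack 112, win 65535, length 0
110.000000 IP 10.0.0.5.40002 > 192.0.2.10.80: Flags [S], seq 222, win 64240, length 0
110.020000 IP 192.0.2.10.80 > 10.0.0.5.40002: Flags [S.], seq 901, ack 223, win 65535, length 0
120.000000 IP 10.0.0.5.40004 > 198.51.100.7.443: Flags [S], seq 333, win 64240, length 0
120.015000 IP 198.51.100.7.443 > 10.0.0.5.40004: Flags [S.], seq 902, ack 334, win 65535, length 0
"""

# Matches only SYN ([S]) and SYN-ACK ([S.]) packets of IPv4 TCP handshakes.
LINE = re.compile(
    r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(S\.?)\], seq (\d+)")

def handshakes(text):
    """Map destination IP -> [(syn_retransmits, seconds_to_synack), ...] in capture order."""
    pending = {}   # (client, cport, server, sport) -> [first_syn_ts, syn_count, seq]
    result = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, a, ap, b, bp, flags, seq = m.groups()
        ts = float(ts)
        if flags == "S":
            key = (a, ap, b, bp)
            if key in pending and pending[key][2] == seq:
                pending[key][1] += 1          # same 4-tuple and seq: retransmitted SYN
            else:
                pending[key] = [ts, 1, seq]
        else:                                 # SYN-ACK: reverse the tuple to find its SYN
            key = (b, bp, a, ap)
            if key in pending:
                first_ts, count, _ = pending.pop(key)
                result[a].append((count - 1, round(ts - first_ts, 3)))
    return dict(result)

def first_only_slow(text):
    """Destination IPs whose first handshake retransmitted SYNs but later ones did not."""
    return sorted(ip for ip, hs in handshakes(text).items()
                  if len(hs) > 1 and hs[0][0] > 0 and all(r == 0 for r, _ in hs[1:]))

if __name__ == "__main__":
    print(handshakes(SAMPLE))
    print(first_only_slow(SAMPLE))
```
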
1 Answer
This issue occurs because the DNS provider returned a low-quality IP node for that domain.
The IP node is geographically very far from the client’s network, which causes the long connection delay on the first attempt.
To resolve this, you can use the DNS provider’s Anycast nodes (usually available through a paid plan), which will route the connection to the nearest and fastest IP node automatically.
traceroute command which can use TCP rather than ICMP and a higher number of queries than normal might give some insight. I haven't looked at your pcap files (sorry) - they might show PMTU discovery,