Country Blocking causing slow internet/name resolution

Solved
DrewC86

We have an issue where, when we enable a Layer 7 firewall rule blocking traffic from all but a handful of countries (see image), there is a very long load time for websites, as if DNS resolution is being impacted somehow (we use 1.1.1.1/1.0.0.1). When we remove the firewall rule the issue goes away. We have other client locations with the same rule and Cloudflare DNS. Has anyone else encountered this?

Edit: We have an MX75 running MX 18.107.2 firmware. Our other locations have MX64s, could that have something to do with it?

1 Accepted Solution
AlexP
Meraki Employee

The root of all the problems you're likely facing is that many, many websites cross-load content from other domains, and won't render properly until everything is done loading. If it happens that one or more of these domains are blocked by an L7 rule, you'll see things appear to load slowly because the request is being retried (and blocked) until eventually the page decides to let the request time out.

A few years ago, I published a case study on how to more clearly identify and resolve these sorts of issues: https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Using_HAR_Files_to...

With that being said however, ultimately what our Support Teams have been saying is correct. We don't control the updates we get from Maxmind, or why they render the verdicts they do, and this can make these rules fragile because of cross-loaded content.

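A small script in the spirit of the HAR-file approach above, added here and not taken from the linked Meraki case study: it parses a browser-exported HAR file and lists the cross-loaded (third-party) hosts whose requests failed or stalled, so those hosts can be checked against the countries the L7 rule permits. The HAR content is constructed, and the convention that a request which never got a response is recorded with status 0 is an assumption based on Chrome's HAR export, not something the post states.

```python
import json
from urllib.parse import urlsplit

# Constructed sample HAR (not a real capture): a page on www.example-main.test
# that cross-loads a script from a third-party host which never answers and
# a font from another host that is very slow.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.example-main.test/"},
         "response": {"status": 200}, "time": 180.0},
        {"request": {"url": "https://www.example-main.test/app.css"},
         "response": {"status": 200}, "time": 45.0},
        {"request": {"url": "https://cdn.third-party.test/widget.js"},
         "response": {"status": 0}, "time": 30000.0},   # no response: likely blocked
        {"request": {"url": "https://fonts.other.test/font.woff2"},
         "response": {"status": 200}, "time": 5200.0},  # answered, but stalled first
    ]}
})

def slow_cross_loads(har_text, page_host, slow_ms=3000.0):
    """Return {host: (request_count, worst_time_ms, statuses)} for requests to
    hosts other than page_host that got no response (status 0, assumed to mean
    the browser gave up) or took longer than slow_ms to complete."""
    har = json.loads(har_text)
    suspects = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if host == page_host:
            continue  # first-party content; if that were geo-blocked nothing would load at all
        status = entry["response"]["status"]
        elapsed = float(entry.get("time", 0))
        if status != 0 and elapsed <= slow_ms:
            continue  # completed promptly, not a candidate
        count, worst, statuses = suspects.get(host, (0, 0.0, set()))
        suspects[host] = (count + 1, max(worst, elapsed), statuses | {status})
    return suspects

if __name__ == "__main__":
    # Usage: replace SAMPLE_HAR with open("page.har").read() and page_host with the site's hostname.
    for host, (n, worst, statuses) in slow_cross_loads(SAMPLE_HAR, "www.example-main.test").items():
        print(f"{host}: {n} request(s), worst {worst:.0f} ms, statuses {sorted(statuses)}")
```

Each reported host is one to resolve and geo-locate by hand against the rule's allowed-country list; a host that fails with status 0 only while the L7 rule is enabled is the one AlexP describes being retried until the page gives up.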
Bonzo

Our org has reached out to Meraki and has been given no more guidance on the issue or acknowledgement of its relation to Meraki geoblocking. It has been more or less a rhetorical loop with Meraki support stating they have nothing to do with the issue, despite knowing that Meraki hands off its geolocating to MaxMind.

Meraki's response after I reopened a ticket they closed:

There have been no updates on our end because this issue is not related to Meraki. We are unable to address this matter from our end as it pertains to MaxMind, and they will need to resolve it on their end if you're still encountering any issues on your end.

Bonzo

There are several reports on this. The temporary workaround is to remove the L7 rules.

Thanks for the quick reply. Yeah, we already had to do that. We put in another rule only blocking the countries notorious for bad sites/actors (Russia, Brazil, Nigeria, etc.) and aren't having an issue, so it's probably a random country Cloudflare routes through being blocked somewhere that they haven't figured out yet.


alemabrahao

Are you simply blocking the country where most sites are hosted (in this case the USA) and hoping not to have a problem?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

The screenshot is the countries he IS allowing access to, not blocking. I had to re-read it three times myself to make sure I was understanding it correctly.

Sorry, the rule in question is to block traffic NOT from the listed countries. Most of our clients have no reason to go to any sites outside of the countries in the rule, so we like to have things as locked down as possible (I have cleaned up after a prior IT person who didn't harden the company's network, and their main file server got infected with ransomware).


BlakeRichardson

1. Where are you located?

2. Is all traffic affected or just some?

I would say services like Cloudflare are seeing your IP and trying to route using the shortest path, BUT then if you have blocked the country that is part of the shortest path, that is where things are falling apart.

Unless you are being attacked by every single country apart from those listed, then I would suggest going about it the other way and blocking those that are the greatest risk to your business.


Thanks. We are in the US and all traffic appears to be affected. Most of our clients have no reason to go to any sites outside the countries in the rule, so we like to have things as locked down as possible. Looks like that is becoming less and less viable as more software providers and sites set up servers all over the planet.


PhilipDAth

This will probably depend on the latency of your Internet circuit to the geo-lookup service Cisco Meraki is using. Unless you have an option to get a lower latency circuit you'll probably have to tolerate it (or disable this feature, or use this feature in a different way).

GIdenJoe

Funny part is that if you block the US, most DNS providers no longer work ;p.

It would have been handy if you could limit the scope of the layer 7 rules to a specific L3/4 rule.


EasleyGa

Hello - we have seen this issue across multiple locations. We have a combination of MX68s (approx. 100) and an MX450 across multiple circuits, providers, etc. We had the same L7 country code block list for all locations, but not all experience the issue, making it harder to troubleshoot. In general, I understand other countries might be involved in Internet traffic, but we have not updated these rules in years and the issue seems to have surfaced over the past few months. The fix was to delete the L7 rules from the affected firewalls, and I have slowly been adding back countries to the block list. Also, it would be nice to be able to report what rule is blocking traffic, but apparently (according to Meraki support) we are not able to get granular detail. The MX68s are generally at MX 18.107.7 and the MX450 is at MX 18.107.9.


I should also mention that one of the sites, inbiz.in.gov, did fully load after about 4 minutes. Once we removed the L7 rule it loaded in about 1-2 seconds. The HAR file did not indicate any sites external to the US that I could find.
