I have a client with the strangest issue I’ve ever seen. For one user, specific websites (Vebra Alto, Adobe, Fixflo) are taking upwards of a minute to load after logging in, sometimes up to 5 minutes. The issue is completely intermittent, and has followed the user across 3 different PCs and 3 newly created user accounts. It’s worst on Edge/Chrome, and slightly better on Firefox. The other staff also use the same sites, and have no issues at all. Even when they use the PCs the problem user has been on, they have no issues. We’ve tried swapping the DNS servers to be the Google DNS servers instead of our internal server; that’s not helped. Clearing cache and signing out of Edge/Chrome/Firefox makes no difference.

If anyone can shed any light on this behaviour I’d be eternally grateful!

9 Spice ups

I’m actually fighting a very similar issue with a user right now. I’ve already cleared profile, have issued him a completely freshly-imaged PC and switched his network connection from end to end to rule that out as an issue. One even more bizarre thing I discovered while troubleshooting is if I minimize the browser that’s still trying to load the page and then maximize it again, it loads instantly. Every.single.time. Strangest thing ever! I’m curious if you’re seeing the same thing?

4 Spice ups

What about in-private browsing?

Any plugins/extensions on the browser, any proxy/VPN or Tor in the way?

7 Spice ups

@Ode2joy Minimising and restoring doesn’t appear to make any difference, still takes forever if that’s what it’s decided to do.
@Rod-IT In Private browsing made no difference, forgot to mention that as one of the things we tried previously. Completely fresh installs of Edge/Chrome/Firefox, no extensions, no VPN or Tor. For reference we’ve also tried disabling antivirus just in case, no difference there.

The Firefox developer tools sometimes list some of the individual files being accessed as blocked for nearly 20 seconds. I’ve read that this relates to not allowing too many requests to the same place, but raising the threshold in flags didn’t help.

Just trying turning off IPv6 based on something a colleague has found.

5 Spice ups

Have you thought about doing a pcap to see what’s happening in the background when this is occurring?

Does event viewer show any errors that could be related?

5 Spice ups

What DNS does this client use? Have you confirmed there are no firewall rules on the corporate firewall restricting specific ports, it takes a while then falls back to a default port?

If the same user logs in to another device and it works, check the device the user uses against the firewall rules.

3 Spice ups

@aJason Event viewer doesn’t show anything that looks relevant. What pcap tool would you recommend?

@Rod-IT we normally use the internal DNS on our DC, which uses 8.8.8.8 and 8.8.4.4 as forwarders. No rules on the firewall to restrict DNS, and we have the same behaviour using internal and external on the affected PCs. The same user on another device still gets the problem, but all other users are fine. We’ve even created 2 new user accounts for this staff member to try to rule out profile corruption, but the issue still returns just for this person.

4 Spice ups

I think most people use Wireshark, which is what I would recommend.

3 Spice ups

Then I would be looking at policies applying to this user since it’s not device specific.

FYI, I didn’t mean rules to restrict DNS, but rules specific to the user, what sites they can use, what ports etc.

4 Spice ups

That definitely sounds like a user-specific profile issue at the network or identity level, not a hardware or browser problem. Since it follows the user across different machines and accounts, I’d check for things like roaming profile corruption, cloud sync conflicts (OneDrive, Edge profile sync, etc), or even something odd in the user’s Azure AD or M365 profile. Also worth testing with all sync and extensions completely disabled, and checking if there’s any security software or web filtering applying different rules to that user specifically.

4 Spice ups

You’ve mentioned fresh user accounts on various devices. I’d look hard at user policies like @Rod-IT mentioned.

Also, depending upon your setup, is the user’s browser profile synced? We’ve run into issues with specific users where it turns out they’ve logged into their [organization] account on a personal device and turned on browser account syncing, which in turn syncs issues and conflicting policy information back to their non-personal computer, which causes the issue to follow them from device to device, even after fresh installs of everything.

Yes, I know you mentioned different browsers were tried, but some browsers (like Chrome) can actually install stuff onto Windows 10 & 11 to affect the whole system (thereby defeating the troubleshooting steps of trying incognito/private browsing & alternate browsers).

3 Spice ups

Try checking for excessive logging, e.g. perfmon settings or activity reporting in parental controls.

1 Spice up

Is there any chance that any/all staff with a new user profile would be impacted, and the affected user has just been the first to encounter the issue?

Does the issue only occur when accessing websites that are Cloudflare-protected?

Does turning off the QUIC protocol in the browser settings/flags page help?

2 Spice ups

Also, stupid idea 42… have you tried changing the user’s password? Just to force an authentication resync?

2 Spice ups

Thanks for all your suggestions, I’ll do my best to hit them all!
It appears that disabling IPv6 has helped; the issue is less frequent, but it does still happen. Makes no sense to me as that would be a device level issue, but I’m not complaining.
@aJason- I’ll give Wireshark a go when I can, probably looking at Monday now.
@Rod-IT - there are no rules restricting anyone’s web traffic at that client.
@it-monkey-mike - The browser profile issue did cross my mind; that’s the only thing I can think of that would be following her to all the new user accounts. Trouble is that’s where all the passwords are saved, but I suspect we can export them to Notepad and try using the system without a browser profile. We’ll try taking Chrome off as well.
@jamesclarkson - Can’t see anything in those areas but I’ll keep an eye on it
@greenbj - Multiple staff have joined since she started having the issue, and none of them get it. I’m not aware that the sites are Cloudflare protected, I’ve never seen the “verify you’re human” or the delay page pop up on any; is there another way to check? We’ll try the QUIC protocol when we can next access the PC.
@somedude2 - There are no stupid ideas, we’ll give that a go if all else fails.

3 Spice ups

Most browsers export/import to a CSV file. Just keep in mind that it is a plain text document, so all those passwords would be exposed in that file.

3 Spice ups

Are you using an SSO to sign into these sites? I have seen similar issues in the past with Cyberark.

2 Spice ups

If Chrome is the browser that syncs profiles, try using a different browser first, and reject syncing when asked. You can also reject syncing with Chrome initially, and then choose to sync later.

2 Spice ups

Just a quick update, will get to proper replies later; frequently the problem files appear to be JavaScript, in particular tag.js from cdn.optimizely.com and loader.js from gstatic.com. Any info on what these are?

3 Spice ups
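An added example, not part of any post in this thread: the Firefox Network panel can be saved as a HAR file, and this sketch reports which timing phase dominates each slow request (queueing shows up as `blocked`, address-family fallback as `connect`, a slow server as `wait`) and whether the response carried Cloudflare's `cf-ray` or `server: cloudflare` header. The `_entry` helper, URL paths, the `app.example.test` host and all timings are constructed sample data, not values captured from the affected PC.

```python
import json
from urllib.parse import urlsplit

PHASES = ("blocked", "dns", "connect", "ssl", "send", "wait", "receive")

def slow_entries(har_text, threshold_ms=5000):
    """List requests whose slowest timing phase meets the threshold, worst first."""
    report = []
    for entry in json.loads(har_text)["log"]["entries"]:
        timings = entry.get("timings", {})
        # HAR uses -1 (or omits the key) when a phase does not apply.
        ms = {p: max(timings.get(p) or 0, 0) for p in PHASES}
        phase = max(ms, key=ms.get)
        if ms[phase] < threshold_ms:
            continue
        headers = {h["name"].lower(): h["value"].lower()
                   for h in entry.get("response", {}).get("headers", [])}
        report.append({
            "host": urlsplit(entry["request"]["url"]).hostname,
            "phase": phase,
            "ms": ms[phase],
            # Cloudflare adds a cf-ray header and identifies itself in Server.
            "cloudflare": "cf-ray" in headers or headers.get("server") == "cloudflare",
        })
    return sorted(report, key=lambda r: r["ms"], reverse=True)

def _entry(url, headers=(), **timings):
    """Build one HAR-shaped entry for the constructed sample below."""
    return {"request": {"url": url},
            "response": {"headers": [{"name": n, "value": v} for n, v in headers]},
            "timings": timings}

# Constructed sample: the hosts for tag.js and loader.js come from the thread,
# everything else (paths, timings, app.example.test) is made up for illustration.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry("https://cdn.optimizely.com/tag.js", blocked=19850, dns=-1, connect=-1, wait=42),
    _entry("https://www.gstatic.com/loader.js", blocked=12, dns=3, connect=21040, ssl=35, wait=50),
    _entry("https://app.example.test/dashboard", (("CF-RAY", "constructed-ray-id"),),
           blocked=5, wait=6200, receive=20),
    _entry("https://app.example.test/logo.png", blocked=2, wait=30, receive=4),
]}})

if __name__ == "__main__":
    for row in slow_entries(SAMPLE_HAR):
        print(f'{row["ms"]:>7} ms  {row["phase"]:<8} {row["host"]}  cloudflare={row["cloudflare"]}')
```

Run it over HAR captures from both the affected user and an unaffected colleague on the same PC; a phase that is large only for the affected user narrows where to point Wireshark.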

I know gstatic is a legitimate Google server for their various apps/products/etc.

3 Spice ups