cancel
Showing results for 
Search instead for 
Did you mean: 

Intermittent connection issues loading/changing site- secure connection failed/site can't be reached

EDIflyer
Involved

Is anyone else occasionally getting a 'connection down' error from Chrome (or 'Secure Connection Failed' from Firefox) when changing page - if I hit refresh it works fine. At first I wondered if it was the site I was using but have noticed it on multiple different major websites over the past couple of months and not noticed it from other locations where I don't use Three Broadband so does seem to be related to the router/connection (this is via wired Ethernet too, so not a WiFi problem).  I've tried changing DNS server in case that helps but no difference.

It mainly seems to happen when trying to first load a site or (annoyingly) at checkout when a different site is being loaded as part of the checkout process.  It certainly doesn't happen everytime but does happen with reasonable frequency.  I've also noticed I often get it when trying to pull/push from/to Github too and have to do so a number of times for it to work (browsing the Github website works fine).

 
I'm using a NR5103E with Firmware Version V1.00(ACBJ.0)b14 - I tried rebooting it but to no effect.

EDIflyer_0-1697984212494.pngEDIflyer_1-1697984219294.png

 
 

EDIflyer_4-1697984241361.png

 

525 REPLIES 525
wgen
Regular

The issue occurs for me with websites also hosted via AWS and other cloud providers, so it's nothing to do with Akamai. (Have checked for Akamai routing in traceroute also)

AkiTaiyo
Active

New information.. Looks like the problem exisits somewhere between Three and Akamai..

If I manually change my DNS entry for visualstudio.microsoft.com to a different Akamai server (104.123.88.60), I can repeat the abolve connection test repeatedly, with ZERO errors..

Difference being that IP-Geolocation shows the new IP to be at a UK based Akamai datacentre, rather than the Ireland based datacentre..

Because of the way these CDNs work, I don't think theres a nice way to change from one to another.  Maybe using a purely UK based DNS resolver.. I'll try this next, currently I run my own resolver based in Iceland.

EDIflyer
Involved

Good detective work, @AkiTaiyo! Presumably this is why using a VPN is helping too as the routing to Akamai is being tunnelled and occurring elsewhere rather than between Three and Akamai.

@JonathanB hopefully your senior technical folk can look into this additional info???

AkiTaiyo
Active

Failed to load their own f'in website..
AkiTaiyo_0-1713887320149.png

 

AkiTaiyo
Active

With visualstudio.microsoft.com, the failure rate is almost 1 in 5 attempts, which is terrible..
Three needs to fix this ASAP..

AkiTaiyo_1-1713885999533.png

 

 

AkiTaiyo
Active

Another failure, this time at visualstudio.microsoft.com..  Once again, served from Akamai..

AkiTaiyo_0-1713883602302.png

AkiTaiyo_1-1713883626632.png

 

AkiTaiyo
Active

Just had it happen again.. This time on sky.com.

AkiTaiyo_0-1713873145489.png

Now there is an interesting coincidence here..
The IP address for inews (2.19.176.162) and the one for sky (23.57.166.79) are both served from an Akamai data centre. 
Does that mean that Three's network doesn't play nicely with Akamai's infrastructure?

AkiTaiyo_1-1713873276907.png

 

AkiTaiyo
Active

Sadly it was just coincidence..   After spam loading a bunch of pages I started getting some failures again.

Whats interesting is there doesn't seem to be any suitable explanation for it from the wireshark logs..
Here's a side-by-side of a connection to inews, one fails and one works.

AkiTaiyo_0-1713871394954.png

The first picture shows the log from the failed attempt.  The curious part of this is that at *exactly* the same time as the 'window update', a FIN is sent from the server to close the connection.
Compare this to refreshing the page, which loads correctly

AkiTaiyo_1-1713871568142.png

The opening sequence is identical... Except that WireShark identifies the working session 'Hello' as TLS v1.3, where as the failed session it identified as TLS v1.  I suspect this is a identification discrepancy with wireshark.  The details both show the same version IDs. 
Not sure from here, if anyone has any more insight on this I can provide these two sessions as wireshark files. 
The oddity for me is the FIN coming in, initiated by the server end.



AkiTaiyo
Active

After a bit of playing around in Wireshark with some sites that were intermittent..
It looks like the issue might be related to sites that use the QUIC protocol.  This is a UDP based transport on port 443, as apposed to the usual TCP based.
As an experiment, I've configured my firewall to block all UDP traffic on 443..  So far, no more 'end of file' errors..
Will see how it goes, or maybe just a coincidence. 

fashric
Active

Interesting, could you keep us updated on how that goes.