We recently moved to an ISA 2004 Server and are having problems with Web browsing being very slow to non-existent (timeouts). Here is the network setup.
Cisco 2600 Router (ISP SBC, 2 T1's bonded for 3 Mbps total)
Netgear FVX538 (packet filter, NATs to ISA Server)
ISA 2004 (HP ProLiant DL320, P4 3.4 with 1 GB RAM)
2 Domain Controllers
VLAN'd network with HP switches
All clients configured for DNS to the DCs
Default gateway for clients is the router (switch) on their subnet. ISA is the last path out.
Total number of users on network ~200. Total number of current client sessions ~25.
Slow internet and timeouts did not occur prior to switching to ISA.
ISA Server does not show Excessive Processor, RAM or Network usage.
Let me know what else will be helpful in diagnosing the problem.
Thank you for your help.
< Message edited by poiuy -- 10.Jan.2006 5:22:06 PM >
1. Are you running any 3rd party software on ISA?
2. Anything in your logs?
3. Have you created advanced monitoring for both your server hardware and also on ISA itself?
I have seen this problem a few times and most of the time it is caused by an overload on the CPU caused by bad code in 3rd party software; for example, web filtering software will use full CPU every time there is a request made by a client.
I would suggest doing some monitoring as i said above.
We are running SmartFilter 4.1; however, this was occurring before the software was installed. Currently the filtering is disabled. I installed it to configure while monitoring the software.
I've watched the resource usage and nothing is killing the box.
I've:
- adjusted the MTU
- enabled RAM caching
- changed to All Users instead of authenticating against my domain
- set HTTP 1.1 over proxy in IE
- checked and rechecked the binding order of the NICs
- checked network and routing configurations
- spent 5 minutes banging my head on my desk
- tested with only the Web Proxy client
- tested with only the Firewall Client
- tested with both enabled
- created a wpad entry in DNS
- tested DNS queries from client and firewall - no problems
- captured millions of packets to look for problems
- checked DNS registration
- tested with an "All open" rule
During each check I verify that web surfing through our ISA 2000 production box is performing as expected, and it is.
I've just recently started having the Microsoft Firewall service crash: c:\pro~etc\ISA\HttpFilter.dll generated an exception code C0000005 in address 60FF647F when function Complete SyncIO was called.
I added the WMF filters from Tom's blog yesterday, that is the only thing I can think of that would be causing this. I have other filters for IM programs that I added from info found on the MS/ISA/Tech site.
I'm at a loss and my patience is wearing thin.....
Have you tried doing a performance check on ISA instead of the server hardware? If all of that is ok I would look into your DNS configuration. How is your DNS configured?
If by performance check you mean with the ISABA utility, yes I have. Nothing came back wrong.
DNS is as follows, multihomed machine. 4 NICs total, 3 in use.
ISAEXT interface: tried leaving the DNS blank and populating it with DNS that matches the ISAInternal interface - same result.
ISAINT interface: DNS1 (INT Domain Controller #1), DNS2 (INT Domain Controller #2)
ISADMZ interface: not in use at the moment, DNS is blank.
Domain Controller #1 (Win Svr 2003) and Domain Controller #2 (Win Svr 2003), both with forwarders enabled to the ISP's DNS.
Client workstation NIC: DNS1 (INT Domain Controller #1, Win Svr 2003), DNS2 (INT Domain Controller #2, Win Svr 2003)
I'm running a HP DL320 Firewall/VPN/Cache appliance, 3.4Ghz, 2 gigs of ram, SCSI drives.
There is a third domain controller on my network, a Windows 2000 Svr. It currently has all the FSMO roles. This is the only thing that I'm questioning ATM, BUT here's what negates that thought - the slowness still occurs when I set the Web access rule to "All Users" vs. Domain Users. It appears authentication requests have little to no burden on the response time in my environment.
I resolved my issue by adding Forwarders on my Internal DNS Servers. The instant I did that then all of the problems with slow load or time outs were resolved.
Here are screenshots of my DNS Server config and the IP settings on my DC / DNS Server
Domain Controllers / DNS are : .64 and .65 ISA is .1 and VLAN Network Router is .2
I have an Access rule to allow DNS from Internal to External from my Domain Controllers and Exchange Server. All DNS requests from other devices are blocked by ISA.
I noticed before adding the forwarders that even the DCs were unable to resolve some external IP addresses. Root Hints are up to date and there was no indication in ISA that DNS requests were being blocked.
I know that adding forwarders resolved my problem but I am not fully sure if this is correct.
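The symptom in this post (internal DNS servers failing to resolve external names until forwarders were added, with nothing logged as blocked) is easiest to pin down by looking at the flags and RCODE the resolver actually returns, rather than at whether the browser eventually loads. The following is an added example, not code from the thread or from ISA: a minimal DNS query builder and response parser in standard-library Python, with a diagnosis step mapping the response to the next thing a firewall admin would check. The sample responses are constructed inline (transaction id 0x1234, name www.example.com, address 192.0.2.10 from the documentation range); the `query()` helper does a live UDP lookup and is not used by the offline demo.

```python
"""Added example (not from the thread): interpret DNS responses when checking
whether an internal DNS server can resolve external names."""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QUERY_ID = 0x1234  # constructed transaction id used by the samples below


def build_query(name, qtype=1, txid=QUERY_ID):
    """Build a standard recursive (RD=1) UDP query for `name` (type A by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return header flags plus decoded A records from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
              "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
              "rcode": flags & 0x000F, "answers": []}
    offset = 12
    for _ in range(qd):              # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                  # QTYPE + QCLASS
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            result["answers"].append((name, "A", ".".join(str(b) for b in rdata), ttl))
        else:
            result["answers"].append((name, rtype, rdata, ttl))
    return result


def diagnose(parsed):
    """Map flags/rcode to the likely cause a firewall admin would check next."""
    if not parsed["ra"]:
        return "RA=0: resolver does not offer recursion; clients should not use it for external names"
    rcode = parsed["rcode"]
    if rcode == 2:
        return "SERVFAIL: resolver could not reach upstream (root hints/forwarders blocked or unreachable)"
    if rcode == 3:
        return "NXDOMAIN: resolution path works, the name does not exist"
    if rcode == 0 and not parsed["answers"]:
        return "NOERROR with no answers: name exists but has no record of this type"
    if rcode == 0:
        return "OK: " + ", ".join(a[2] for a in parsed["answers"] if a[1] == "A")
    return "unexpected rcode %d (%s)" % (rcode, RCODE_NAMES.get(rcode, "?"))


def sample_responses():
    """Constructed responses for www.example.com: one SERVFAIL, one with an A record."""
    question = build_query("www.example.com")[12:]
    servfail = struct.pack("!HHHHHH", QUERY_ID, 0x8182, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
    ok = struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0) + question + answer
    return {"servfail": servfail, "ok": ok}


def query(server, name, timeout=2.0):
    """Live check against a real resolver over UDP/53 (not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    parsed = parse_response(data)
    if parsed["id"] != QUERY_ID:
        raise ValueError("transaction id mismatch")
    return parsed


if __name__ == "__main__":
    for label, raw in sample_responses().items():
        print(label, "->", diagnose(parse_response(raw)))
```

Run it against each internal DNS server in turn (`query("10.0.0.64", "www.example.com")` with your own addresses) before and after changing forwarders: a SERVFAIL from a DC whose root hints are current points at outbound DNS from that DC being blocked or rate-limited somewhere on the path, which is the check worth doing on the ISA access rule and the upstream device even when nothing is logged as denied.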
Looks good to me. If you're still getting poor performance you can try forwarding to a better DNS server, or configure the ISA to host your own caching DNS server without having to resolve from an outside DNS.
Thought this might be a good place to put this, as I have been experiencing very slow response time when browsing through a new ISA 2004 array as well. After much troubleshooting and research, I contacted MS. Listed below are a few articles that should help solve most of the slow Internet response issues.
The last one applies specifically to having ISA enabled NLB on servers connected to a switch. With NLB enabled, all servers advertise the same MAC which confuses a switch in unicast mode. Statically adding the MAC to the switch makes it multicast to the servers, allowing them to decide who handles the traffic. - Article 247297: http://support.microsoft.com/default.aspx?scid=kb;EN-US;247297
As I may have mentioned in another post, my config is as follows.
Cisco Router with Bonded T1's = 3mbps Netgear FVX538 ISA 2004
Using NAT from Netgear to ISA and NAT from ISA to Internal.
Web browsing worked fine except between 8:30am and 6:30pm. I would have connection timeouts, slow connections and connection drops.
I have since setup another ISA 2004 Firewall directly connected to the Cisco Router. It has no timeouts, slow connections or drops.
This is my theory. The Netgear has a limited 64 MB of RAM for maintaining table space. Since I am using NAT between the Netgear and ISA, the Netgear only sees one IP address coming from the ISA server. This means that the PAT table for the ISA is going to be very, very large, since at any one time there can be 100-plus user connections, each going to multiple sites. I believe that the Netgear is running out of table space and starts dropping connections. Since the ISA is going through the Netgear, it receives a slow or no response from the Netgear and relays a timeout to the client when in fact a timeout to the website never occurred.
So, I am going to redo my production ISA and make it the only firewall on the network. I had wanted to use the Netgear to do packet filtering and act as VPN endpoint, and since it had dual WAN ports I could quickly change to use a secondary network connection with minimal loss of functionality for internal users. I can live without it doing initial packet filtering. I can use the ISA as the VPN endpoint. The only thing I am not sure how to do is quickly change to a secondary connection if the primary fails.
If anybody else is having the same problems that I was and has another firewall in front of the ISA, it may be worth trying another config with ISA as a stand-alone and seeing if your problem is resolved.
Thank you to everyone that assisted me with this issue.
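The theory in the post above is a capacity argument: every client session leaves the ISA server with the same source address, so the upstream device keeps one translation entry per session in one table, and the table fills at roughly (new sessions per second) x (idle timeout) regardless of how few internal addresses it sees. The following is an added toy model of that argument, not the Netgear's real algorithm and not code from the thread: a bounded PAT table with an idle timeout, fed by a constructed workload (100 users each opening about 10 connections a minute behind a single NAT'd address 203.0.113.10) so you can see where drops start for a given capacity.

```python
"""Added example (not from the thread): toy PAT table with bounded capacity and
idle timeout, to reason about the session-table exhaustion theory."""
import random
from collections import OrderedDict


class PatTable:
    """Translation table keyed by (src ip, src port, dst ip, dst port)."""

    def __init__(self, capacity, idle_timeout):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.entries = OrderedDict()   # key -> last-seen time, oldest first
        self.admitted = 0
        self.dropped = 0

    def _expire(self, now):
        # Entries stay in last-seen order, so expired ones are at the front.
        while self.entries:
            _key, last = next(iter(self.entries.items()))
            if now - last < self.idle_timeout:
                break
            self.entries.popitem(last=False)

    def open(self, key, now):
        """Admit a new or existing session; return False if the table is full."""
        self._expire(now)
        if key in self.entries:
            self.entries[key] = now
            self.entries.move_to_end(key)
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[key] = now
        self.admitted += 1
        return True


def expected_concurrent(users, sessions_per_minute, idle_timeout):
    """Little's law estimate: arrival rate (per second) x time an entry is held."""
    return users * sessions_per_minute / 60.0 * idle_timeout


def simulate(users, sessions_per_minute, capacity, idle_timeout=300,
             duration=3600, seed=1):
    """Run a constructed workload for `duration` seconds; return (admitted, dropped)."""
    rng = random.Random(seed)
    table = PatTable(capacity, idle_timeout)
    nat_src = "203.0.113.10"   # the single address the upstream device sees
    p_new = sessions_per_minute / 60.0   # per-user chance of a new session each second
    for now in range(duration):
        for _user in range(users):
            if rng.random() < p_new:
                key = (nat_src, rng.randrange(1024, 65536), rng.randrange(1, 5000), 80)
                table.open(key, now)
    return table.admitted, table.dropped


if __name__ == "__main__":
    print("estimated concurrent entries:", expected_concurrent(100, 10, 300))
    for cap in (2048, 8192, 65536):
        print("capacity", cap, "-> admitted, dropped =", simulate(100, 10, cap))
```

With these numbers the steady state is about 5,000 live entries, so a 2,048-entry table drops a large share of new sessions while a 65,536-entry table drops none; the lever that actually changes the outcome is the idle timeout and the capacity, not the number of internal hosts, which is why putting the NAT'd firewall behind a small device concentrates the risk. Whether this is the real cause on a given device still has to be confirmed by its own connection-table counters, as the later posts in this thread show.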
Well, I built a new ISA server, recreated all rules, tested the config and had no issues with timeouts or problems. This ISA is directly connected to the internet. At switchover, I disconnected the Netgear from the network and transferred all IPs and traffic to the new ISA server. Retested config, then made a backup of the config and restored it onto my original production ISA server. Then disconnected the new ISA and transferred everything to the old ISA. It was now running with a direct connection to the internet. Everything seemed to be working fine (this was on a Friday night). Came in Monday morning and users were still complaining about slow internet connections and timeouts!!!!! WTF.
After spending about 20 minutes with one of the problem computers I started to think about the differences in the two servers. Other than hardware they both had identical configurations. Why did one work and the other not? Well, the production server is an HP DL320 and HP has a driver that is supposed to detect virus like activity and block traffic. That was the ONLY thing different. So, I disabled the Virus Throttle driver on all interfaces. Guess what? No more connection problems or timeouts.
I have a feeling that the Netgear Router was never an issue and that the Virus Throttle was causing all network traffic to slow. I have not tested the config with the Netgear back in place. I think I am going to leave the network config as it is now.
Is anyone else using a DL320 with Virus Throttle enabled? Are you having similar problems? Is there anyone at HP that we can drag out in the street and shoot?
Do you have any documentation for the specifics on how to disable the Virus Throttle driver? I have a DL320, but I'm having a difficult time finding any kind of documentation concerning Virus Throttle, so I'm not even sure if this is installed on my HP DL320? I've looked under HP network configuration utility, and under the windows device driver and don't see anything referencing Virus Throttle. Thanks in advance for your help. Ryan
If the Virus Throttle driver is installed it can be disabled from the Properties of the network card. There will be a connection listing for HP Virus Throttle Driver. Uncheck the box and Virus Throttle is disabled. You will need to do this for every NIC in the server.