• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Slow Web browsing / Time Outs

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> General >> Slow Web browsing / Time Outs Page: [1]
Login
Message << Older Topic   Newer Topic >>
Slow Web browsing / Time Outs - 10.Jan.2006 5:19:04 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
We recently moved to and ISA 2004 Server and are having problems with the Web browsing being very slow to non existant (Time outs).  Here is the Network setup.

Cisco 2600 Router (ISP SBC, 2 T1's Bonded for 3Mbps Total)
Netgear FVX538 (Packet fileter NAT's to ISA Server)
ISA 2004 (HP Proliant DL320 P4 3.4 with 1Gig Ram)
2 Domain Controllors
VLAN'd Network with HP Switches
All clients configured for DNS to DC's
Default Gateway for clients is the Router (Switch) on their Subnet.
ISA is the last path out

Total Number of users on Network ~200
Totol number of current Client session ~25

Slow internet and Times did not occur prior to switching to ISA.

ISA Server does not show Excessive Processor, RAM or Network usage.

Let me know what else will be helpful in diagnosing the problem.

Thank you for your help.

< Message edited by poiuy -- 10.Jan.2006 5:22:06 PM >


_____________________________

poiuy the Nemisis of qwerty
Post #: 1
RE: Slow Web browsing / Time Outs - 11.Jan.2006 9:13:53 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
Same problem.  Are you running the DL320 VPN/Cache/Firewall appliance?

If so do you have the HP Virus Throttle enabled?

Thanks,
John

(in reply to poiuy)
Post #: 2
RE: Slow Web browsing / Time Outs - 11.Jan.2006 9:50:44 PM   
DBornack

 

Posts: 67
Joined: 8.Jan.2004
From: Chicago, IL
Status: offline
Man there are about 10 threads out there about this same problem, it'd be nice to have the collectively together, and for Tom to pay a visit.. 

(in reply to jbarsodi)
Post #: 3
RE: Slow Web browsing / Time Outs - 11.Jan.2006 10:25:20 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
...and there are probably different reasons for each one.  Seldom is there a one-fits-all solution.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to DBornack)
Post #: 4
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:26:22 PM   
ealdridge

 

Posts: 84
Joined: 15.Nov.2005
Status: offline
i too had the same issue..

i just told my users to quit bi*#hing...

no really... sometimes ive experienced this as well, sometimes - yahoo, google etc take a while to load... then once the site is loaded alll works as it should.. weird...

(in reply to LLigetfa)
Post #: 5
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:35:10 PM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
Sites that I can consistently get to load dog slow and even fail halfway through rendering the page are:
cnn.com
money.com
abcnews.com
slashdot.org

to name a few test sites.

(in reply to ealdridge)
Post #: 6
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:50:48 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
If it is consistently specific sites, I would check to make sure PMTUDiscovery is enabled.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to jbarsodi)
Post #: 7
RE: Slow Web browsing / Time Outs - 12.Jan.2006 12:05:24 AM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
Yup it is, I've run all the performance optimizing suggestions/guidelines from this site.

I switch to my ISA2000 proxy and those sites work just fine.  :(

(in reply to LLigetfa)
Post #: 8
RE: Slow Web browsing / Time Outs - 12.Jan.2006 12:33:25 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
1.Are you running any 3rd party software on isa???
2.Anything in your logs???
3.Have you created advanced monitoring for both your server hardware and also on isa it's self?

I have seen this problem a few times and most of the time it is caused by a overload on the cpu caused by
bad code on 3rd party software, such as web filtering software will use full cpu usage every time there is a
request made by a client.

I would suggest doing some monitoring as i said above.

(in reply to jbarsodi)
Post #: 9
RE: Slow Web browsing / Time Outs - 12.Jan.2006 1:15:22 AM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
We are running SmartFilter 4.1, however, this was occurring before the the software was installed.  Currently the filtering is disabled, I installed it to configure while monitoring the software.


I've watched the resource usage and nothing is killing the box.


I've:
-adjusted the MTU
-enabled RAM caching
-changed to All Users instead of Authenticating against my domain
-set the HTTP1.1 over Proxy in IE
-Check and rechecked the binding order of the NIC's
-Checked network and routing configurations
-spent 5 minutes banging my head on my desk
-tested with only Web Proxy Client
-test with only Firewall Client
-Test wtih both enabled
-created a wpad in DNS
-tested DNS queries from client and firewall - no problems
-Captured millions of packets to look for problems
-Checked DNS registration
-tested with an "All open"

During each check I verify that web surfing through our ISA 2000 production box is performing as expected, and it is.



I've just recently started having the Microsoft Firewall service crash:
c:\pro~etc\ISA\HttpFilter.dll generated an exception code C0000005 in address 60FF647F when function Complete SyncIO was called.

I added the WMF filters from Tom's blog yesterday, that is the only thing I can think of that would be causing this.  I have other filters for IM programs that I added from info found on the MS/ISA/Tech site.

I'm at a loss and my patience is wearing thin.....

(in reply to Sunny.C)
Post #: 10
RE: Slow Web browsing / Time Outs - 12.Jan.2006 4:41:54 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Have you try doing performance check on isa instead of the server hardware??
If all the is ok i would look in to your dns configuration. How is your dns configured?

(in reply to jbarsodi)
Post #: 11
RE: Slow Web browsing / Time Outs - 12.Jan.2006 7:49:01 AM   
jbarsodi

 

Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
quote:

ORIGINAL: Sunny.C

Have you try doing performance check on isa instead of the server hardware??
If all the is ok i would look in to your dns configuration. How is your dns configured?


If by performance check you mean with the ISABA utility, yes I have.  Nothing came back wrong.

DNS is as follows, multihomed machine.  4 NICs total, 3 in use.

ISAEXT interface
Tried leaving the DNS blank and populating with DNS that matches the ISAInternal interface - same result.
|
|
ISAINT interface --- ISADMZ interface(Not in use at the moment, but DNS is blank.
DNS1(INT Domain Controller #1)
DNS2(INT Domain Controller #2)
|
|
Domain Controller #1 Win Svr 2003
Domain Controller #2 Win Svr 2003
(both have forwarders enabled to ISP's DNS.)
|
Client workstation NIC
DNS1(INT Domain Controller #1) Win Svr 2003
DNS2(INT Domain Controller #2) Win Svr 2003


I'm running a HP DL320 Firewall/VPN/Cache appliance, 3.4Ghz, 2 gigs of ram, SCSI drives.

There is a third domain controller on my network, a Windows 2000 Svr.  It current has all the FSMO roles.  This is the only thing that I'm questioning ATM, BUT here's what negates that thought - the slowness still occurs when I set the Web access rule to "All Users" vs. Domain Users.  It appears Authentication requests have little to no burden on the response time in my environment.

Thoughts?

(in reply to Sunny.C)
Post #: 12
RE: Slow Web browsing / Time Outs - 12.Jan.2006 8:15:05 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
I resolved my issue by adding Forwarders on my Internal DNS Servers.  The instant I did that then all of the problems with slow load or time outs were resolved. 

Here are screenshots of my DNS Server config and the IP settings on my DC / DNS Server



Domain Controllers / DNS are : .64 and .65  ISA is .1 and VLAN Network Router is .2

I have a Access rule to allow DNS from Internal to External from my Domain Controllers and Exchange Server.  All DNS requests from other devices is blocked by ISA.

I noticed before adding the forwarders that even the DC's were unable to resolve some external IP address.  Root Hints are up to date and there was no indication in ISA that DNS requests were being blocked.

I know that adding forwarders resolved my problem but I am not fully sure if this is correct.

Thoughts?

(in reply to jbarsodi)
Post #: 13
RE: Slow Web browsing / Time Outs - 12.Jan.2006 8:26:07 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
Here is the config for the IP interfaces on the ISA Server.
Virus Throttling is enabled.


(in reply to poiuy)
Post #: 14
RE: Slow Web browsing / Time Outs - 13.Jan.2006 4:28:50 AM   
Sunny.C

 

Posts: 801
Joined: 5.Apr.2005
From: sydney
Status: offline
Looks good to me, if your still getting poor performance you can try forwarding to a better dns server or configure the isa to host your own caching dns server without having to resolve from a outside dns.

(in reply to poiuy)
Post #: 15
RE: Slow Web browsing / Time Outs - 27.Jan.2006 7:25:35 PM   
mrmelton

 

Posts: 59
Joined: 19.Feb.2002
From: Portland, OR
Status: offline
Thought this might be a good place to put this as I have been experiencing very slow response time when browsing through a new ISA2004 Array as well.  After much troubleshooting and research, I contaced MS.  Listed below are a few articles that should help solve most of the slow Internet response issue.

- Article 905179: http://support.microsoft.com/?kbid=905179.  This will disable the key 'EnablePMTUDicsovery'.
- Article 837572: http://support.microsoft.com/default.aspx?kbid=837572&product=isas2004.  The only change recommended is the one under the heading 'Increase the TCP/IP buffer sizes in the registry'.  Keep in mind that this setting change will open a security hole that makes ISA vulnerable to a specific DOS attack.  Not a buffer overflow that can allow someone to take control of your system but one that will make the service unusable.

The last one applies specifically to having ISA enabled NLB on servers connected to a switch.  With NLB enabled, all servers advertise the same MAC which confuses a switch in unicast mode.  Statically adding the MAC to the switch makes it multicast to the servers, allowing them to decide who handles the traffic.
- Article 247297: http://support.microsoft.com/default.aspx?scid=kb;EN-US;247297

Hope this is helpful. 

Good luck -

mrm

(in reply to Sunny.C)
Post #: 16
RE: Slow Web browsing / Time Outs - 7.Feb.2006 9:10:12 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
Well, I believe that I have the problem solved.

As I have may have mentioned in another post my config is such.

Cisco Router with Bonded T1's = 3mbps
Netgear FVX538
ISA 2004

Using NAT from Netgear to ISA and NAT from ISA to Internal.

Web browsing worked fine except between 8:30am and 6:30pm.  I would have connection timeouts, slow connections and connection drops.

I have since setup another ISA 2004 Firewall directly connected to the Cisco Router.  It has no timeouts, slow connections or drops.

This is my theory.  The Netgear has a limeted 64Meg of RAM for maintaining table space.  Since I am using NAT between the Netgear and ISA the Netgear only sees one IP address coming from the ISA server.  This means that the PAT for the ISA is going be very very large since at any one time there can be 100 Plus user connections each going to multiple sites.  I believe that the Netgear is running out of table space and starts dropping connections.  Since the ISA is going through the netgear it receives a slow or no response from the netgear and relays a timeout to the client when in fact a time out to the website never occured.

So, I am going to redo my production ISA and make it the only firewall on the network.  I  had wanted to use the Netgear to do Packet filtering, VPN endpoint and since it had dual WAN ports could quickly change to use a secondary network connection with minimal loss of funcationality for internal users.  I can live without it doing initial packet filtering.  I can use the ISA as the VPN endpoint.  The only thing I am not sure how to do is to quickly change to a secondary connection if the primary fails.

If anybody else is having the same problems that I was and have another firewall infront of the ISA it may be worth trying another config of ISA as a stand alone and see if your problem is resolved.

Thank you to everyone that assisted me with this issue.

(in reply to mrmelton)
Post #: 17
RE: Slow Web browsing / Time Outs - 21.Feb.2006 6:50:40 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
Well, I built a new ISA sever, Recreated all rules, tested the config and had no issues with timeouts or problems.  This ISA is directly connected to the internet.  At switchover, I disconnected the Netgear from the network and transfered all IP's and traffic to the new ISA server.  Retested config.  then made a backup of the config and restored it onto my original production ISA server.  Then disconnnected the new ISA and transfered everything to the old ISA.  It was now running with a direct connection to the internet.  Everything seemed to be working fine.  (this was on a Friday night).  Came in monday moring and users were still complaining about slow internet connections and time outs!!!!! WTF.

After spending about 20 minutes with one of the problem computers I started to think about the differences in the two servers.  Other than hardware they both had identical configurations.  Why did one work and the other not?  Well, the production server is an HP DL320 and HP has a driver that is supposed to detect virus like activity and block traffic.  That was the ONLY thing different.  So, I disabled the Virus Throttle driver on all interfaces.  Guess what?  No more connection problems or timeouts.

I have a feeling that the Netgear Router was never an issue and that the Virus Throttle was causing all network traffic to slow.  I have not tested the config with the Netgear back in place.  I think I am going to leave the network config as it is now.

Is anyone else using a DL320 with Virus Throttle enabled?  Are you having simular problems?  Is there anyone at HP that we can drag out in the street and shoot?

(in reply to poiuy)
Post #: 18
RE: Slow Web browsing / Time Outs - 20.Jun.2006 1:53:23 AM   
Novaryan

 

Posts: 2
Joined: 20.Jun.2006
Status: offline
Do you have any documentation for the specifics on how to disable the Virus Throttle driver? I have a DL320, but I'm having a difficult time finding any kind of documentation concerning Virus Throttle, so I'm not even sure if this is installed on my HP DL320? I've looked under HP network configuration utility, and under the windows device driver and don't see anything referencing Virus Throttle. Thanks in advance for your help.
Ryan

(in reply to poiuy)
Post #: 19
RE: Slow Web browsing / Time Outs - 20.Jun.2006 10:32:29 PM   
poiuy

 

Posts: 82
Joined: 20.Oct.2005
Status: offline
If the Virus Throttle driver is installed it can be disabled from the Properties of the Network card.  There will be a connection listing for HP Virus Throttle Driver.  Uncheck the box and Virus Throttle is disabled.  You will need to do this for every Nic in the server.

_____________________________

poiuy the Nemisis of qwerty

(in reply to Novaryan)
Post #: 20

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> General >> Slow Web browsing / Time Outs Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts