Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Slow Web browsing / Time Outs
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Slow Web browsing / Time Outs - 10.Jan.2006 5:19:04 PM
|
|
|
poiuy
Posts: 50
Joined: 20.Oct.2005
Status: offline
|
We recently moved to and ISA 2004 Server and are having problems with the Web browsing being very slow to non existant (Time outs). Here is the Network setup.
Cisco 2600 Router (ISP SBC, 2 T1's Bonded for 3Mbps Total)
Netgear FVX538 (Packet fileter NAT's to ISA Server)
ISA 2004 (HP Proliant DL320 P4 3.4 with 1Gig Ram)
2 Domain Controllors
VLAN'd Network with HP Switches
All clients configured for DNS to DC's
Default Gateway for clients is the Router (Switch) on their Subnet.
ISA is the last path out
Total Number of users on Network ~200
Totol number of current Client session ~25
Slow internet and Times did not occur prior to switching to ISA.
ISA Server does not show Excessive Processor, RAM or Network usage.
Let me know what else will be helpful in diagnosing the problem.
Thank you for your help.
< Message edited by poiuy -- 10.Jan.2006 5:22:06 PM >
_____________________________
poiuy the Nemisis of qwerty
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 9:13:53 PM
|
|
|
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
|
Same problem. Are you running the DL320 VPN/Cache/Firewall appliance?
If so do you have the HP Virus Throttle enabled?
Thanks,
John
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 9:50:44 PM
|
|
|
DBornack
Posts: 67
Joined: 8.Jan.2004
From: Chicago, IL
Status: offline
|
Man there are about 10 threads out there about this same problem, it'd be nice to have the collectively together, and for Tom to pay a visit..
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 10:25:20 PM
|
|
|
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
|
...and there are probably different reasons for each one. Seldom is there a one-fits-all solution.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:26:22 PM
|
|
|
ealdridge
Posts: 84
Joined: 15.Nov.2005
Status: offline
|
i too had the same issue..
i just told my users to quit bi*#hing...
no really... sometimes ive experienced this as well, sometimes - yahoo, google etc take a while to load... then once the site is loaded alll works as it should.. weird...
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:35:10 PM
|
|
|
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
|
Sites that I can consistently get to load dog slow and even fail halfway through rendering the page are:
cnn.com
money.com
abcnews.com
slashdot.org
to name a few test sites.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 11.Jan.2006 11:50:48 PM
|
|
|
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
|
If it is consistently specific sites, I would check to make sure PMTUDiscovery is enabled.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 12.Jan.2006 12:05:24 AM
|
|
|
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
|
Yup it is, I've run all the performance optimizing suggestions/guidelines from this site.
I switch to my ISA2000 proxy and those sites work just fine. :(
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 12.Jan.2006 12:33:25 AM
|
|
|
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
|
1.Are you running any 3rd party software on isa???
2.Anything in your logs???
3.Have you created advanced monitoring for both your server hardware and also on isa it's self?
I have seen this problem a few times and most of the time it is caused by a overload on the cpu caused by
bad code on 3rd party software, such as web filtering software will use full cpu usage every time there is a
request made by a client.
I would suggest doing some monitoring as i said above.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 12.Jan.2006 1:15:22 AM
|
|
|
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
|
We are running SmartFilter 4.1, however, this was occurring before the the software was installed. Currently the filtering is disabled, I installed it to configure while monitoring the software.
I've watched the resource usage and nothing is killing the box.
I've:
-adjusted the MTU
-enabled RAM caching
-changed to All Users instead of Authenticating against my domain
-set the HTTP1.1 over Proxy in IE
-Check and rechecked the binding order of the NIC's
-Checked network and routing configurations
-spent 5 minutes banging my head on my desk
-tested with only Web Proxy Client
-test with only Firewall Client
-Test wtih both enabled
-created a wpad in DNS
-tested DNS queries from client and firewall - no problems
-Captured millions of packets to look for problems
-Checked DNS registration
-tested with an "All open"
During each check I verify that web surfing through our ISA 2000 production box is performing as expected, and it is.
I've just recently started having the Microsoft Firewall service crash:
c:\pro~etc\ISA\HttpFilter.dll generated an exception code C0000005 in address 60FF647F when function Complete SyncIO was called.
I added the WMF filters from Tom's blog yesterday, that is the only thing I can think of that would be causing this. I have other filters for IM programs that I added from info found on the MS/ISA/Tech site.
I'm at a loss and my patience is wearing thin.....
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 12.Jan.2006 4:41:54 AM
|
|
|
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
|
Have you try doing performance check on isa instead of the server hardware??
If all the is ok i would look in to your dns configuration. How is your dns configured?
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 12.Jan.2006 7:49:01 AM
|
|
|
jbarsodi
Posts: 114
Joined: 10.Aug.2001
From: Sparks, NV
Status: offline
|
quote:
ORIGINAL: Sunny.C
Have you try doing performance check on isa instead of the server hardware??
If all the is ok i would look in to your dns configuration. How is your dns configured?
If by performance check you mean with the ISABA utility, yes I have. Nothing came back wrong.
DNS is as follows, multihomed machine. 4 NICs total, 3 in use.
ISAEXT interface
Tried leaving the DNS blank and populating with DNS that matches the ISAInternal interface - same result.
|
|
ISAINT interface --- ISADMZ interface(Not in use at the moment, but DNS is blank.
DNS1(INT Domain Controller #1)
DNS2(INT Domain Controller #2)
|
|
Domain Controller #1 Win Svr 2003
Domain Controller #2 Win Svr 2003
(both have forwarders enabled to ISP's DNS.)
|
Client workstation NIC
DNS1(INT Domain Controller #1) Win Svr 2003
DNS2(INT Domain Controller #2) Win Svr 2003
I'm running a HP DL320 Firewall/VPN/Cache appliance, 3.4Ghz, 2 gigs of ram, SCSI drives.
There is a third domain controller on my network, a Windows 2000 Svr. It current has all the FSMO roles. This is the only thing that I'm questioning ATM, BUT here's what negates that thought - the slowness still occurs when I set the Web access rule to "All Users" vs. Domain Users. It appears Authentication requests have little to no burden on the response time in my environment.
Thoughts?
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 13.Jan.2006 4:28:50 AM
|
|
|
Sunny.C
Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
|
Looks good to me, if your still getting poor performance you can try forwarding to a better dns server or configure the isa to host your own caching dns server without having to resolve from a outside dns.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 27.Jan.2006 7:25:35 PM
|
|
|
mrmelton
Posts: 59
Joined: 19.Feb.2002
From: Portland, OR
Status: offline
|
Thought this might be a good place to put this as I have been experiencing very slow response time when browsing through a new ISA2004 Array as well. After much troubleshooting and research, I contaced MS. Listed below are a few articles that should help solve most of the slow Internet response issue.
- Article 905179: http://support.microsoft.com/?kbid=905179. This will disable the key 'EnablePMTUDicsovery'.
- Article 837572: http://support.microsoft.com/default.aspx?kbid=837572&product=isas2004. The only change recommended is the one under the heading 'Increase the TCP/IP buffer sizes in the registry'. Keep in mind that this setting change will open a security hole that makes ISA vulnerable to a specific DOS attack. Not a buffer overflow that can allow someone to take control of your system but one that will make the service unusable.
The last one applies specifically to having ISA enabled NLB on servers connected to a switch. With NLB enabled, all servers advertise the same MAC which confuses a switch in unicast mode. Statically adding the MAC to the switch makes it multicast to the servers, allowing them to decide who handles the traffic.
- Article 247297: http://support.microsoft.com/default.aspx?scid=kb;EN-US;247297
Hope this is helpful.
Good luck -
mrm
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 7.Feb.2006 9:10:12 PM
|
|
|
poiuy
Posts: 50
Joined: 20.Oct.2005
Status: offline
|
Well, I believe that I have the problem solved.
As I have may have mentioned in another post my config is such.
Cisco Router with Bonded T1's = 3mbps
Netgear FVX538
ISA 2004
Using NAT from Netgear to ISA and NAT from ISA to Internal.
Web browsing worked fine except between 8:30am and 6:30pm. I would have connection timeouts, slow connections and connection drops.
I have since setup another ISA 2004 Firewall directly connected to the Cisco Router. It has no timeouts, slow connections or drops.
This is my theory. The Netgear has a limeted 64Meg of RAM for maintaining table space. Since I am using NAT between the Netgear and ISA the Netgear only sees one IP address coming from the ISA server. This means that the PAT for the ISA is going be very very large since at any one time there can be 100 Plus user connections each going to multiple sites. I believe that the Netgear is running out of table space and starts dropping connections. Since the ISA is going through the netgear it receives a slow or no response from the netgear and relays a timeout to the client when in fact a time out to the website never occured.
So, I am going to redo my production ISA and make it the only firewall on the network. I had wanted to use the Netgear to do Packet filtering, VPN endpoint and since it had dual WAN ports could quickly change to use a secondary network connection with minimal loss of funcationality for internal users. I can live without it doing initial packet filtering. I can use the ISA as the VPN endpoint. The only thing I am not sure how to do is to quickly change to a secondary connection if the primary fails.
If anybody else is having the same problems that I was and have another firewall infront of the ISA it may be worth trying another config of ISA as a stand alone and see if your problem is resolved.
Thank you to everyone that assisted me with this issue.
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 21.Feb.2006 6:50:40 PM
|
|
|
poiuy
Posts: 50
Joined: 20.Oct.2005
Status: offline
|
Well, I built a new ISA sever, Recreated all rules, tested the config and had no issues with timeouts or problems. This ISA is directly connected to the internet. At switchover, I disconnected the Netgear from the network and transfered all IP's and traffic to the new ISA server. Retested config. then made a backup of the config and restored it onto my original production ISA server. Then disconnnected the new ISA and transfered everything to the old ISA. It was now running with a direct connection to the internet. Everything seemed to be working fine. (this was on a Friday night). Came in monday moring and users were still complaining about slow internet connections and time outs!!!!! WTF.
After spending about 20 minutes with one of the problem computers I started to think about the differences in the two servers. Other than hardware they both had identical configurations. Why did one work and the other not? Well, the production server is an HP DL320 and HP has a driver that is supposed to detect virus like activity and block traffic. That was the ONLY thing different. So, I disabled the Virus Throttle driver on all interfaces. Guess what? No more connection problems or timeouts.
I have a feeling that the Netgear Router was never an issue and that the Virus Throttle was causing all network traffic to slow. I have not tested the config with the Netgear back in place. I think I am going to leave the network config as it is now.
Is anyone else using a DL320 with Virus Throttle enabled? Are you having simular problems? Is there anyone at HP that we can drag out in the street and shoot?
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 20.Jun.2006 1:53:23 AM
|
|
|
Novaryan
Posts: 2
Joined: 20.Jun.2006
Status: offline
|
Do you have any documentation for the specifics on how to disable the Virus Throttle driver? I have a DL320, but I'm having a difficult time finding any kind of documentation concerning Virus Throttle, so I'm not even sure if this is installed on my HP DL320? I've looked under HP network configuration utility, and under the windows device driver and don't see anything referencing Virus Throttle. Thanks in advance for your help.
Ryan
|
|
|
|
|
RE: Slow Web browsing / Time Outs - 20.Jun.2006 10:32:29 PM
|
|
|
poiuy
Posts: 50
Joined: 20.Oct.2005
Status: offline
|
If the Virus Throttle driver is installed it can be disabled from the Properties of the Network card. There will be a connection listing for HP Virus Throttle Driver. Uncheck the box and Virus Throttle is disabled. You will need to do this for every Nic in the server.
_____________________________
poiuy the Nemisis of qwerty
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
