Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Slow browsing on HP ISA/VPN/Cache
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Slow browsing on HP ISA/VPN/Cache - 28.Feb.2006 3:00:38 AM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
Over the weekend we installed a new ISA 2004 SP2 server, and HP DL320 ISA/VPN/Cache device.
Web browsing is extremly slow via SecureNAT, Web Proxy and/or the Firewall Client. Download speeds via FTP transfer are the same as before (old firewall was a PIX 515e).
The outbound access rule is top of the list, and allows HTTP, HTTPS and DNS (Allow limited web access and ISP services). I also changed the binding order so that the internal NIC is top of the list and verfied the NIC configuration agains teh ISAServer.org article on ISA binding and IP configuration.
Not sure where to look next, I have set up a few ISA servers before, although not this particular HP device, and never encountered this before. I would expect a server with 3.2GHz/1GB RAM and only 100 users to perform much better than it is.
Any advice?
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 28.Feb.2006 3:51:54 AM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
I did try that and with that checked in IE6, the page never loads. Also I have the cache enabled, currently set at 20GB.
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 3.Mar.2006 12:09:25 AM
|
|
|
Jason Jones
Posts: 1782
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
|
20GB for 100 users is a bit OTT, normally best to use 20-50MB per user so 2GB-5GB cache should be fine. Also try changing the % or free RAM used for caching parameter, this may also help.
Have you changed the PMTUDiscovery parameter? Check out the ISA BPA for more info or do a search here...
Have you tried turning off virus throttle?
JJ
< Message edited by Jason Jones -- 3.Mar.2006 12:11:28 AM >
_____________________________
Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/
Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 3.Mar.2006 12:14:28 AM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
Yeah I plan to lower the cache over the weekend and try a few other things including PMTUDiscovery.
"Also try changing the % or free RAM used for caching parameter" Can you explain? Do you mean cap the amount of memory MSDE can use?
How do I disable the virus throttle? Is it simply unchecking the box in the NIC properties?
I appreciate the suggerstions!
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 3.Mar.2006 3:00:29 PM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
I have made some progress with this and have further narrowed it down. It is not so much a throughput issue as it is a response time issue. Getting the a webpage to connect is still slow, but once the data transfer begins the page loads quickly.
I reduced the cache size to 5GB (50MB per user), enabled PMTUDiscovery, and made thjs change as well http://support.microsoft.com/default.aspx?scid=kb;EN-US;839510
I also changed from logging to SQL/MSDE to flat file and will monitor that as well.
The only thing I am left with is limiting cache memory (found it in Tom's book) and disabling the HP Virus Throttle (still looking).
I'll keep you posted on progress! Thanks for the excellent suggestions!
< Message edited by Lazyadmin -- 3.Mar.2006 3:51:22 PM >
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 5.Mar.2006 3:46:23 PM
|
|
|
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Rodney,
There has to be something going on that's very off label to cause these problems.
What are the DNS settings on the ISA firewall's interfaces?
Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 6.Mar.2006 5:40:55 PM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
Well I think I have it licked, seems to be much improved today, that or Iam getting used to the slowness :)
The Internal NIC has DNS pointing to the two internal DNS servers for the AD domain. The External NIC does not have any DNS settings configured.
I enabled PMTU and I also added a registry key:
HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\ArrayPolicy\WebProxy
REG_DWORD: msFPCSkipNameResolutionForAccessAndRoutingRules
Value: 1
I started logging to flatfile, dropped the cache to 5GB, dropped cache memory to 5% and dropped SQL memory limit to 128MB.
All in all it seems to have fixed things but I am monitoring it closely. I wish I could disable the MSDE services as I am no longer using it, but the MS Firewall Serivce depends on it. If all goes well, I may re-enable logging to MSDE and see what happens!
Thanks again for the suggestions!
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 6.Mar.2006 6:03:36 PM
|
|
|
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
|
Are you sure you really want msFPCSkipNameResolutionForAccessAndRoutingRules? That is usually reserved for situations where the ISA is the last hop in the chain.
MSDE is worth having. Just limit how much RAM it can use.
Did you disable virus throttling on the NIC?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 6.Mar.2006 9:35:50 PM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
LLigetfa, I found that in a MS KB article which I will post when I can find it again.
spouseele, thanks I am going to give that a try first thing in the morning.
Once I get acceptable performance I am going to roll back some of these changes and see what happens.
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 8.Mar.2006 4:00:53 AM
|
|
|
tshinder
Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Rodney,
Disable Virus throttle and see if that makes a difference.
Les is correct, do not disable name resolution by the ISA firewall unless its the final upstream ISA firewall.
HTH,
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 8.Mar.2006 4:18:18 AM
|
|
|
Lazyadmin
Posts: 8
Joined: 15.Feb.2005
Status: offline
|
Disabled the Virus Throttle this morning and rebooted and performance is back to what I expected. That did the trick.
In regards to the msFPCSkipNameResolutionForAccessAndRoutingRules registry key, the server is on the edge of the network. I found this in the following MS KB article
http://support.microsoft.com/default.aspx?scid=kb;en-us;839510
I am going to start rolling back the other changes I made prior to the disabling of the virus throttle and see what happens!!
I would be curious to know why the registry key should only be used on the edge ISA server?
_____________________________
Rodney Buike
MVP - Directory Services
http://thelazyadmin.com
|
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 20.Jun.2006 4:02:34 PM
|
|
|
Novaryan
Posts: 2
Joined: 20.Jun.2006
Status: offline
|
I posted this question in a similar thread, but does anyone have documentation for turning off Virus Throttle on an HP DL320? I'm not even sure if it is installed on my machine, as this wasn't the packaged DL320 with ISA 04 installed and windows 2003 SP1 secured. I've been through the entire HP Network Configuration Utility, the Device Driver properties, and NIC properties and see nothing referencing virus throttle. Thanks,
Ryan
|
|
|
|
RE: Slow browsing on HP ISA/VPN/Cache - 7.Aug.2008 11:13:48 PM
|
|
|
lrdars
Posts: 8
Joined: 8.Apr.2008
Status: offline
|
Hello all,
I have the same issue with my ISA server.
Server settings:
HP DL320 G4
Windows 2003 SP2
ISA 2006
Trend Micro AV
GFI Web Monitor Using MSDE
This server is setup as a proxy only single NIC.
The issue that I’m having is that web pages take twice as long to load then if I just go via the firewall. As this is the first ISA server that I have installed I reloaded it thinking it may have been something I did but I still get the same issue.
I have looked for this HP Virus Throttle and I can’t fine it.
I have changed the following settings EnableTCPA dword:00000000, EnableRSS dword:00000000, EnableTCPChimney dword:00000000 and DisableTaksoffload dword:00000001.
This has not fixed the issue and I’m stuck and I just need some help.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
