Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Websites Timing Out - Single NIC mode

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Cache] >> General >> Websites Timing Out - Single NIC mode Page: [1]
Login
Message << Older Topic   Newer Topic >>
Websites Timing Out - Single NIC mode - 27.Feb.2006 10:09:57 PM   
dlitwin

 

Posts: 4
Joined: 22.Nov.2005
Status: offline 		Hello,

I've got ISA 2004 w/SP2 installed in single NIC mode to allow authentication/proxy/reporting.  We do not use the full firewall capability because we have another corporate firewall in place.  Since this ISA has been in place (8 mos), we have noticed a slowdown in general web surfing.  Also, there are some websites which do not come up:  they just sit there trying to load, but never fully resolve, or some of the graphics do not appear.  bypassing the ISA 2004 server and going out through the firewall results in no slowdown and the specific site work and resolve fully.

we have 4 firewall policy rules:
1. Filtering software (allow) (new protocol we created), (local host), (all networks and local host), (all users)
2. filtering software admin (allow) (another new protocol we created), (internal), (local host), (all users)
3. web access (allow) (ftp, HTTP, HTTPS), (internal), (all networks and local host), (all authenticated users)
4. last default rule  (deny) (all traffic), (all networks), (all networks and local host), (all users)

for NETWORKS, since we are unihomed, the only active network is INTERNAL.  it has address ranges: 10.0.0.0-10.255.255.255, 0.0.0.1-126.255.255.255, 128.0.0.0-233.255.255.255, 240.0.0.0-255.255.255.254.  our internal network is represented by the 10.0.x.x range

properties for INTERNAL network:
ADDRESSES: IP ranges listed as above
DOMAINS: nothing listed
WEB BROWSER: nothing listed
AUTO DISCOVERY: nothing listed
FIREWALL CLIENT:  (unchecked)
WEB PROXY: enable web proxy client checked, enable HTTP checked with 8080 listed in port box.  Authentication method is INTEGRATED, BASIC and "require all users to authenticate" is UNCHECKED.

Anyone care to look this over and see if I have a mistake anywhere.  We are starting to think about dumping the ISA server because of the slowness and timeouts, but I still like the reporting features.  I also have access to ISAINFO and can post/email a log if needed.

Dan
Post #: 1
RE: Websites Timing Out - Single NIC mode - 27.Feb.2006 11:59:06 PM   
LLigetfa

 

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline 		Is PMTUDiscovery enabled?

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to dlitwin)
Post #: 2
RE: Websites Timing Out - Single NIC mode - 28.Feb.2006 12:30:26 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline 		What Filtering Software are you using?
Are you certain that the ISA Server service itself is the cause of the delay? In other words, is it possible that ISA is just a symptom of slow performance on that box?
Have you considered removing the filtering add-on to see if that isolates the problem?

(in reply to LLigetfa)
Post #: 3
RE: Websites Timing Out - Single NIC mode - 28.Feb.2006 4:05:36 AM   
dlitwin

 

Posts: 4
Joined: 22.Nov.2005
Status: offline 		PMTU Discovery is enabled.  I found that post a while ago, enabled, and rebooted the ISA server.  no difference.

The filtering software we use is SmartFilter 4.1 from Secure Computing.  We have the ISA specific pluggin of this software and requires that it be installed on the ISA server.  The admin portion/reporting software is installed on another server.

Other than Server 2003, these are the only 2 pieces of software on the server and is this server's only role.

other suggestions?

(in reply to dlitwin)
Post #: 4
RE: Websites Timing Out - Single NIC mode - 28.Feb.2006 5:04:15 AM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline 		Have you considered removing the filtering add-on to see if that isolates the problem?

Have you taken network captures from the ISA Server to 'time' when ISA receives the request and how long it takes to return the page to the client? Specifically, once ISA receives the request, how long does it take for the DNS name to be resolved and once it has that, how long does it take to connect to he external server?

Break the problem into its constituent parts and determine where the delay is coming from. I have my ISA Server setup at work and at home and never see delays.

< Message edited by ClintD -- 28.Feb.2006 5:07:32 AM >

(in reply to dlitwin)
Post #: 5
RE: Websites Timing Out - Single NIC mode - 1.Mar.2006 11:30:13 PM   
dlitwin

 

Posts: 4
Joined: 22.Nov.2005
Status: offline 		this is a copy of my log...





Destination Host Name

Transport

MIME Type

Object Source

Source Proxy

Destination Proxy

Bidirectional

Client Host Name

Filter Information

Network Interface

Raw IP Header

Raw Payload

Source Port

Processing Time

Bytes Sent

Bytes Received

Result Code

HTTP Status Code

Cache Information

Error Information

Log Record Type

Log Time

Destination IP

Destination Port

Protocol

Action

Rule

Client IP

Client Username

Source Network

Destination Network

HTTP Method


www.duluthsuperior.com

TCP







-

-




-




-

-

-

9091

9293

4573

510




12209

0x0

0x0

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

154155

156157

563

615




164165

0x0

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Failed Connection Attempt

web access

10.0.15.10

anonymous

Internal

External

GET


www.yahoo.com

TCP

image/gif

Internet

-

-




-




-

-

-

218219

220221

261

713




228229

0x41040000

0x480

Web Proxy Filter

2/28/2006 14:29

216.109.118.66

240241

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

Internal

GET


www.duluthsuperior.com

TCP

text/css

Not Modified

-

-




-




-

-

-

282283

284285

286287

595




292293

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

304305

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

text/css

Not Modified

-

-




-




-

-

-

346347

348349

350351

577




356357

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

368369

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

application/x-javascript

Not Modified

-

-




-




-

-

-

410411

412413

414415

571




420421

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

432433

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

474475

476477

478479

645




484485

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

496497

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/gif

Not Modified

-

-




-




-

-

-

538539

540541

542543

627




548549

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

560561

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


ad.doubleclick.net

TCP







-

-




-




-

-

-

602603

604605

606607

608609




12210

0x0

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

624625

http

Failed Connection Attempt

10.0.15.10

DULUTH\djlitw




GET


ad.doubleclick.net

TCP







-

-




-




-

-

-

662663

664665

4573

668669




12209

0x0

0x0

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


ad.doubleclick.net

TCP







-

-




-




-

-

-

726727

728729

730731

732733




736737

0x0

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Failed Connection Attempt

web access

10.0.15.10

anonymous

Internal

External

GET


ad.doubleclick.net

TCP







-

-




-




-

-

-

790791

792793

794795

796797




12210

0x0

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

812813

http

Failed Connection Attempt

10.0.15.10

DULUTH\djlitw




GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

850851

852853

4573

856857




12209

0x1002

0x0

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.belleville.com

TCP







-

-




-




-

-

-

914915

916917

4573

920921




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

978979

980981

4573

984985




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

10421043

10441045

4573

10481049




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

11061107

11081109

4573

11121113




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

11701171

11721173

4573

11761177




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

12341235

12361237

4573

12401241




12209

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Denied Connection

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP







-

-




-




-

-

-

12981299

13001301

13021303

13041305




13081309

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

8080

http

Failed Connection Attempt

web access

10.0.15.10

anonymous

Internal

External

GET


www.duluthsuperior.com

TCP

application/x-shockwave-flash

Not Modified

-

-




-




-

-

-

13621363

13641365

13661367

13681369




13721373

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

13841385

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

text/html

Internet

-

-




-




-

-

-

14261427

14281429

63426

14321433




14361437

0x632c0000

0x580

Web Proxy Filter

2/28/2006 14:29

216.251.177.54

14481449

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/gif

Not Modified

-

-




-




-

-

-

14901491

14921493

14941495

14961497




15001501

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

15121513

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

application/x-shockwave-flash

Not Modified

-

-




-




-

-

-

15541555

15561557

15581559

15601561




15641565

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

15761577

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

16181619

16201621

16221623

16241625




16281629

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

16401641

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.belleville.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

16821683

16841685

16861687

16881689




16921693

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

17041705

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/gif

Not Modified

-

-




-




-

-

-

17461747

17481749

17501751

17521753




17561757

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

17681769

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

18101811

18121813

18141815

18161817




18201821

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

18321833

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

18741875

18761877

18781879

18801881




18841885

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

18961897

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

application/x-javascript

Not Modified

-

-




-




-

-

-

19381939

19401941

19421943

19441945




19481949

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

19601961

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/gif

Not Modified

-

-




-




-

-

-

20022003

20042005

20062007

20082009




20122013

0x1002

0x80

Web Proxy Filter

2/28/2006 14:29

10.0.10.3

20242025

http

Allowed Connection

web access

10.0.15.10

DULUTH\djlitw

Internal

External

GET


www.duluthsuperior.com

TCP

image/jpeg

Not Modified

-

-




-




-

-

-

20662067

20682069

20702071

20722073




20762077

0x1002

0x80

Web Proxy Filter

2/28/2006 14