Slow browsing on HP ISA/VPN/Cache

Slow browsing on HP ISA/VPN/Cache (Full Version)

All Forums >> [ISA Server 2004 Misc.] >> ISA Firewall Appliances

Message

Lazyadmin -> Slow browsing on HP ISA/VPN/Cache (28.Feb.2006 3:00:38 AM)
Over the weekend we installed a new ISA 2004 SP2 server, and HP DL320 ISA/VPN/Cache device. Web browsing is extremly slow via SecureNAT, Web Proxy and/or the Firewall Client. Download speeds via FTP transfer are the same as before (old firewall was a PIX 515e). The outbound access rule is top of the list, and allows HTTP, HTTPS and DNS (Allow limited web access and ISP services). I also changed the binding order so that the internal NIC is top of the list and verfied the NIC configuration agains teh ISAServer.org article on ISA binding and IP configuration. Not sure where to look next, I have set up a few ISA servers before, although not this particular HP device, and never encountered this before. I would expect a server with 3.2GHz/1GB RAM and only 100 users to perform much better than it is. Any advice?

tshinder -> RE: Slow browsing on HP ISA/VPN/Cache (28.Feb.2006 3:49:21 AM)
Hi Rodney, Are the clients configured to use HTTP 1.1 through proxy connections? Thanks! Tom

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (28.Feb.2006 3:51:54 AM)
I did try that and with that checked in IE6, the page never loads. Also I have the cache enabled, currently set at 20GB.

Jason Jones -> RE: Slow browsing on HP ISA/VPN/Cache (3.Mar.2006 12:09:25 AM)
20GB for 100 users is a bit OTT, normally best to use 20-50MB per user so 2GB-5GB cache should be fine. Also try changing the % or free RAM used for caching parameter, this may also help. Have you changed the PMTUDiscovery parameter? Check out the ISA BPA for more info or do a search here... Have you tried turning off virus throttle? JJ

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (3.Mar.2006 12:14:28 AM)
Yeah I plan to lower the cache over the weekend and try a few other things including PMTUDiscovery. "Also try changing the % or free RAM used for caching parameter" Can you explain? Do you mean cap the amount of memory MSDE can use? How do I disable the virus throttle? Is it simply unchecking the box in the NIC properties? I appreciate the suggerstions!

Jason Jones -> RE: Slow browsing on HP ISA/VPN/Cache (3.Mar.2006 12:33:33 AM)
No, there is a specific setting somewhere in the cache settings that states how much free RAM to use for RAM caching, the deafult being 10%. The MSDE limit is also worth changing anyhow...but I guess you know about this [;)] As for virus throttle, I am not sure I don't use the HP kit, but just remember reading that this helped a few people out with browsing performance... JJ

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (3.Mar.2006 3:00:29 PM)
I have made some progress with this and have further narrowed it down. It is not so much a throughput issue as it is a response time issue. Getting the a webpage to connect is still slow, but once the data transfer begins the page loads quickly. I reduced the cache size to 5GB (50MB per user), enabled PMTUDiscovery, and made thjs change as well http://support.microsoft.com/default.aspx?scid=kb;EN-US;839510 I also changed from logging to SQL/MSDE to flat file and will monitor that as well. The only thing I am left with is limiting cache memory (found it in Tom's book) and disabling the HP Virus Throttle (still looking). I'll keep you posted on progress! Thanks for the excellent suggestions!

tshinder -> RE: Slow browsing on HP ISA/VPN/Cache (5.Mar.2006 3:46:23 PM)
Hi Rodney, There has to be something going on that's very off label to cause these problems. What are the DNS settings on the ISA firewall's interfaces? Thanks! Tom

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (6.Mar.2006 5:40:55 PM)
Well I think I have it licked, seems to be much improved today, that or Iam getting used to the slowness :) The Internal NIC has DNS pointing to the two internal DNS servers for the AD domain. The External NIC does not have any DNS settings configured. I enabled PMTU and I also added a registry key: HKLM\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\ArrayPolicy\WebProxy REG_DWORD: msFPCSkipNameResolutionForAccessAndRoutingRules Value: 1 I started logging to flatfile, dropped the cache to 5GB, dropped cache memory to 5% and dropped SQL memory limit to 128MB. All in all it seems to have fixed things but I am monitoring it closely. I wish I could disable the MSDE services as I am no longer using it, but the MS Firewall Serivce depends on it. If all goes well, I may re-enable logging to MSDE and see what happens! Thanks again for the suggestions!

LLigetfa -> RE: Slow browsing on HP ISA/VPN/Cache (6.Mar.2006 6:03:36 PM)
Are you sure you really want msFPCSkipNameResolutionForAccessAndRoutingRules? That is usually reserved for situations where the ISA is the last hop in the chain. MSDE is worth having. Just limit how much RAM it can use. Did you disable virus throttling on the NIC?

spouseele -> RE: Slow browsing on HP ISA/VPN/Cache (6.Mar.2006 8:04:37 PM)
Hi Rodney, we have disabled the HP Virus Throttle by unbinding that driver from the adapters. Never had a problem again! [:)] HTH, Stefaan

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (6.Mar.2006 9:35:50 PM)
LLigetfa, I found that in a MS KB article which I will post when I can find it again. spouseele, thanks I am going to give that a try first thing in the morning. Once I get acceptable performance I am going to roll back some of these changes and see what happens.

tshinder -> RE: Slow browsing on HP ISA/VPN/Cache (8.Mar.2006 4:00:53 AM)
Hi Rodney, Disable Virus throttle and see if that makes a difference. Les is correct, do not disable name resolution by the ISA firewall unless its the final upstream ISA firewall. HTH, Tom

Lazyadmin -> RE: Slow browsing on HP ISA/VPN/Cache (8.Mar.2006 4:18:18 AM)
Disabled the Virus Throttle this morning and rebooted and performance is back to what I expected. That did the trick. In regards to the msFPCSkipNameResolutionForAccessAndRoutingRules registry key, the server is on the edge of the network. I found this in the following MS KB article http://support.microsoft.com/default.aspx?scid=kb;en-us;839510 I am going to start rolling back the other changes I made prior to the disabling of the virus throttle and see what happens!! I would be curious to know why the registry key should only be used on the edge ISA server?

spouseele -> RE: Slow browsing on HP ISA/VPN/Cache (8.Mar.2006 7:56:00 PM)
Hi Rodney, glad to hear that disabling the HP Virus Throttle solves the performance problem! [:)] Thanks, Stefaan

Novaryan -> RE: Slow browsing on HP ISA/VPN/Cache (20.Jun.2006 4:02:34 PM)
I posted this question in a similar thread, but does anyone have documentation for turning off Virus Throttle on an HP DL320? I'm not even sure if it is installed on my machine, as this wasn't the packaged DL320 with ISA 04 installed and windows 2003 SP1 secured. I've been through the entire HP Network Configuration Utility, the Device Driver properties, and NIC properties and see nothing referencing virus throttle. Thanks, Ryan

ked -> RE: Slow browsing on HP ISA/VPN/Cache (27.Jun.2006 8:46:52 PM)
[:)] In the properties of the NIC deselect option for HP virus throttle driver. I have same problem 2 weeks ago. No problems since then.

lrdars -> RE: Slow browsing on HP ISA/VPN/Cache (7.Aug.2008 11:13:48 PM)
Hello all, I have the same issue with my ISA server. Server settings: HP DL320 G4 Windows 2003 SP2 ISA 2006 Trend Micro AV GFI Web Monitor Using MSDE This server is setup as a proxy only single NIC. The issue that I�m having is that web pages take twice as long to load then if I just go via the firewall. As this is the first ISA server that I have installed I reloaded it thinking it may have been something I did but I still get the same issue. I have looked for this HP Virus Throttle and I can�t fine it. I have changed the following settings EnableTCPA dword:00000000, EnableRSS dword:00000000, EnableTCPChimney dword:00000000 and DisableTaksoffload dword:00000001. This has not fixed the issue and I�m stuck and I just need some help.

Page: [1]