Welcome to ISAserver.org

still performance problems isa server 2004

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> General >> still performance problems isa server 2004

Page: [1] 2 next > >>

Message

<< Older Topic Newer Topic >>

still performance problems isa server 2004 - 28.Jun.2005 10:34:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

What next anyone I'm still having horrible performance problems with isa 2004. I read this link http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=35;t=000170. He suggested that performance problems are dns or duplex setting. I change all the damn duplex setting on the external nic and it still did not help. I've posted about this several times before I have a 3meg cable pipe after I installk isa 2004 it drops to 1200. Maybe I missed something when doing the duplex settings. ISA is the only firewall that does this on my lan I've installed astaro security linux, sonicwalls, netgears,linksys, monowall, checkpoint. None had this problem but isa.

Post #: 1

Featured Links*

RE: still performance problems isa server 2004 - 28.Jun.2005 2:54:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

if you think your DNS and adapters are perfectly configured, than I suggest you take some network monitoring traces to find out what is going on on the wire.

HTH,
Stefaan

(in reply to watts3000)

Post #: 2

RE: still performance problems isa server 2004 - 28.Jun.2005 5:15:00 PM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

I remember runnning a trace a while back and I saw lots of retramsmissions basically what you spoke of in your article. This may sound stupind but how can I be sure that I'm using the right duplex speeeds. All of my switches are 10/100 and I have a 3meg down pipe. Do you think the problem is on the wan side or lan side the nic that the cable modem runs to what duplex speed should that be running at.

(in reply to watts3000)

Post #: 3

RE: still performance problems isa server 2004 - 29.Jun.2005 7:02:00 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

tha value as such is not the most important thing. What is important is that both sides, that is the switch and the adapter, have *exact* the same fixed settings.

If you see a lot of retransmissions on the internal interface, then you should investigate that subnet and every thing behind it (internal network). If you see them on the external interface, then you should look at that part of the network.

HTH,
Stefaan

HTH,
Stefaan

(in reply to watts3000)

Post #: 4

RE: still performance problems isa server 2004 - 29.Jun.2005 8:33:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

So basically you are saying if the switch is set for 100mbs than the nic needs to be set for 100mbs. My question is how does one properly inspect the wan side of things since I have a cable connection? I'm still wonderign though what speed does a cable modem diplex at if there is such a thing on a cable modem. Also as far as network monitoring is there an article here that expalins how to read whats going on with network monitor? Sorry if that was a stupid question but normally our network guys would do all of that. Also what are some good packages for network monitoring.

(in reply to watts3000)

Post #: 5

RE: still performance problems isa server 2004 - 29.Jun.2005 3:32:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

yes, everything must match exactly! Also, try to avoid auto settings and don't forget to check the cabling too. Updating the NIC drivers is also good practice.

For the cabling modem, you'll probably have to call the installer to find out how that box is configured.

My favorite network monitor is Ethereal. It is for free! You can download it at http://www.ethereal.com . To understand network traces you have to first understand the in and out of the protocols used. For some good info, check out:
- http://www.microsoft.com/technet/itsolutions/network/evaluate/technol/tcpipfund/tcpipfund.mspx
- http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/networking/tcpip03.mspx
- http://www.networksorcery.com/enp/default0401.htm

HTH,
Stefaan

(in reply to watts3000)

Post #: 6

RE: still performance problems isa server 2004 - 29.Jun.2005 4:52:00 PM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

How am I suppose to know what speed is on the cable company's side. I assume that since its a 3meg pipe that is 10mbs full duplex. What do you think?

(in reply to watts3000)

Post #: 7

RE: still performance problems isa server 2004 - 29.Jun.2005 5:13:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

call them and they should be able to give you that info. [Big Grin]

Tip: to test the connection I use either Iperf ( http://dast.nlanr.net/Projects/Iperf/ ) or a simple FTP. For Iperf you need the cooperation of your ISP. For FTP, transfer a big file (upload and download) to your ISP FTP server. As FTP client I use the standard Microsoft FTP client and enable hash mark printing (command hash). By watching the hash marks you can immediately see if the transfer goes well or not.

HTH,
Stefaan

(in reply to watts3000)

Post #: 8

RE: still performance problems isa server 2004 - 30.Jun.2005 7:18:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

I'm going to try to dig up a 10 meg hub. I will put the cable into that hub and than run it to the isa box and play with the duplex settings. I also plain on taking those network captures tonight. What do you think about bumping the cable down to a 10meg hub basically taking a 10/100 switch out the picture.

(in reply to watts3000)

Post #: 9

RE: still performance problems isa server 2004 - 30.Jun.2005 10:10:00 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

that won't help you! You need to know how the LAN interface of the cable modem is configured. Moreover, with a hub the duplex setting is by definition half-duplex. Only a switch can work half or full-duplex.

HTH,
Stefaan

(in reply to watts3000)

Post #: 10

RE: still performance problems isa server 2004 - 30.Jun.2005 12:51:00 PM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

I called a cable tech last night and he acted like he did not know. So basically I need to know if the cable connection if full duplex or half or whatever?

(in reply to watts3000)

Post #: 11

RE: still performance problems isa server 2004 - 30.Jun.2005 3:29:00 PM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

I spoke to some charter cable guys they say that its just coax for the wan side of the modem. The lan side run at 100mbs from what they say.

(in reply to watts3000)

Post #: 12

RE: still performance problems isa server 2004 - 30.Jun.2005 5:05:00 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

there are 5 possible settings, Auto, 10 half, 10 full, 100 half and 100 full duplex. Without *exact* info you'll have to determine the correct setting by trial and error.

What you can do is first set the ISA external interface to 10 fixed. Check if you have a connection (linkbit). Then set the ISA external adapter to 100 fixed. If you still have a connection (linkbit), it is very likely that the cable modem is configured for auto-negotiation. In that case, set the ISA external adapter also in auto.

If it is determined that the setting must be 10 or 100 (not auto), then you have to test with the half or full duplex setting. If there is a mismatch you will have a lot of collisons and a lot of retransmissions when the traffic level increases.

In any case, you'll have to create a lot of traffic. As mentioned before, downloading/uploading big files is a good method to create a lot of traffic. If you can, do the download and upload simultaneously.

BTW --- with FTP command hash and the command 'netstat -s' you can quickly see if there are a lot of retransmissions.

HTH,
Stefaan

(in reply to watts3000)

Post #: 13

RE: still performance problems isa server 2004 - 30.Jun.2005 6:44:00 PM

LLigetfa

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline

Have you tried a different NIC or updating the driver on the NIC?

(in reply to watts3000)

Post #: 14

RE: still performance problems isa server 2004 - 1.Jul.2005 7:13:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Yes I have tried different nics I also tried all duplex speeds and I still had performance problems. I'm going to check our dns setup next if that does not fix it I'm putting in a call to microsoft. I have been dealing with this for months. Also is there a way to use isa 2004 without using it as a internet gateway. I know I can put it in a dmz with a single nic to provide protection for exchange servers, but I would also like to use it for vpn. I trying to come up with a design so I can get the full benefits of the product but I will not use it for lan clients to proxy there web request through.

(in reply to watts3000)

Post #: 15

RE: still performance problems isa server 2004 - 1.Jul.2005 9:50:00 AM

LLigetfa

Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline

Have you tried enabling PMTUDiscovery?

(in reply to watts3000)

Post #: 16

RE: still performance problems isa server 2004 - 1.Jul.2005 10:59:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

That reg key tweak was one of the first things I tried. This is really begining to piss me off because know one seems to know he answer to my problem. If thi sis not figured out by Tuesday I'm going to be forced to pay microsoft the 250.00 for a tech call.

(in reply to watts3000)

Post #: 17

RE: still performance problems isa server 2004 - 2.Jul.2005 6:10:00 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

such kind of problems can be very hard to debug. [Wink]

Not so long ago I helped a friend to solve a performance issue. It took us a couple of weeks before we could prove it was somewhere upstream. Two ISPs where involved and the hardest part was to get all the parties involved together to diagnoses the problem. At last we found that the cause was a bad patch cable between our 10 Mbps connection managed by one ISP and the backbone switch of the other ISP.

To faciltate the testing we did place a W2K3 server outside the firewall in the folllowing way:

code:

LAN --- [Firewall] --- [Switch] --- ISP1 (10 Mbps) --- ISP2 (backbone switch)
                          !                        ^^^
                          !                   bad patch cable
                       [Server]

First, we tested the performance between the LAN and the Server and could therefore rule out any problems with the firewall. Next, we tested from the LAN and the Server to the ISP's and the ISP's were able to test from their side to the Server without any restrictions. We used Iperf, FTP and Ethereal to diagnoses the problem. With the Ethereal traces at hand we could prove that the problem must be somewhere upstream to the firewall.

HTH,
Stefaan

[ July 02, 2005, 06:27 AM: Message edited by: spouseele ]

(in reply to watts3000)

Post #: 18

RE: still performance problems isa server 2004 - 2.Jul.2005 8:19:00 AM

watts3000

Posts: 115
Joined: 27.Jun.2004
Status: offline

Can you explain one more time how you do your testing. I know you use Ethereal for the packet tracing. But how exactly do you use Iperf, FTP. I'm going to spend some time on testing this today. How should I go about using Ethereal do I put it on a workstation or do I put it on a laptop what the best method of using it?

(in reply to watts3000)

Post #: 19

RE: still performance problems isa server 2004 - 2.Jul.2005 9:23:00 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi watts3000,

I will try... If you have no experience with Iperf yet, I suggest you use the standard Microsoft FTP command line client and some big files. Use at least a file the size equals the speed of the line but in MBytes.

1. Place a switch on the external subnet. By doing that you can separate the link settings 10/100 and half/full from your cable modem. I suggest you set the link ISA external <-> switch to 100 full and the link switch <-> cable modem to whatever you think it should be.

2. Place a W2K3 server with IIS (FTP server) on that switch and again I suggest you set the link W2K3 server <-> switch to 100 full. Of course the W2K3 server should be on the same subnet as the ISA external interface. Also, install Ethereal on this server or activate Network Monitor on it. Pick the one you are the most familiar with.

3. Create an access rule on the ISA to allow the FTP protocol (don't forget to uncheck the read only flag) from Internal and Localhost (ISA itself) to the W2K3 FTP server.

4. Now we are ready to test the performance with an FTP upload and download from the ISA itself to the W2K3 FTP server, and next from an internal host to the W2K3 FTP server. Both should perform optimal, otherwise you have a problem with your network configuration.

For the FTP commands, this is the recommended sequence:
- login to the FTP server
- put the transfer mode in binary (bin command)
- enable the printing of the hash marks (hash command)
- upload and download a big file (put and get command)

During the transfer the printing of the hash marks should be smoothly. Also, with the 'netstat -s' command you can monitor the TCP counters. If you don't see a good performance, you'll have to analyse the network trace taken at the FTP server. If that does not give you enough information, take also simultaneously a network trace at the ISA external interface and compare the two traces. You should analyze the TCP flow and pay very close attention to the packet/ack sequences.

5. If all is working perfectly, you can repeat the tests but now from an outside client to the W2K3 FTP server. If that isn't possible, use the W2K3 as an FTP client and test against a known good FTP server, preferrable an FTP server at your ISP. Again, if something isn't working as it should, thoroughly analyse the network traces at the TCP level.

HTH,
Stefaan

[ July 02, 2005, 09:41 AM: Message edited by: spouseele ]

(in reply to watts3000)

Post #: 20