Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
troubles in multiple vlan (42) setup
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
troubles in multiple vlan (42) setup - 15.Feb.2007 2:38:50 PM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
Hi,
I’m using isa2006 to give multiple companies in one office building access to the internet. I’m using a tagged vlan configuration.
We now have around 40 vlan’s defined on an intel nic. The vlans are setup as different subnets in ISA. It worked fine.
After adding number 30 or so ISA started to give problems. First I lost my remote desktop connection to isa and the internal networks; rpc problems. Now after adding vlan number 42 my vpn configurations stopped working. I’m not able to initiate any client vpn connections anymore and also the site-2-site connections stopped working.
Did I reach the boundaries of isa here? Are there ways to optimize vlan configurations or am I doing something wrong.
All the companies still have internet access but I don’t feel very comfortable with the situation.
Thanks,
Arthur
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 18.Feb.2007 12:33:13 PM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
yes!! Only remote management and vpn sessions stopped working. Today I installed a temporary second firewall behind the one with the 42nics to fix the site-2-site vpn issue. This works fine. Although it's not my preffered setup and I still have to work out why it stopped working. I think that the 42 vlans are using a to much resources and that routing and remote access service is not able to handle this amount. On the other hand the firewall itself doesn't seems to be stressed at all.
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 19.Feb.2007 9:28:24 AM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
I added 1 extra GB this weekend to a total of 3GB. It didn't seem to make out any difference. Memory utilization seems very low. On the other hand it takes a long time to initialize all the vlans, up to 10 minutes. This seems to conflict with starting up the isa services, for example after a reboot. It looks like that after restarting the isa services manually the rpc functionality comes back to life again, vpn doesn't.
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 20.Feb.2007 7:47:43 AM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Do you see anything interesting about this failure in the Event Viewer? Does the ISA Firewall Console Monitoring node indicate any failures?
Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 20.Feb.2007 8:41:28 AM
|
|
|
Jim Harrison
Posts: 231
Joined: 5.May2001
From: Redmond, WA
Status: offline
|
*whew* and I thought my 11-NIC lab ISA-lator was kewl...
Actually, ISA knows nothing about Q-tagging; this is handled solely by the NIC drivers. ISA Server is an IPv4-based firewall and knows nothing about any part of the stack below that. You haven't given any information regarding your IP subnetting; you need to ensure that you have *no* "crossing of the beams" anywhere.
1 - make sure you have the absolute latest ProSet package - Intel updates this regularly.
2. if this doesn't solve the problem, start looking into your event logs for complaints from your network stack - all the way from the ProSet software to the TCP/IP stack.
_____________________________
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 22.Feb.2007 9:19:34 AM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
Thanks for your input. I’m aware of the intel updates. Unfortunately I’m not yet up to their latest release, this is due to fact that in case of an upgrade you have to redefine all your vlan’s. This means I have to add 42 vlans with an average creation time of 2 minutes per vlan (intel takes a long time to initialize a newly added vlan).
The only event that makes any sense is this one from the dns event viewer. I’m running a dns forwarder on the isa box. The dns server is listening on all the ip addresses of the internal vlans.
Message:
“Each of these server IP addresses consumes additional system resources and can add a slight increase in performance overhead for DNS query reception. In most cases, you can remove secondary IP addresses that are not required to support server networking hardware. For more information, see ""Configuring multihomed servers"" in the online Help."
My internal Ip subnetting is as follow:
Vlan 100 10.128.100.0/24 ipadress on vnic 10.128.100.1
Vlan 101 10.128.101.0/24 ipadress on vnic 10.128.101.1
Vlan Y 10.128.Y.0 /24
Vlan 142 10.128.142.0/24
I also have a perimeter network defined for management purposes on a different physical network interface.
All vlan’s are included in the internal network and are defined as subnets within isa. Policy rules are defined on the subnet level to control access per vlan.
We use bandwidth splitter to shape traffic per vlan (per company) this works great. There is no change with the issues if you turn the b.splitter service on or of.
Processor and memory (3B) consumption are reasonably low.
Thanks,
Arthur
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 23.Feb.2007 11:38:22 AM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
Hi Tom,
I have one DNS server running on the isa box which is listening on all the ipadresses of the vlans (virtual nics).
So for example if you click on interfaces of the dns properties you see all the ip adresses of the internal virtual network cards (10.128.100.1, 10.128.101.1, 10.128.x.1).
DNS only works as a forwarder for ext DNS requests.
thanks,
Arthur
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 25.Feb.2007 12:31:34 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Arthur,
OK, this is a complete WAG -- but what if you set the DNS server to listen on a single IP adderess, and configure only the top listed interface with that address?
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 15.Mar.2007 9:13:20 AM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
Hi Tom,
I took a wile to find a suitable time slot to try your suggestion. Unfortunately this didn't work out.
I bought a cisco 3750 routing switch that I will be using for the vlan routing.
I will let you know if the ISA complete functionality will come back to life after the deletion of the vlans
Thanks for your help,
Arthur
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 19.Mar.2007 12:11:44 PM
|
|
|
arthurw
Posts: 23
Joined: 2.Feb.2005
From: Amsterdam
Status: offline
|
Hi Tom,
First I upgraded the NIC's to the latest Intel drivers. This didn't make out any difference.
Subsequently we migrated 10 vlans to the cisco and deleted ISA rules, subnets and listeners for the 10 biggest traffic generators. And restarted the isa services. After this action (don't get too excited yet) remote desktop started functioning again.
Nevertheless after some minor modifications in the rule base and a later reboot remote desktop and vpn connections stopped functioning again.
What I have seen and it's a wild guess is that sometimes after restarting isa services vpn functionality and mstsc come back to life again. I think there is a timing issue with starting up the services and the initialization of the vlans. In other words ISA is already up and running while the NIC's are still being initialized; this takes avg 10 minutes. On the other hand restarting the services is not always the solutions. An other guess is the enormous amounts of routes that ISA needs to process and that we are facing some limits here. I don't know....
Arthur
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 20.Mar.2007 12:22:25 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Arthur,
Do you see any errors in the Event Viewer?
It might be worth downloading the ISA BPA and running a trace and sending it to Jim Harrison. He's interested in these VLAN issues and maybe we can come up with a definitive solution here.
Thanks!
Tom
_____________________________
Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/
GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
|
|
|
|
|
RE: troubles in multiple vlan (42) setup - 12.Apr.2007 2:13:07 PM
|
|
|
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
quote:
ORIGINAL: arthurw
I bought a cisco 3750 routing switch that I will be using for the vlan routing.
I will let you know if the ISA complete functionality will come back to life after the deletion of the vlans
That is what I was going to suggest earlier but didn't want to butt in to the conversation. There is no way in the world I would ever ask an ISA Server to be the LAN Router for 42 VLans. Leave that work up to a regular Router (or Layer3 Switch) and let the ISA live in the normal 2-subnet/2-nic setup and do the Firewall job that it was really meant to do.
I know ISA can double as a LAN Router, but just because something "can" do something, doesn't mean it is always a good idea.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
