Solved

Internet Leased Line is very slow ???

Posted on 2004-09-21
Last Modified: 2016-03-23
Dear Friends,

We have a new 128 Kbps leased line for internet. I have Windows 2000 SP4 and Exchange 5.5 SP4,
and we have 400 users in our network. Until 3 days ago the performance of the leased line was good, but for the last 3 days it has been very slow.

When I ping the ISP proxy server it takes 1000 to 12000 milliseconds; before it was only 60 - 80 milliseconds.

On the ISP side they are using some traffic utilization tools, and they are saying that the complete 128 Kbps bandwidth is utilized for internet.
But we have only 5 users who can access the internet, and Exchange 5.5 is connected.
If the problem is with Exchange traffic, it was good before; the problem has been occurring for 3 days only.

One last hint: we have another leased line to connect our remote branch, and for 4 weeks that has also had the same problem.
Any solution?
Question by:javeed_ccna
20 Comments
 

Author Comment

by:javeed_ccna
ID: 12120788
What's happened ???
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12121015
128Kbps for 400 Users?

If your users are going out to the internet, that can explain it (it takes a few days to learn the Internet's capabilities, and users are fast learners when it comes to the Internet). Also, I would check any FW log to verify that I'm not transmitting (uploading) anything beyond my control. If you are using xDSL, uploading can be critical.

Also, you may check or scan for any sudden spyware/viruses implants...

I would suggest implementing a traffic gateway to control bandwidth, thus allowing you to analyze outgoing traffic and what element is using that traffic.

If you want to read more about it just say so...

:)

Cyber
0
 

Author Comment

by:javeed_ccna
ID: 12121060
Yes please, Cyber-Dude.
Is a sniffer useful ??
0
 

Author Comment

by:javeed_ccna
ID: 12121180
Cyber-dude,

The 400 users aren't using the internet connection; only 5 people are using the internet. But I connected my Exchange to this leased line. Before, it was working fine; this has been happening for one week only.

From where can I get a trial version of a sniffer tool?
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12121222
You can monitor Internet activities via the firewall, and this is the best way to do so due to the fact that this is the element that holds all external usage. Do you use a firewall system (i.e. ISA Server, Proxy, PIX, Checkpoint and so forth) and if yes, what type?

Cyber
0
 

Author Comment

by:javeed_ccna
ID: 12121320

Yeah, I have a PIX 515E and an ISA 2004 server. Could you please tell me how to monitor ??
0
 
LVL 15

Accepted Solution

by:
Cyber-Dude earned 500 total points
ID: 12121496
Step by Step guide to monitor network activities:

1. Setup the PIX Firewall to generate and export Syslog activities to any Server you prefer.
2. Install any Syslog analyzer that will capture traffic in real-time from the PIX Firewall.
3. Capture a period of one hour.
4. Generate a report based on that log file.

This will provide you with the exact state your network is in:

Instructions:
1. To setup the PIX Firewall to generate and export Syslog activities:

Step 1: Designate a host to receive the messages with the logging host command. For normal syslog operations to any syslog server, use the default message protocol, UDP, as shown in the following example:

logging host dmz1 192.168.1.5

If you want to use the reliable syslog feature of the PFSS whereby the PIX Firewall stops its traffic if the PFSS Windows NT disk becomes full or the system is unavailable, use the tcp option; for example:

logging host interface address tcp/port

Replace interface with the interface on which the server exists, address with the IP address of the host, and port with the TCP port (if different than the default value of 1468).

You can see if PIX Firewall traffic has been disabled due to a PFSS disk-full condition with the show logging command and look for the "disabled" keyword in the display.

Only one UDP or TCP command statement is permitted for a server. A subsequent command statement overrides the previous one. Use the write terminal command to view the logging host command statement in the configuration. In the configuration, the UDP protocol appears as "17" and TCP as "6."

Step 2: Set the logging level with the logging trap command; for example:

logging trap debugging

Cisco recommends that you use the debugging level during initial setup and during testing. Thereafter, set the level from debugging to errors for production use.

Step 3: If needed, set the logging facility command to a value other than its default of 20. Most UNIX systems expect the messages to arrive at facility 20, which receives the messages in the local4 receiving mechanism, described in the section "Configuring a UNIX System for Syslog."

Step 4: Start sending messages with the logging on command. To disable sending messages, use the no logging on command.

Step 5: If you want to send time stamped messages to the PFSS, use the clock set command to set the PIX Firewall system clock and the logging timestamp command to enable time stamping. For example:

clock set 14:25:00 apr 1 2000

logging timestamp
 
In this example, the clock is set to the current time of 2:25 pm on April 1, 1999, and time stamping is enabled. To disable time-stamp logging, use the no logging timestamp command.

Step 6: If you want to stop sending a message to the syslog server, use the no logging message syslog_id command. Replace syslog_id with a syslog message ID, which you can view in the System Log Messages for the Cisco Secure PIX Firewall Version 5.1.

2. Use Syslog Server:
Step 1: Go to the following link and download the software:
http://www.sawmill.net/features.html

Step 2: Install the software and configure it to capture all Syslog activities. See the following link for its installation manual:
http://sawmill.net/cgi-bin/sawmill7/7.0.6/sawmill.cgi?dp+docs.technical_manual.toc+webvars.username+samples+webvars.password+sawmill

Step 3: Run the report in HTML format.

Good luck

:)

Cyber
0
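The "generate a report" step of the accepted answer, as an added example that is not part of the original thread: it ranks inside hosts and remote ports by bytes from the exported PIX syslog and relates each total to one hour of the 128 Kbps line. The teardown message layout (IDs 302014/302016), the interface name `inside` and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape: PIX connection-teardown messages (302014 TCP, 302016 UDP);
# adjust the pattern to what your syslog server actually stores.
TEARDOWN = re.compile(
    r"%PIX-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<if_a>[\w-]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) "
    r"to (?P<if_b>[\w-]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration [\d:]+ bytes (?P<bytes>\d+)"
)
# Constructed sample lines (not taken from the thread).
SAMPLE = """\
Sep 22 10:00:01 192.168.1.1 %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/80 to inside:192.168.1.21/1045 duration 0:00:12 bytes 48210 TCP FINs
Sep 22 10:00:03 192.168.1.1 %PIX-6-302014: Teardown TCP connection 1002 for outside:198.51.100.7/25 to inside:192.168.1.50/2301 duration 0:01:40 bytes 912000 TCP FINs
Sep 22 10:00:04 192.168.1.1 %PIX-6-302014: Teardown TCP connection 1003 for outside:198.51.100.9/25 to inside:192.168.1.50/2302 duration 0:01:38 bytes 887500 TCP FINs
Sep 22 10:00:05 192.168.1.1 %PIX-6-302016: Teardown UDP connection 1004 for outside:203.0.113.53/53 to inside:192.168.1.21/1046 duration 0:00:02 bytes 310
Sep 22 10:00:06 192.168.1.1 %PIX-6-106015: Deny TCP (no connection) from 192.168.1.60/1100 to 203.0.113.10/80 flags RST on interface inside
""".splitlines()

def top_talkers(lines, inside_if="inside"):
    """Sum bytes per inside host and per remote (protocol, port)."""
    by_host, by_port, skipped = Counter(), Counter(), 0
    for line in lines:
        m = TEARDOWN.search(line)
        if not m:
            skipped += 1          # other message IDs, e.g. denies
            continue
        if m["if_a"] == inside_if:
            host, port = m["ip_a"], m["port_b"]
        elif m["if_b"] == inside_if:
            host, port = m["ip_b"], m["port_a"]
        else:
            skipped += 1          # connection does not touch the inside interface
            continue
        by_host[host] += int(m["bytes"])
        by_port[(m["proto"], int(port))] += int(m["bytes"])
    return by_host, by_port, skipped

def link_share(nbytes, kbps=128, seconds=3600):
    """Fraction of the link's capacity over the capture window."""
    return nbytes * 8 / (kbps * 1000 * seconds)

if __name__ == "__main__":
    hosts, ports, skipped = top_talkers(SAMPLE)
    for host, n in hosts.most_common(5):
        print(f"{host:15} {n:>10} bytes  {link_share(n):6.1%} of a 128 Kbps hour")
    for (proto, port), n in ports.most_common(5):
        print(f"{proto}/{port:<6} {n:>10} bytes")
```

A single inside host dominating the byte count toward one remote port, as 192.168.1.50 does toward TCP/25 in the constructed sample, is the kind of pattern to follow up with an antivirus scan of that machine.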
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12127734
I'd use MRTG, or a similar tool, to look at how much bandwidth is being used.

0
 

Author Comment

by:javeed_ccna
ID: 12131029
Dear cyber Dude

You explained a complex procedure. It is confirmed that there is a virus in my remote network; it's capturing all the bandwidth of my internal leased line and external (internet leased line). If it is a virus, what kind of virus is it?
Could you please tell me, is there any new threat or virus that affects bandwidth like a DoS attack?

How to overcome such kind of situation ??
 
0
 

Author Comment

by:javeed_ccna
ID: 12132294

Dear all,

Is there any virus related to bandwidth? Because my internal network bandwidth has also decreased along with my internet leased line bandwidth. That means there is some virus in my network nodes that's causing this bandwidth problem.

How to trace such kind of virus ??
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12134231
What firewall do you use ?
Surely the logs will tell you which internal IP addresses are generating the most traffic ?
Otherwise (for free), you could use Ethereal and Snort to diagnose this further...
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12137350
Any self-spreading virus (i.e. worms) may potentially reduce network performance. If you want to know how it does so, there's an example of a very widespread and common virus: The NetSky virus...

Read the following article from the department of information technology:
http://technology.shu.edu/page/Virus+Alert+Netsky+Virus!OpenDocument

Cyber
0
 

Author Comment

by:javeed_ccna
ID: 12149384

Dear tim_holman,

I am using a PIX firewall 515E; how can I check the logs in the PIX?
0
 

Author Comment

by:javeed_ccna
ID: 12149966

Dear tim,

I am using Ethereal. With it I found that my internal router, which is connected to our remote branch, is generating the most broadcast packets, and some systems are often broadcasting packets. Can I assume this is causing the low bandwidth?

I scanned all the PCs in my segment and I found some PCs infected with a virus.
Is there any alternative I have to check?

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12150064
The only way to verify PIX logs is via a Syslog server - eg Kiwi, and a log analyzer like SawMill would also assist.
Either that, or plug in a console and look at the messages as they go past, but this isn't much good if you've a high volume of messages.
If you get a nice long Ethereal file, you can pipe this through Snort to see if there are any malicious anomalies in your network traffic.  This is all freeware, so all you need is the time !
What sort of broadcasts are you picking up ?  These are normal, yes, but too many of them may indicate a faulty network card somewhere on your network, so if you've one host that is being too chatty, turn it off, retest your bandwidth.
0
 

Author Comment

by:javeed_ccna
ID: 12150206
Dear Tim,
I have a huge Ethereal file, but as you mentioned "snort", how can I manage this info with Snort?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12151207
You can 'replay' the Ethereal file through Snort.  A Win32 version is available from www.snort.org.  It's an IDS, so will detect suspicious activity / worms and will report it.
0
 

Author Comment

by:javeed_ccna
ID: 12158902
I used Ethereal, and found broadcast traffic across the whole network.

Consider 192.168.1.0 as our network: I found packets broadcast to 192.168.1.255
and also broadcast to 255.255.255.255, which means packets are being broadcast to all addresses.

Can you please tell me whether this might be the problem ??
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12159118
You cannot monitor PIX through Syslog if you are within the network!!!

You'd have to use Syslog because switches tend to filter ALL traffic not intended for you, and the broadcasts you may get are FFFFFFFFFF physical addresses intended for queries...

Cyber
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 12159186
Broadcast traffic is normal to some extent, but just how much broadcast traffic does Ethereal say you are receiving, and what TCP/UDP port is involved ?
0
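The last question above (how much broadcast traffic, and on which TCP/UDP port) can be answered from a saved capture. This is an added example, not part of the original thread, which counts Ethernet broadcast frames per source and destination port; it assumes the capture was saved in classic libpcap format with Ethernet link type, and the helper names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

BCAST = b"\xff" * 6

def broadcast_summary(pcap):
    """Return (total frames, Counter of broadcast frames by (source, kind))."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic libpcap file with Ethernet frames")
    total, seen, off = 0, Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        total += 1
        if len(frame) < 14 or frame[:6] != BCAST:
            continue                      # not a broadcast, or truncated frame
        etype = struct.unpack("!H", frame[12:14])[0]
        src = frame[6:12].hex(":")        # fall back to the source MAC
        kind = "ARP" if etype == 0x0806 else f"ethertype 0x{etype:04x}"
        if etype == 0x0800 and len(frame) >= 34:
            src = ".".join(map(str, frame[26:30]))
            proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
            kind = f"IP proto {proto}"
            if proto in (6, 17) and len(frame) >= l4 + 4:
                dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
                kind = f"{'TCP' if proto == 6 else 'UDP'}/{dport}"
        seen[(src, kind)] += 1
    return total, seen

def _udp_frame(dst_mac, src_ip, dst_ip, dport):
    """Constructed sample frame: Ethernet + IPv4 + UDP, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes(src_ip), bytes(dst_ip))
    return (dst_mac + b"\x00\x11\x22\x33\x44\x55\x08\x00" + ip
            + struct.pack("!HHHH", 1025, dport, 8, 0))

def _pcap(frames):  # wrap frames in a little-endian classic pcap, link type 1
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

HOST, NET_BCAST, ALL_ONES = (192, 168, 1, 60), (192, 168, 1, 255), (255,) * 4
SAMPLE = _pcap([_udp_frame(BCAST, HOST, NET_BCAST, 137)] * 3
               + [_udp_frame(BCAST, HOST, ALL_ONES, 67),
                  _udp_frame(b"\x00\x0c\x29\xaa\xbb\xcc", (192, 168, 1, 21), (203, 0, 113, 10), 53)])

if __name__ == "__main__":
    total, seen = broadcast_summary(SAMPLE)
    for (src, kind), n in seen.most_common():
        print(f"{src:17} {kind:10} {n} of {total} frames")
```

On a real capture, read the file with `open(path, "rb").read()` and pass the bytes to `broadcast_summary`; one source producing most of the broadcasts is the host to isolate and retest.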
