• Status: Solved
  • Priority: Medium
  • Security: Public

Do I have a bottleneck?

My problem was that I wanted to add a security appliance (Panda Gate Defender) to our network but have it cover two access lines, one T1 and one DSL. The DSL carries our POP3 email and the T1 serves a couple of small domains totaling 115 workstations. We are all Server 2003 Standard and XP Pro based.

We are suffering from occasional slow throughput on the DSL line, and now both lines are going completely down, requiring router restarts. This seems to occur at high-volume times: early morning, lunch and end of work day (well, for everyone but me!).

Here is the layout:

                      Internet
                    /            \
    DSL Modem               Full T1 CSU
           |                            |
    FW Routers              FW Routers
                     \            /
                  SMALL SWITCH
                            |
                  Security Appliance
                            |
                  Backbone SWITCH

The security appliance serves multiple roles: the main one is filtering email going to and coming from the DSL, and another is web content filtering for traffic coming from the T1.

Public addressing stops at WAN side of FW Routers.

THANKS!!!!
1 Solution
 
jabiiiCommented:
Have you tried simple pings from, let's say, the backbone switch to the routers?
Could you get rid of the small switch and plug the routers and security appliance into the backbone switch?
maxinglisCommented:
Well, even if it's a tiny switch, if it's 100Mb it's not going to be the bottleneck, since neither the DSL nor the T1 has the bandwidth to saturate it, even combined. You could segment 3 ports of the backbone switch into a separate VLAN and use those for connecting the FW routers to the security appliance.

I'm wondering if the security appliance is getting overworked having to differentiate traffic to separate gateways. What type of appliance is it?

Max.
maxinglisCommented:
Nm, I see it's a Panda Gate Defender. What model?
Jandakel2Commented:
The WAN interface of your Panda device should be within the same subnet as the LAN interfaces of your routers, i.e.

           192.168.1.2                                       192.168.1.3
           Router 1                                              Router 2
 
                                              Little Switch

                                              192.168.1.1
                                     WAN Interface of Panda

Are you running NAT somewhere? There should be a layer 3 device somewhere..... What is the IP of your default gateway?

JK





oakcrestAuthor Commented:
The Panda Gate Defender Performa is model 8100, which is for 25-500 users. 115 users currently.

The IP structure is as follows:

                      Internet
                    /            \
    DSL Modem                                                                Full T1 CSU
   216.200.100.193 / 255.255.255.224                63.119.89.129 / 255.255.255.240
           |                                                                                |
    FW Router                                                                  FW Routers
 PUB: 216.200.100.200 / 255.255.255.224       PUB: 63.119.89.131-n    / 255.255.255.240
 PRI: 10.0.0.2 / 255.255.255.0                        PRI: 10.0.0.1, 10.0.0.3   / 255.255.255.0
GATE: 216.200.100.193                                 GATE: 63.119.89.129
                     \                                             /
                                    SMALL SWITCH
                                               |
                                  Security Appliance
                              10.0.0.5 / 255.255.255.0
                                               |
                                  Backbone SWITCH

I telecommute 100% of the time, going through the DSL so as not to affect the T1, but it is extremely slow now. I'm using SAT, so pinging from here is misleading because of latency. But it is three to four times higher than usual to the DSL, and OK to the T1.

The purpose of the switch is to plug in three FW routers and the appliance as shown. The appliance has only one Ethernet port outbound and one inbound, so the switch allows me to connect three FWs into the outbound Ethernet port on the appliance.

I thought I had a damaged DSL modem, but then why would I, on occasion, lose Internet access at all workstations when the DSL fails totally? All workstations gateway through routers 10.0.0.1 and 10.0.0.3. The 10.0.0.2 FW router is dedicated to email / web.

At this very moment, the DSL is almost saturated, unusable.
Jandakel2Commented:
Did you have the same configuration before you put in the Panda appliance? Depending on what you have for your backbone switch, you could always route all the traffic through one port on your switch and back in another, to allow the backbone to talk directly to the routers once again.... kwim?

JK
oakcrestAuthor Commented:
The configuration has not changed, as the Gate Defender uses only local IP settings; I assigned it a free IP, 10.0.0.5.

One problem is I am not sure when it started, as it seems to come and go every few hours, crashing totally about once a day, especially if there is heavy traffic. It crashed yesterday morning, for instance, around 6:30am, while I was four hours into uploading a large amount of files via FTP. The files were going fine, at good speed, for hours, then it slowed, then the DSL went offline altogether; I could not ping the DSL modem, or of course its attached FW router. I could ping with good speed the T1 and its FW routers, even after connectivity through the T1 stopped later around 7:30. It is this DSL affecting the T1 that's got me baffled. I have been through three DSL modems in four years, so I was expecting perhaps it was the problem. If nothing shakes out tonight, I will start having my jr. support person replace equipment with backups, but this is going to cost me dearly in time and patience.

I think the time has come to drop the DSL line and use only the T1. I kept the DSL for email so as not to have to go through web and email changes, and to use it for emergency Internet access if the T1 is down. Is that a bad idea?

Panda has advised me the appliance should be behind the FW, before the backbone. The best solution is to have two of them, one for each line type, but that is expensive. These boxes are 6k to start with, including a one-year license for 115 workstations. I am happy with the box for its functions, and I do not think it is the cause, but it is just too early to tell. It has been only two weeks on the net.
Jandakel2Commented:
What do you have configured as the gateway of the Panda Appliance?
oakcrestAuthor Commented:
Gate Defender set with static IP 10.0.0.6 / 255.255.255.0 with gateway 10.0.0.1 (T1 FW router)
DNS is set to 4.2.2.1 - 4.2.2.2 - 4.2.2.3
oakcrestAuthor Commented:
I just discovered something, maybe. The connection, as mentioned above, was so bad I could hardly get in; it was like 12 baud.

I finally rebooted the DSL router. It did not change anything.
I rebooted the Gate Defender and noticed speed picked up to almost normal while it was rebooting.
It stayed normal after rebooting.
I browsed the SPAM reports on a hunch and found gazillions of spam per second being processed!
But the headers seem to be growing exponentially, like the SPAM is being looped?
Jandakel2Commented:
I think that the issue here is that you need a layer 3 device where you have your little switch. Right now you are expecting your 10/100 switch to route to two separate gateways. I think what is happening is the two routers that you have are updating each other through the switch, when it is much better to have them updating one central device, so that when traffic gets there, it knows where to go instead of having to go out to one of your routers to find out. The absolute best fix for you would be to have 1 line of throughput incoming and outgoing.

Something else I would do, before I did anything, would be to take a laptop, install Ethereal on it (www.ethereal.com, follow the install instructions), plug the laptop into the little switch and see what kind of traffic you're getting. It's my guess that you are going to be seeing a ton of ARP broadcasts. Give this a try and let me know what it yields... Ethereal is pretty straightforward, and if you are going to be a network admin, it is virtually a necessity that you learn how to use it, or some other packet sniffer.

Good Luck,

JK
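
Jandakel2's suggestion above is to capture on the little switch and look at what is actually crossing it. The script below is an added example, not code from the original thread or from Panda: it reads plain `tcpdump -n` text output and reports who is broadcasting ARP requests, which LAN hosts are opening SMTP connections, and any flow from the 10.0.0.0/24 LAN to the site's own public prefixes (216.200.100.192/27 and 63.119.89.128/28, as given in the thread). That last kind of flow can only exist if traffic is being hairpinned out through a firewall router and NATed back in. The capture lines are constructed; the individual hosts, ports and MAC address in them are illustrative (10.0.0.6 stands in for the appliance, 10.0.0.77 for a workstation).

```python
"""Triage of a text capture taken on the little switch.

Added example, not code from the original thread or from Panda.  The lines in
SAMPLE_CAPTURE are constructed to look like plain `tcpdump -n` output; the
site prefixes are the ones quoted in the thread, the individual hosts, ports
and MAC address are illustrative.
"""
import ipaddress
import re
from collections import Counter

# Addressing from the thread: LAN 10.0.0.0/24, public DSL /27 and T1 /28.
# A LAN host talking to the site's own public space can only be doing so
# via a firewall router that hairpins the traffic back in.
LAN_PREFIX = ipaddress.ip_network("10.0.0.0/24")
SITE_PUBLIC_PREFIXES = (
    ipaddress.ip_network("216.200.100.192/27"),  # DSL side
    ipaddress.ip_network("63.119.89.128/28"),    # T1 side
)

# Constructed sample (hosts/ports illustrative).  10.0.0.6 stands in for the
# security appliance, 10.0.0.77 for an ordinary workstation.
SAMPLE_CAPTURE = """\
10:02:01.000123 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 46
10:02:01.000980 ARP, Request who-has 10.0.0.6 tell 10.0.0.3, length 46
10:02:01.001200 ARP, Request who-has 10.0.0.2 tell 10.0.0.1, length 46
10:02:01.002000 ARP, Reply 10.0.0.2 is-at 00:11:22:33:44:55, length 46
10:02:01.003000 IP 10.0.0.6.40001 > 216.200.100.200.25: Flags [S], seq 100, win 65535, length 0
10:02:01.003500 IP 10.0.0.6.40002 > 216.200.100.200.25: Flags [S], seq 200, win 65535, length 0
10:02:01.004000 IP 10.0.0.6.40003 > 63.119.89.140.25: Flags [S], seq 300, win 65535, length 0
10:02:01.004500 IP 10.0.0.6.40004 > 192.0.2.10.25: Flags [S], seq 400, win 65535, length 0
10:02:01.005000 IP 10.0.0.77.51000 > 198.51.100.5.80: Flags [S], seq 500, win 65535, length 0
"""

ARP_REQUEST = re.compile(r"^\S+ ARP, Request who-has (\S+) tell (\S+),")
ARP_REPLY = re.compile(r"^\S+ ARP, Reply (\S+) is-at (\S+),")
IP_PACKET = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):"
)


def parse_capture(text):
    """Turn tcpdump lines into dicts; lines in any other format are skipped."""
    records = []
    for line in text.splitlines():
        if m := ARP_REQUEST.match(line):
            records.append({"kind": "arp-request", "target": m.group(1), "asker": m.group(2)})
        elif m := ARP_REPLY.match(line):
            records.append({"kind": "arp-reply", "host": m.group(1), "mac": m.group(2)})
        elif m := IP_PACKET.match(line):
            records.append({"kind": "ip", "src": m.group(1), "sport": int(m.group(2)),
                            "dst": m.group(3), "dport": int(m.group(4))})
    return records


def arp_requests_by_asker(records):
    """How many ARP requests each host broadcast.  One host asking over and
    over for the same neighbour is the storm Jandakel2 expects to see."""
    return Counter(r["asker"] for r in records if r["kind"] == "arp-request")


def hairpin_flows(records):
    """Packets from the LAN to the site's OWN public addresses, by (dst, port).
    These must leave through a firewall router and be NATed back in, which is
    the round trip a 'public IP of the internal server' setting produces."""
    hits = Counter()
    for r in records:
        if r["kind"] != "ip":
            continue
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        if src in LAN_PREFIX and any(dst in p for p in SITE_PUBLIC_PREFIXES):
            hits[(r["dst"], r["dport"])] += 1
    return hits


def smtp_connections_by_source(records):
    """LAN hosts opening port-25 connections: a workstation here is a likely
    spam source; only the appliance, at a high rate, points at mail looping."""
    return Counter(r["src"] for r in records
                   if r["kind"] == "ip" and r["dport"] == 25)


def triage(text):
    records = parse_capture(text)
    return {
        "parsed": len(records),
        "arp_by_asker": arp_requests_by_asker(records),
        "hairpin": hairpin_flows(records),
        "smtp_by_src": smtp_connections_by_source(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CAPTURE).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

To feed it a real capture from the laptop, save the non-verbose line format the regexes expect (`tcpdump -n -i <iface> > capture.txt`) and call `triage()` on the file contents; in Ethereal the same questions are answered by its protocol-hierarchy and conversation statistics. A non-empty `hairpin` result is the thing to chase first, because every such packet crosses the little switch twice.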
oakcrestAuthor Commented:
I will do that test, Jandakel. I have used COMM on servers a lot, but have not used a traffic sniffer on switches.

How would that switch affect traffic from the Internet to the DSL FW router? I mean, right now, if I ping the path below from the remote location I am at, it is bad. This is before the switch. If you saw my note above, what I am seeing is thousands of SPAM per hour being redirected by Gate Defender in the SMTP protocol, not POP3. So I am thinking that either the GD is bouncing the same SPAMs around multiple times, or the internal network is greatly infected with SPAM generators. The internal stations are protected using a network-based version of Panda, which for years has proven excellent. What do you think?
oakcrestAuthor Commented:
Bad ping -> remote location > 216.200.100.193 (DSL modem), 216.200.100.200 (FW router)
This is before the switch, before the Gate Defender.
Not so bad ping -> remote location > 63.119.89.129 (T1 CSU), 63.119.89.131 (FW router)

Is this what anyone else gets too?
Is it possible that the Gate Defender is causing traffic to one side of the switch due to a SPAM SMTP problem?
Jandakel2Commented:
What I think is going on is that, since the stripper is pointed toward the T1 for its gateway, and since it is only plugged into a little switch, when there is traffic destined for the DSL side of the house the stripper needs to go to the T1 router to find out where to send it, then the T1 router sends it via the switch to the DSL side of things. I know that you must have separate gateways set up at user level, but the stripper doesn't know the difference; it can only send packets to the gateway defined in its settings.... see what I'm getting at?

JK
oakcrestAuthor Commented:
Yes, I am having network help swap out the switch for a router, after getting traffic stats off the switch. Any other suggestions in that area? I am waiting on a support call from Panda about the SPAM question. When I say the GD is catching and redirecting SPAM, I mean it is REALLY catching way too much SPAM, like a couple hundred thousand per hour. Either I am infested or the GD is cycling SPAM, right?
Jandakel2Commented:
Are the messages that it is catching duplicates or from separate senders? If they are all separate, you are definitely being targeted.... This is kind of in keeping with what I was saying, though, because if the stripper gets a packet destined for the mail side of things (DSL) then it will need to talk to the T1 router to find out how to send it out. Try making the gateway of the stripper the DSL router temporarily and see if that helps the SPAM problem....

JK
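
Jandakel2's question (duplicates or separate senders?) can be answered from the gateway's own logs rather than by eyeballing the SPAM report. The script below is an added example that is not from the thread and does not use Panda's real log format: it parses constructed key=value log lines (RFC 2606 example domains; the redirect mailbox spam-catch@example.org is hypothetical) and separates a stream of distinct messages from a loop using two signals. The first is the same Message-ID being redirected repeatedly with a hop count (number of Received: headers) that grows on each pass; a genuinely new spam arrives once. The second is redirect decisions taken on mail that is already addressed to the redirect mailbox, which is exactly what happens when that mailbox is not on the whitelist.

```python
"""Is the spam the gateway catches a stream of distinct messages, or the same
few messages going round in a loop?

Added example, not from the original thread.  The log lines are constructed
in a generic key=value format (not Panda's real log format) using RFC 2606
example domains; spam-catch@example.org is a hypothetical redirect mailbox.
"""
import re
from collections import defaultdict

# Constructed sample.  Message 1001 is seen four times, each time with one
# more Received: header; message 2001 twice; 3001 is ordinary mail.
SAMPLE_LOG = """\
2007-04-05 06:30:01 action=redirect from=<offer@spammer.example> to=<jdoe@example.org> msgid=<1001@spammer.example> hops=3
2007-04-05 06:30:02 action=redirect from=<offer@spammer.example> to=<spam-catch@example.org> msgid=<1001@spammer.example> hops=4
2007-04-05 06:30:03 action=redirect from=<offer@spammer.example> to=<spam-catch@example.org> msgid=<1001@spammer.example> hops=5
2007-04-05 06:30:03 action=redirect from=<offer@spammer.example> to=<spam-catch@example.org> msgid=<1001@spammer.example> hops=6
2007-04-05 06:30:05 action=redirect from=<deals@other.example> to=<asmith@example.org> msgid=<2001@other.example> hops=2
2007-04-05 06:30:06 action=redirect from=<deals@other.example> to=<spam-catch@example.org> msgid=<2001@other.example> hops=3
2007-04-05 06:30:07 action=deliver from=<colleague@partner.example> to=<jdoe@example.org> msgid=<3001@partner.example> hops=2
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) action=(?P<action>\w+) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> msgid=(?P<msgid><[^>]*>) hops=(?P<hops>\d+)$"
)


def parse_log(text):
    """Parse the constructed key=value lines; anything else is skipped."""
    records = []
    for line in text.splitlines():
        if m := LOG_LINE.match(line):
            rec = m.groupdict()
            rec["hops"] = int(rec["hops"])
            records.append(rec)
    return records


def sightings_by_msgid(records, action="redirect"):
    """Group log records by Message-ID, in log order."""
    by_id = defaultdict(list)
    for r in records:
        if r["action"] == action:
            by_id[r["msgid"]].append(r)
    return by_id


def looping_messages(records):
    """Message-IDs redirected more than once whose hop count grows each time.
    Returns msgid -> (sightings, first_hops, last_hops)."""
    loops = {}
    for msgid, seen in sightings_by_msgid(records).items():
        hops = [r["hops"] for r in seen]
        if len(seen) > 1 and all(b > a for a, b in zip(hops, hops[1:])):
            loops[msgid] = (len(seen), hops[0], hops[-1])
    return loops


def rescan_count(records, redirect_address):
    """Redirect decisions on mail already addressed to the redirect mailbox:
    each one is a message that came back through the filter, i.e. the
    mailbox is not whitelisted."""
    return sum(1 for r in records
               if r["action"] == "redirect"
               and r["rcpt"].lower() == redirect_address.lower())


def verdict(records, redirect_address):
    """Duplicates-versus-senders summary plus a loop flag."""
    redirects = [r for r in records if r["action"] == "redirect"]
    loops = looping_messages(records)
    rescans = rescan_count(records, redirect_address)
    return {
        "redirects": len(redirects),
        "distinct_msgids": len({r["msgid"] for r in redirects}),
        "distinct_senders": len({r["sender"].lower() for r in redirects}),
        "looping": loops,
        "rescans": rescans,
        "loop": bool(loops) and rescans > 0,
    }


if __name__ == "__main__":
    for key, value in verdict(parse_log(SAMPLE_LOG), "spam-catch@example.org").items():
        print(f"{key}: {value}")
```

A high redirect count with few distinct Message-IDs and a non-zero rescan count is a loop, not an attack; many distinct IDs and senders is the "being targeted" case. On a real MTA the same two signals are the Message-ID and the number of Received: headers, and most MTAs enforce a hop-count limit (Postfix's `hopcount_limit`, Sendmail's `MaxHopCount`) that ends such a loop with a bounce instead of letting it run.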
oakcrestAuthor Commented:
OK, will try that. I was also told by Panda support to place the email address where SPAM is redirected into the GD whitelist, thinking maybe it is forwarding SPAM to a special email account, which is then caught by the SPAM controller again, which continues this cycle over and over.

0
 
oakcrestAuthor Commented:
Ok, problem looks solved.
One of two possible reasons caused this to happen, or both.
   1)  I had set the Panda Gate Defender to redirect all SPAM to a specific email address on our internal Exchange server. But I had not added that email address to the SPAM control 'white list', which would have kept the email from being caught again as it was redirected to this address.

   2)  I had set the Panda Gate Defender to send to the public IP address of the internal Exchange server, instead of the private IP of the Exchange server. This would have sent all redirected email and reports up towards the Internet for resolution, hitting the FW router, which would have redirected the same traffic back down through the Gate Defender to reach the internal Exchange server.

BIG SIGH!

BUT, I believe the suggestions of replacing the switch with a router, a level 3 component, were good suggestions and I will carry that out, after EASTER!

Thanks Jandakel2 for all your help and the good pointers to the level 3 replacement and the switch sniffer tool. The discussion helped me work through the problem. There are around 100 students and faculty with great appreciation that things are back to 'normal', whatever that is.
Jandakel2Commented:
Glad to help.... I also work in a central school district (K-12). I have a Gate Defender here also, and run a Server 2003 domain. So I've been through several different "trials and tribulations", haha. I am in the midst of migrating to Exchange here, so you never know, there may be some reciprocation in the near future! Good luck.

JK
oakcrestAuthor Commented:
What are you migrating from? I have gone from NT 4.0 with 5.5 to 2000 to 2003 here in the last four years at this school. I'd be glad to try and help if you get stuck, via Experts or direct email or IM. I'm greatly involved in school website products right now, to rewrite and/or add a CMS vendor.
Jandakel2Commented:
I am migrating from Sendmail and SquirrelMail (currently housed on an OS X 10.4 Server). We're changing to Exchange 2003. If you are looking at CMS vendors, you should take a look at Schoolwires. They are outstanding from what I hear; we have a few neighboring districts who have gone that route. www.schoolwires.com I'd love to get your email address... albeit privately... not sure of the best approach from here.

Thanks-

JK
oakcrestAuthor Commented:
What the h..., cstewart@oakcrest.org. After all, I do have a working SPAM controller!
jabiiiCommented:
Just ask a mod to delete your post after you're done :p
Jandakel2Commented:
Okay, thanks. I'll be in contact. Take a look at this website: www.sllboces.org. It is a site that an associate of mine made using the Schoolwires CMS.

JK