Solved

Internet times out periodically

Posted on 2009-05-05
15
391 Views
Last Modified: 2013-12-08
Hi all,
We are having problems with our internet becoming very slow to the point where pages time out. This happens 3 or 4 times a day seemingly at random times. When not going through the ISA 2004 firewall/proxy this issue does not seem to occur.

What is the best way to try and resolve this? Is there any monitoring software that I can run that will monitor throughout the day and show me more information about these timeouts?
0
Comment
Question by:trono
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
  • 4
15 Comments
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24312392
1. Do you have all the updates installed on your ISA Server?
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734854.aspx
2. Do you see any errors on the Event Logs?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24319194
Check first the following:
To check, if ISA or the router or the line has a problem, you should try with one single client to bypass ISA. If you experience normal speed with the bypassing clients and slow performance with clients over ISA, the issue maybe ISA related.

If you assume your router, just try to reboot your router so see, if this solves it. Some routers do only allow a number of simultanous connections and esp. file sharing programs like bittorrent may kill them.

For ISA, there may be the following reaons:
- If log files are enabled, they can raise from several MBs up to GBs. You should make sure, that so virus scanners are scanning them, as they take longer and longer as the log files are growing over the day.
- Check your RAM usage, if this can be an issue
- Temporarily disable the web cache
- Check the settings for Flood-Mitigation. It may be an oiption the build up a computerset with internal IP ranges and raise the values for these clients.

Some programs may open a lot of simulanous connections and this may be interpreted as a flood attack. If ISA detects a flood or spoofing attack, it may block temproraily some clients.

Also check, how many connection requests are denied on the external interface. This may also a reason for ISA to slow down.
0
 

Author Comment

by:trono
ID: 24322519
Thanks for the suggestions so far. It has been determined that when bypassing ISA the issue does not occur...so it looks like it's definetly something to do with the ISA server or where it's connected.

- The ISA server is kept upto date via WSUS
- Unfortunatley no errors in the event log
- Don't think it's the log files as they have not changed in size compared to in the past
- The RAM is a little less than would be ideal but no more RAM is used when the issue occurs
- Not sure about disabling the cache as it says all the settings will be removed.
- We have ISA 2004 so I don't think the flood mitigation feature is available

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 14

Expert Comment

by:Raj-GT
ID: 24322604
I would still suggest a manual update check using Microsoft Update to confirm patch status. Do you see any alerts logged in ISA alerts tab?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24326839
- OK
1.) Usually, ISA is setup either to log in W3C Format databases (IIS Format) or to log to a SQL server instance. If you are unsure, check, whether you have a SQL server instance installed or if you find *.mdf / *.ldf files on your server.
If you log to files, the files have a format like ISALOG_xxxx.yyy somewhere.

SQL Server databases as well as the log files should not be scanned by virus scanner.

The files should grow on every access, as long as not disabled.

2.) RAM is an issue, as long as the physical RAM is completely used, means the server starts swapping into the swapfile ( pagefile.sys). This file should also excluded from virus scanners.

3.) If the cache is enabled, you should find an urlcache directory with a file named dir1.cdat on your system. Also this file should be excluded from virus scanning. If you use caching, you should select an amount of disk space, which corresponds to your usage. I use normally not more than 200 MB.

4.) Make sure, that you disable the monitoring, if you have used it. The monitoring should not run in the background. This is only for analysis purposes.

5.) As I remember, ISA 2004 supports also connection verifiers. These can be usefull to generate alerts if the external connection fails.  But they also produces some traffic, use them with rarely.

6.) try to find out, if you can observe any other kind of load on the server if you experience this issue. You have also a performance counter on the ISA start page, you can enable. Otherwise you can also use the windows performance counters to make a longer observation about a few load parameters.

7.) free disk space (should never rund under 100 MB free space)
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24326897
Yea, and following Ray-GT, there is an update for a ISA-NAT problem. This is usually applied by WSUS, but check your WSUS as well as your ISA, if this is really applied (and accepeted in WSUS).

Look for
- ISA SP3
- UDP Update for ISA (MS08-037 Nov. 2008)
- Security Update ISA (KB 960995 Apr. 2009)
0
 

Author Comment

by:trono
ID: 24353427
thanks i had missed the latest update for ISA released on April 2009...it is good to have but unfortunatley has not resolved the issue. At this stage is looks like it is a problem with one of our switches...not sure why as yet but when we connect the ISA server and clients into a 10/100 switch instead of the usual gigagyte switch the issue seems to disappear. Still at a bit of a loss as to why & how to resolve this issue but seems like we are getting closer to confirming that the problem is an issue with the ISA server & or cisco routers connection with the gigabyte switch.
0
 
LVL 14

Assisted Solution

by:Raj-GT
Raj-GT earned 150 total points
ID: 24354510
Make sure you have the speed and duplex settings for the interfaces configured manually at both ends. I've had similar issues with Cisco routers and ISA before, which was fixed by manually configuring the interface parameters.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24358946
Rah-GT is right, this is a good idea....
0
 

Author Comment

by:trono
ID: 24499009
Have finally tested all you suggestions. i.e turned off caching, checked for duplex errors but unfortunatley there are still intermittent timeouts.

I have been able to confirm that it is only internet traffic that goes via ISA that is effected...when bypassing the proxy these intermittent timeouts do not seem to occur.

Haven't used it before but wondering if we might be able to narrow this down by using a product such as ethereal? Any assistance with where to go from here would be appreciated.
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 24501003
You mentioned that the issue only occurs if you are connected to a gigabit switch. Did you manage to rule out any errors on the switch side? I would also recommend a NIC driver update.

Do you see any alerts logged by ISA under the monitoring tab at all during or just before the timeout issues?
0
 
LVL 35

Accepted Solution

by:
Bembi earned 350 total points
ID: 24501086
If the NIC connection is dropped, you should see event messages in the event log.
If the switch has problems with the NIC, you can see this only on the switch log if it is not a SOHO switch. Switches have a lot of functionality which may be in interference with ISA. Such functions are Spanning Tree, Jumbo Frame, QoS or any other kind of load control. You may try to disable such things on the ISA port. Also NIC drivers may be interference with the switch.

Some switches or also routers also have a spoofing sensor, (as I descibed for ISA, but mainly on later versions). These sensors are triggered, whenever SYN or ACK TCP/ IP packets are not routed the same way as the original packets. If a devices gets a lot of these packages, they may slow down the line (to avoid a overflow) and later a temporary blocking of that port.  Check if any kinf of Spoofing, DNS attack or whatever filters are enabled (all switches between ISA and router, but maybe also between client and ISA). You can temporarly disable them and enable them again onne after each other (to find out, if this is the issue or not). You may also check, if ISA has a connection, if the cleints are dropped.

Decreasing performance with a final drop out may also related to any kind of logs or counters, which may collect data together. ISA logs / monitoring as I said, but also other devices may log something.

You may use ISA monitoring to see, if there are a larger amount of unusual packets which are dropped, esp. SYN and ACK packages. They should never be blocked as long it is not a real attack. Sporadic blocks may point to a misconfiguration of routing, and this may trigger a spoofing filter.



0
 
LVL 35

Expert Comment

by:Bembi
ID: 24501093
Oh, Gigabit may also point to cabling issues.
0
 

Author Comment

by:trono
ID: 25028986
Still trying to narrow this one down but all your help has been appreciated.
0
 

Author Closing Comment

by:trono
ID: 31578294
Still having issues but have some good suggestions to work with.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I annotated my article on ransomware somewhat extensively, but I keep adding new references and wanted to put a link to the reference library.  Despite all the reference tools I have on hand, it was not easy to find a way to do this easily. I finall…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
This Micro Tutorial will demonstrate how to add subdomains to your content reports. This can be very importing in having a site with multiple subdomains.
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question