Internet times out periodically

Hi all,
We are having problems with our internet becoming very slow to the point where pages time out. This happens 3 or 4 times a day seemingly at random times. When not going through the ISA 2004 firewall/proxy this issue does not seem to occur.

What is the best way to try and resolve this? Is there any monitoring software that I can run that will monitor throughout the day and show me more information about these timeouts?
Who is Participating?
BembiConnect With a Mentor CEOCommented:
If the NIC connection is dropped, you should see event messages in the event log.
If the switch has problems with the NIC, you can see this only on the switch log if it is not a SOHO switch. Switches have a lot of functionality which may be in interference with ISA. Such functions are Spanning Tree, Jumbo Frame, QoS or any other kind of load control. You may try to disable such things on the ISA port. Also NIC drivers may be interference with the switch.

Some switches or also routers also have a spoofing sensor, (as I descibed for ISA, but mainly on later versions). These sensors are triggered, whenever SYN or ACK TCP/ IP packets are not routed the same way as the original packets. If a devices gets a lot of these packages, they may slow down the line (to avoid a overflow) and later a temporary blocking of that port.  Check if any kinf of Spoofing, DNS attack or whatever filters are enabled (all switches between ISA and router, but maybe also between client and ISA). You can temporarly disable them and enable them again onne after each other (to find out, if this is the issue or not). You may also check, if ISA has a connection, if the cleints are dropped.

Decreasing performance with a final drop out may also related to any kind of logs or counters, which may collect data together. ISA logs / monitoring as I said, but also other devices may log something.

You may use ISA monitoring to see, if there are a larger amount of unusual packets which are dropped, esp. SYN and ACK packages. They should never be blocked as long it is not a real attack. Sporadic blocks may point to a misconfiguration of routing, and this may trigger a spoofing filter.

Raj-GTSystems EngineerCommented:
1. Do you have all the updates installed on your ISA Server?
2. Do you see any errors on the Event Logs?
Check first the following:
To check, if ISA or the router or the line has a problem, you should try with one single client to bypass ISA. If you experience normal speed with the bypassing clients and slow performance with clients over ISA, the issue maybe ISA related.

If you assume your router, just try to reboot your router so see, if this solves it. Some routers do only allow a number of simultanous connections and esp. file sharing programs like bittorrent may kill them.

For ISA, there may be the following reaons:
- If log files are enabled, they can raise from several MBs up to GBs. You should make sure, that so virus scanners are scanning them, as they take longer and longer as the log files are growing over the day.
- Check your RAM usage, if this can be an issue
- Temporarily disable the web cache
- Check the settings for Flood-Mitigation. It may be an oiption the build up a computerset with internal IP ranges and raise the values for these clients.

Some programs may open a lot of simulanous connections and this may be interpreted as a flood attack. If ISA detects a flood or spoofing attack, it may block temproraily some clients.

Also check, how many connection requests are denied on the external interface. This may also a reason for ISA to slow down.
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

tronoAuthor Commented:
Thanks for the suggestions so far. It has been determined that when bypassing ISA the issue does not it looks like it's definetly something to do with the ISA server or where it's connected.

- The ISA server is kept upto date via WSUS
- Unfortunatley no errors in the event log
- Don't think it's the log files as they have not changed in size compared to in the past
- The RAM is a little less than would be ideal but no more RAM is used when the issue occurs
- Not sure about disabling the cache as it says all the settings will be removed.
- We have ISA 2004 so I don't think the flood mitigation feature is available

Raj-GTSystems EngineerCommented:
I would still suggest a manual update check using Microsoft Update to confirm patch status. Do you see any alerts logged in ISA alerts tab?
- OK
1.) Usually, ISA is setup either to log in W3C Format databases (IIS Format) or to log to a SQL server instance. If you are unsure, check, whether you have a SQL server instance installed or if you find *.mdf / *.ldf files on your server.
If you log to files, the files have a format like ISALOG_xxxx.yyy somewhere.

SQL Server databases as well as the log files should not be scanned by virus scanner.

The files should grow on every access, as long as not disabled.

2.) RAM is an issue, as long as the physical RAM is completely used, means the server starts swapping into the swapfile ( pagefile.sys). This file should also excluded from virus scanners.

3.) If the cache is enabled, you should find an urlcache directory with a file named dir1.cdat on your system. Also this file should be excluded from virus scanning. If you use caching, you should select an amount of disk space, which corresponds to your usage. I use normally not more than 200 MB.

4.) Make sure, that you disable the monitoring, if you have used it. The monitoring should not run in the background. This is only for analysis purposes.

5.) As I remember, ISA 2004 supports also connection verifiers. These can be usefull to generate alerts if the external connection fails.  But they also produces some traffic, use them with rarely.

6.) try to find out, if you can observe any other kind of load on the server if you experience this issue. You have also a performance counter on the ISA start page, you can enable. Otherwise you can also use the windows performance counters to make a longer observation about a few load parameters.

7.) free disk space (should never rund under 100 MB free space)
Yea, and following Ray-GT, there is an update for a ISA-NAT problem. This is usually applied by WSUS, but check your WSUS as well as your ISA, if this is really applied (and accepeted in WSUS).

Look for
- UDP Update for ISA (MS08-037 Nov. 2008)
- Security Update ISA (KB 960995 Apr. 2009)
tronoAuthor Commented:
thanks i had missed the latest update for ISA released on April is good to have but unfortunatley has not resolved the issue. At this stage is looks like it is a problem with one of our switches...not sure why as yet but when we connect the ISA server and clients into a 10/100 switch instead of the usual gigagyte switch the issue seems to disappear. Still at a bit of a loss as to why & how to resolve this issue but seems like we are getting closer to confirming that the problem is an issue with the ISA server & or cisco routers connection with the gigabyte switch.
Raj-GTConnect With a Mentor Systems EngineerCommented:
Make sure you have the speed and duplex settings for the interfaces configured manually at both ends. I've had similar issues with Cisco routers and ISA before, which was fixed by manually configuring the interface parameters.
Rah-GT is right, this is a good idea....
tronoAuthor Commented:
Have finally tested all you suggestions. i.e turned off caching, checked for duplex errors but unfortunatley there are still intermittent timeouts.

I have been able to confirm that it is only internet traffic that goes via ISA that is effected...when bypassing the proxy these intermittent timeouts do not seem to occur.

Haven't used it before but wondering if we might be able to narrow this down by using a product such as ethereal? Any assistance with where to go from here would be appreciated.
Raj-GTSystems EngineerCommented:
You mentioned that the issue only occurs if you are connected to a gigabit switch. Did you manage to rule out any errors on the switch side? I would also recommend a NIC driver update.

Do you see any alerts logged by ISA under the monitoring tab at all during or just before the timeout issues?
Oh, Gigabit may also point to cabling issues.
tronoAuthor Commented:
Still trying to narrow this one down but all your help has been appreciated.
tronoAuthor Commented:
Still having issues but have some good suggestions to work with.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.