Solved

Internet times out periodically

Posted on 2009-05-05
15
384 Views
Last Modified: 2013-12-08
Hi all,
We are having problems with our internet becoming very slow to the point where pages time out. This happens 3 or 4 times a day seemingly at random times. When not going through the ISA 2004 firewall/proxy this issue does not seem to occur.

What is the best way to try and resolve this? Is there any monitoring software that I can run that will monitor throughout the day and show me more information about these timeouts?
0
Comment
Question by:trono
  • 6
  • 5
  • 4
15 Comments
 
LVL 14

Expert Comment

by:Raj-GT
Comment Utility
1. Do you have all the updates installed on your ISA Server?
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734854.aspx
2. Do you see any errors on the Event Logs?
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Check first the following:
To check, if ISA or the router or the line has a problem, you should try with one single client to bypass ISA. If you experience normal speed with the bypassing clients and slow performance with clients over ISA, the issue maybe ISA related.

If you assume your router, just try to reboot your router so see, if this solves it. Some routers do only allow a number of simultanous connections and esp. file sharing programs like bittorrent may kill them.

For ISA, there may be the following reaons:
- If log files are enabled, they can raise from several MBs up to GBs. You should make sure, that so virus scanners are scanning them, as they take longer and longer as the log files are growing over the day.
- Check your RAM usage, if this can be an issue
- Temporarily disable the web cache
- Check the settings for Flood-Mitigation. It may be an oiption the build up a computerset with internal IP ranges and raise the values for these clients.

Some programs may open a lot of simulanous connections and this may be interpreted as a flood attack. If ISA detects a flood or spoofing attack, it may block temproraily some clients.

Also check, how many connection requests are denied on the external interface. This may also a reason for ISA to slow down.
0
 

Author Comment

by:trono
Comment Utility
Thanks for the suggestions so far. It has been determined that when bypassing ISA the issue does not occur...so it looks like it's definetly something to do with the ISA server or where it's connected.

- The ISA server is kept upto date via WSUS
- Unfortunatley no errors in the event log
- Don't think it's the log files as they have not changed in size compared to in the past
- The RAM is a little less than would be ideal but no more RAM is used when the issue occurs
- Not sure about disabling the cache as it says all the settings will be removed.
- We have ISA 2004 so I don't think the flood mitigation feature is available

0
 
LVL 14

Expert Comment

by:Raj-GT
Comment Utility
I would still suggest a manual update check using Microsoft Update to confirm patch status. Do you see any alerts logged in ISA alerts tab?
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
- OK
1.) Usually, ISA is setup either to log in W3C Format databases (IIS Format) or to log to a SQL server instance. If you are unsure, check, whether you have a SQL server instance installed or if you find *.mdf / *.ldf files on your server.
If you log to files, the files have a format like ISALOG_xxxx.yyy somewhere.

SQL Server databases as well as the log files should not be scanned by virus scanner.

The files should grow on every access, as long as not disabled.

2.) RAM is an issue, as long as the physical RAM is completely used, means the server starts swapping into the swapfile ( pagefile.sys). This file should also excluded from virus scanners.

3.) If the cache is enabled, you should find an urlcache directory with a file named dir1.cdat on your system. Also this file should be excluded from virus scanning. If you use caching, you should select an amount of disk space, which corresponds to your usage. I use normally not more than 200 MB.

4.) Make sure, that you disable the monitoring, if you have used it. The monitoring should not run in the background. This is only for analysis purposes.

5.) As I remember, ISA 2004 supports also connection verifiers. These can be usefull to generate alerts if the external connection fails.  But they also produces some traffic, use them with rarely.

6.) try to find out, if you can observe any other kind of load on the server if you experience this issue. You have also a performance counter on the ISA start page, you can enable. Otherwise you can also use the windows performance counters to make a longer observation about a few load parameters.

7.) free disk space (should never rund under 100 MB free space)
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Yea, and following Ray-GT, there is an update for a ISA-NAT problem. This is usually applied by WSUS, but check your WSUS as well as your ISA, if this is really applied (and accepeted in WSUS).

Look for
- ISA SP3
- UDP Update for ISA (MS08-037 Nov. 2008)
- Security Update ISA (KB 960995 Apr. 2009)
0
 

Author Comment

by:trono
Comment Utility
thanks i had missed the latest update for ISA released on April 2009...it is good to have but unfortunatley has not resolved the issue. At this stage is looks like it is a problem with one of our switches...not sure why as yet but when we connect the ISA server and clients into a 10/100 switch instead of the usual gigagyte switch the issue seems to disappear. Still at a bit of a loss as to why & how to resolve this issue but seems like we are getting closer to confirming that the problem is an issue with the ISA server & or cisco routers connection with the gigabyte switch.
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 
LVL 14

Assisted Solution

by:Raj-GT
Raj-GT earned 150 total points
Comment Utility
Make sure you have the speed and duplex settings for the interfaces configured manually at both ends. I've had similar issues with Cisco routers and ISA before, which was fixed by manually configuring the interface parameters.
0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Rah-GT is right, this is a good idea....
0
 

Author Comment

by:trono
Comment Utility
Have finally tested all you suggestions. i.e turned off caching, checked for duplex errors but unfortunatley there are still intermittent timeouts.

I have been able to confirm that it is only internet traffic that goes via ISA that is effected...when bypassing the proxy these intermittent timeouts do not seem to occur.

Haven't used it before but wondering if we might be able to narrow this down by using a product such as ethereal? Any assistance with where to go from here would be appreciated.
0
 
LVL 14

Expert Comment

by:Raj-GT
Comment Utility
You mentioned that the issue only occurs if you are connected to a gigabit switch. Did you manage to rule out any errors on the switch side? I would also recommend a NIC driver update.

Do you see any alerts logged by ISA under the monitoring tab at all during or just before the timeout issues?
0
 
LVL 35

Accepted Solution

by:
Bembi earned 350 total points
Comment Utility
If the NIC connection is dropped, you should see event messages in the event log.
If the switch has problems with the NIC, you can see this only on the switch log if it is not a SOHO switch. Switches have a lot of functionality which may be in interference with ISA. Such functions are Spanning Tree, Jumbo Frame, QoS or any other kind of load control. You may try to disable such things on the ISA port. Also NIC drivers may be interference with the switch.

Some switches or also routers also have a spoofing sensor, (as I descibed for ISA, but mainly on later versions). These sensors are triggered, whenever SYN or ACK TCP/ IP packets are not routed the same way as the original packets. If a devices gets a lot of these packages, they may slow down the line (to avoid a overflow) and later a temporary blocking of that port.  Check if any kinf of Spoofing, DNS attack or whatever filters are enabled (all switches between ISA and router, but maybe also between client and ISA). You can temporarly disable them and enable them again onne after each other (to find out, if this is the issue or not). You may also check, if ISA has a connection, if the cleints are dropped.

Decreasing performance with a final drop out may also related to any kind of logs or counters, which may collect data together. ISA logs / monitoring as I said, but also other devices may log something.

You may use ISA monitoring to see, if there are a larger amount of unusual packets which are dropped, esp. SYN and ACK packages. They should never be blocked as long it is not a real attack. Sporadic blocks may point to a misconfiguration of routing, and this may trigger a spoofing filter.



0
 
LVL 35

Expert Comment

by:Bembi
Comment Utility
Oh, Gigabit may also point to cabling issues.
0
 

Author Comment

by:trono
Comment Utility
Still trying to narrow this one down but all your help has been appreciated.
0
 

Author Closing Comment

by:trono
Comment Utility
Still having issues but have some good suggestions to work with.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
#Citrix #Internet Explorer #Enterprise Mode #IE 11 #IE 8
Google currently has a new report that is in beta and coming soon to Webmaster Tool accounts. This Micro Tutorial will highlight new features for Google Webmaster Tools.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now