Solved

Sonicwall tNetTask at 100% - DMZ file copy causes slowness

Posted on 2010-09-13
Last Modified: 2012-05-10
Our leading edge firewall is a Sonicwall 2040 pro VPN Firewall appliance. We have a server in the DMZ from which we occasionally need to copy files to/from the LAN. When the copy job starts, the CPU jumps to 100% and all DMZ activity grinds to a halt until the copy job completes. This happens even for small files. Copying those same files to other servers in the DMZ has no negative effects.

In watching the Sonicwall's process monitor, I can see that the "tNetTask" process is at 100% when the CPU is maxed out. Our zone settings are already set to auto-negotiate link speed.

Help!
Question by:okacs
20 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33667773
Do you have any of the security services scanning anything DMZ > LAN and vice versa?
0
 

Author Comment

by:okacs
ID: 33672164

I disabled the Gateway AV, CAV enforcement, and IPS on the DMZ and LAN zones.  Then I re-tested.  The problem remains.

Thanks.

0
 

Author Comment

by:okacs
ID: 33672201
On another note, copying "file A" (75,396kb) from the DMZ to the LAN takes about 5 minutes. Copying it from LAN to LAN takes 10 seconds.
0
 

Author Comment

by:okacs
ID: 33672452
Have also tried FTP from DMZ to LAN instead of file copy.  Same problem.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33673352
I don't have my computer with me so can't confirm... Go to the DMZ interface and edit it. Then, go to the second tab; is there a place to modify the MTU of the DMZ? I've seen where modifying the MTU of the WAN interface resolved the issue you are having... I wrote an article on how to modify the MTU of the WAN interface on a Sonicwall and how to calculate the MTU.
0
 

Author Comment

by:okacs
ID: 33673786
No, that option only exists on the Advanced tab of the WAN port (interface X1).  There is no such option on the other interfaces, including LAN or DMZ.  IIRC - This is because MTU settings are used to tweak "long-wire" communications back to your ISP, etc.
0
 

Author Comment

by:okacs
ID: 33673859
I tried adding a route to and from the LAN-DMZ with lower metric and higher priority. Didn't help.
0
 

Author Comment

by:okacs
ID: 33677270
In my DMZ I have 2 servers.  They plug into a small 8 port 10/100 hub which in turn plugs into the DMZ zone port (x2) on my Sonicwall.  I thought that maybe the hub was the issue, so I replaced it *.  The problem persists.

* I replaced it with a small Sonicwall Tz170, plugging everything in to the LAN side so that the WAN port is not even used - in order to simulate a hub with a greater backplane. There was performance improvement, but it was negligible. (CPU is now at 95-98% instead of 100% during the file copy)

HELP!

Thanks.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33678850
Plug one of your servers directly into the DMZ port of your 2040...set the port to static speed/duplex.  You might have to choose different combinations: 100/full, 10/full, 100/half, etc.  Report back the results.
0
 

Author Comment

by:okacs
ID: 33685678
Ok, I plugged server A in the DMZ directly into the DMZ port (x2) on the Sonicwall and did more testing. No change. The CPU still pegs out and the transfer rate is still abysmally slow.
0

 
LVL 33

Expert Comment

by:digitap
ID: 33685716
So, changing the speed/duplex did nothing?
0
 

Author Comment

by:okacs
ID: 33691614
No, changing the duplex / speed does not help.

Copying files directly from Server A in the DMZ to Server B in the DMZ is fast and does not max out the Sonicwall CPU.
Copying files indirectly from Server A in the DMZ to Server B in the DMZ via a PC in the LAN zone is slow and maxes out the Sonicwall CPU.

The problem only occurs when data passes through the DMZ port on the Sonicwall.
0
 

Author Comment

by:okacs
ID: 33691700
Ok, in reviewing everything again this AM, I noticed that the IPS didn't get turned off on the DMZ zone. I unselected it again, and tested. Copying was fast and CPU never rose above 50%. Problem found.

However, now we have a real problem...  because IPS is necessary on this segment.  

So I re-enabled IPS and I added an exclusion range for the IPs that would be doing the copy job, but that didn't help.

Ideas?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33691925
Why do you need IPS on the DMZ? You know the hosts there and trust them, right? You'd only be concerned if someone hacked your server on the DMZ. You can set up a firewall access rule that only allows those two IP addresses through to the LAN and disable IPS.
0
 

Author Comment

by:okacs
ID: 33691970
Yes, we already have such a rule limiting access by IP and port/service.  However, our security policy requires an IPS be enabled on the zone where those web servers are.  I would use a separate IPS product / box but there is no budget.
0
 

Author Comment

by:okacs
ID: 33692002

I found this workaround to fix slow email issues.  
http://support.appriver.com/KB/a66/sonic-wall-ips-service-blocking-mail-stream.aspx

I'm wondering if there is some similar fix for file-share / file-copying.  I haven't found it yet....
0
 

Author Comment

by:okacs
ID: 33692252
Bah, I had a typo in the IP exclusion.  Configured properly, it now works fine.

Thanks!
0
 

Author Closing Comment

by:okacs
ID: 33692274
The problem was the IPS (Intrusion Prevention Service) on the DMZ zone. I had to leave it enabled, so I added an exclusion list for the IPs that would routinely be doing file copying from the DMZ.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33692281
I understand policy.  OK, so you created a policy for both the LAN IP and the DMZ IP in the exclusion list?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33692299
Sorry... I see your post here now, http:#a33692252. Disregard my post here, http:#a33692281. Thanks for the points and glad you got it working!
0
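The fix in this thread depended on an IPS exclusion entry that was first mistyped and so matched nothing. The following is an added example, not part of the original thread and not SonicWall code: an offline check that every copy host is covered by an exclusion entry and that no entry is broader than intended. The `start-end` entry format, the function names, the `max_span` threshold and all addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_range(entry):
    """Parse 'start-end' or a single address into (first, last)."""
    start, _, end = entry.partition("-")
    first = ipaddress.IPv4Address(start.strip())
    last = ipaddress.IPv4Address(end.strip()) if end.strip() else first
    if last < first:
        raise ValueError("range end precedes range start")
    return first, last

def audit_exclusions(entries, copy_hosts, max_span=8):
    """Return (errors, uncovered_hosts, broad_entries).

    errors        - entries that do not parse (bad octet, reversed range)
    uncovered     - copy hosts that no valid entry matches (IPS still scans them)
    broad_entries - valid entries exempting more than max_span addresses
    """
    ranges, errors, broad = [], [], []
    for entry in entries:
        try:
            first, last = parse_range(entry)
        except ValueError as exc:  # AddressValueError is a ValueError subclass
            errors.append((entry, str(exc)))
            continue
        ranges.append((first, last))
        if int(last) - int(first) + 1 > max_span:
            broad.append(entry)
    uncovered = [
        host for host in copy_hosts
        if not any(lo <= ipaddress.IPv4Address(host) <= hi for lo, hi in ranges)
    ]
    return errors, uncovered, broad

# Constructed sample data: one LAN host and one DMZ host doing the copy job.
COPY_HOSTS = ["192.168.10.15", "172.16.1.20"]
TYPO_LIST = ["192.168.10.15", "172.16.1.210"]             # transposed last octet
BROKEN_LIST = ["172.16.1.256", "10.0.0.9-10.0.0.1"]       # bad octet, reversed range
BROAD_LIST = ["192.168.10.15", "172.16.1.0-172.16.1.255"]  # exempts the whole /24
FIXED_LIST = ["192.168.10.15", "172.16.1.20"]

if __name__ == "__main__":
    for name, entries in [("typo", TYPO_LIST), ("broken", BROKEN_LIST),
                          ("broad", BROAD_LIST), ("fixed", FIXED_LIST)]:
        print(name, audit_exclusions(entries, COPY_HOSTS))
```

A typo can fail in either direction: an entry that misses the host leaves the slowdown in place, while one that is too wide removes IPS inspection from hosts the policy still requires it on.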
