Solved

Sonicwall tNetTask at 100% - DMZ file copy causes slowness

Posted on 2010-09-13
20
4,935 Views
Last Modified: 2012-05-10
Our leading-edge firewall is a Sonicwall 2040 Pro VPN Firewall appliance. We have a server in the DMZ from which we occasionally need to copy files to/from the LAN. When the copy job starts, the CPU jumps to 100% and all DMZ activity grinds to a halt until the copy job completes. This happens even for small files. Copying those same files to other servers in the DMZ has no negative effects.

In watching the Sonicwall's process monitor, I can see that the "tNetTask" process is at 100% when the CPU is maxed out. Our zone settings are already set to auto-negotiate link speed.

Help!
0
Comment
Question by:okacs
20 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33667773
Do you have any of the security services scanning anything DMZ > LAN and vice versa?
0
 

Author Comment

by:okacs
ID: 33672164

I disabled the Gateway AV, CAV enforcement, and IPS on the DMZ and LAN zones.  Then I re-tested.  The problem remains.

Thanks.

0
 

Author Comment

by:okacs
ID: 33672201
On another note, copying "file A" (75,396kb) from the DMZ to the LAN takes about 5 minutes. Copying it from LAN to LAN takes 10 seconds.
0

Author Comment

by:okacs
ID: 33672452
Have also tried FTP from DMZ to LAN instead of file copy.  Same problem.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33673352
I don't have my computer with me, so I can't confirm... Go to the DMZ interface and edit it. Then go to the second tab: is there a place to modify the MTU of the DMZ? I've seen where modifying the MTU of the WAN interface resolved the issue you are having... I wrote an article on how to modify the MTU of the WAN interface on a Sonicwall and how to calculate the MTU.
0
 

Author Comment

by:okacs
ID: 33673786
No, that option only exists on the Advanced tab of the WAN port (interface X1). There is no such option on the other interfaces, including LAN or DMZ. IIRC, this is because MTU settings are used to tweak "long-wire" communications back to your ISP, etc.
0
 

Author Comment

by:okacs
ID: 33673859
I tried adding a route to and from the LAN-DMZ with lower metric and higher priority. Didn't help.
0
 

Author Comment

by:okacs
ID: 33677270
In my DMZ I have 2 servers. They plug into a small 8-port 10/100 hub which in turn plugs into the DMZ zone port (X2) on my Sonicwall. I thought that maybe the hub was the issue, so I replaced it *. The problem persists.

* I replaced it with a small Sonicwall TZ170, plugging everything into the LAN side so that the WAN port is not even used, in order to simulate a hub with a greater backplane. There was a performance improvement, but it was negligible. (CPU is now at 95-98% instead of 100% during the file copy.)

HELP!

Thanks.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33678850
Plug one of your servers directly into the DMZ port of your 2040 and set the port to static speed/duplex. You might have to choose different combinations: 100/full, 10/full, 100/half, etc. Report back the results.
0
 

Author Comment

by:okacs
ID: 33685678
OK, I plugged server A in the DMZ directly into the DMZ port (X2) on the Sonicwall and did more testing. No change. The CPU still pegs out and the transfer rate is still abysmally slow.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33685716
So, changing the speed/duplex did nothing?
0
 

Author Comment

by:okacs
ID: 33691614
No, changing the duplex/speed does not help.

Copying files directly from Server A in the DMZ to Server B in the DMZ is fast and does not max out the Sonicwall CPU.
Copying files indirectly from Server A in the DMZ to Server B in the DMZ via a PC in the LAN zone is slow and maxes out the Sonicwall CPU.

The problem only occurs when data passes through the DMZ port on the Sonicwall.
0
 

Author Comment

by:okacs
ID: 33691700
OK, in reviewing everything again this AM, I noticed that the IPS didn't get turned off on the DMZ zone. I unselected it again and tested. Copying was fast and CPU never rose above 50%. Problem found.

However, now we have a real problem... because IPS is necessary on this segment.

So I re-enabled IPS and added an exclusion range for the IPs that would be doing the copy job, but that didn't help.

Ideas?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33691925
Why do you need IPS on the DMZ? You know the hosts there and trust them, right? You'd only be concerned if someone hacked your server on the DMZ. You can set up a firewall access rule that only allows those two IP addresses through to the LAN and disable IPS.
0
 

Author Comment

by:okacs
ID: 33691970
Yes, we already have such a rule limiting access by IP and port/service. However, our security policy requires that an IPS be enabled on the zone where those web servers are. I would use a separate IPS product/box, but there is no budget.
0
 

Author Comment

by:okacs
ID: 33692002

I found this workaround to fix slow email issues:
http://support.appriver.com/KB/a66/sonic-wall-ips-service-blocking-mail-stream.aspx

I'm wondering if there is some similar fix for file-share / file-copying. I haven't found it yet....
0
 

Author Comment

by:okacs
ID: 33692252
Bah, I had a typo in the IP exclusion.  Configured properly, it now works fine.

Thanks!
0
 

Author Closing Comment

by:okacs
ID: 33692274
The problem was the IPS (Intrusion Prevention Service) on the DMZ zone. I had to leave it enabled, so I added an exclusion list for the IPs that would routinely be doing file copying from the DMZ.
0
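The closing comment above credits the fix to a correctly entered IPS exclusion list; earlier in the thread a typo in one entry silently left a host unexcluded and the CPU spike persisted. As an added example (not from this thread and not SonicWall's own exclusion format), a Python check that parses a list of exclusion entries under an assumed syntax (single IP, CIDR block, or start-end range), reports malformed entries, and lists which copy-job hosts would still fall outside the exclusions. Entry syntax, addresses and hosts are all constructed.

```python
import ipaddress

# Constructed sample exclusion list (hypothetical syntax, not SonicWall's):
# each entry is a single IP, a CIDR block, or a "start-end" range.
EXCLUSIONS = [
    "192.168.10.25",         # constructed: DMZ file server
    "10.0.0.50-10.0.0.60",   # constructed: LAN hosts that run the copy job
    "10.0.0.7O",             # constructed typo: letter O instead of zero
]

# Constructed: both ends of each copy flow must be excluded, per the thread.
COPY_JOB_HOSTS = ["192.168.10.25", "10.0.0.55", "10.0.0.70"]


def parse_entry(entry):
    """Return the list of networks an entry covers, or None if malformed."""
    try:
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip())
                          for p in entry.split("-", 1))
            if end < start:  # reversed range covers nothing
                return None
            return list(ipaddress.summarize_address_range(start, end))
        return [ipaddress.ip_network(entry.strip(), strict=False)]
    except ValueError:  # typos such as "10.0.0.7O" land here
        return None


def check_exclusions(entries, hosts):
    """Return (malformed_entries, hosts_not_covered_by_any_entry)."""
    malformed, nets = [], []
    for entry in entries:
        parsed = parse_entry(entry)
        if parsed is None:
            malformed.append(entry)
        else:
            nets.extend(parsed)
    uncovered = [h for h in hosts
                 if not any(ipaddress.ip_address(h) in n for n in nets)]
    return malformed, uncovered


if __name__ == "__main__":
    bad, missing = check_exclusions(EXCLUSIONS, COPY_JOB_HOSTS)
    print("malformed entries:", bad)
    print("hosts still subject to IPS:", missing)
```

Run it against the real exclusion list before re-testing a copy job: an empty second list means every endpoint of the flow is actually excluded, so a remaining CPU spike points somewhere other than IPS.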
 
LVL 33

Expert Comment

by:digitap
ID: 33692281
I understand policy.  OK, so you created a policy for both the LAN IP and the DMZ IP in the exclusion list?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33692299
Sorry... I see your post here now, http:#a33692252. Disregard my post here, http:#a33692281. Thanks for the points and glad you got it working!
0
