Sonicwall tNetTask at 100% DMZ file copy causes slowness

Our leading edge firewall is a Sonicwall 2040 pro VPN Firewall appliance. We have a server in the DMZ from which we occasionally need to copy files to/from the LAN. When the copy job starts, the CPU jumps to 100% and all DMZ activity grinds to a halt until the copy job completes. This happens even for small files. Copying those same files to other servers in the DMZ has no negative effects.

In watching the Sonicwall's process monitor, I can see that the "tNetTask" process is at 100% when the CPU is maxed out. Our zone settings are already set to Auto negotiate link speed.

Help!
Asked by: okacs
digitap Commented:
Do you have any of the security services scanning anything DMZ > LAN and vice versa?
 
okacs (Author) Commented:

I disabled the Gateway AV, CAV enforcement, and IPS on the DMZ and LAN zones. Then I re-tested. The problem remains.

Thanks.
 
okacs (Author) Commented:
On another note, copying "file A" (75,396kb) from the DMZ to the LAN takes about 5 minutes. Copying it from LAN to LAN takes 10 seconds.

 
okacs (Author) Commented:
Have also tried FTP from DMZ to LAN instead of file copy. Same problem.
 
digitap Commented:
I don't have my computer with me so can't confirm... Go to the DMZ interface and edit it. Then, go to the second tab; is there a place to modify the MTU of the DMZ? I've seen where modifying the MTU of the WAN interface resolved the issue you are having... I wrote an article on how to modify the MTU of the WAN interface on a Sonicwall and how to calculate the MTU.
 
okacs (Author) Commented:
No, that option only exists on the Advanced tab of the WAN port (interface X1). There is no such option on the other interfaces, including LAN or DMZ. IIRC - This is because MTU settings are used to tweak "long-wire" communications back to your ISP, etc.
 
okacs (Author) Commented:
I tried adding a route to and from the LAN-DMZ with lower metric and higher priority. Didn't help.
 
okacs (Author) Commented:
In my DMZ I have 2 servers. They plug into a small 8 port 10/100 hub which in turn plugs into the DMZ zone port (x2) on my Sonicwall. I thought that maybe the hub was the issue, so I replaced it *. The problem persists.

* I replaced it with a small Sonicwall Tz170, plugging everything in to the LAN side so that the WAN port is not even used - in order to simulate a hub with a greater backplane. There was performance improvement, but it was negligible. (CPU is now at 95-98% instead of 100% during the file copy)

HELP!

Thanks.
 
digitap Commented:
Plug one of your servers directly into the DMZ port of your 2040...set the port to static speed/duplex. You might have to choose different combinations: 100/full, 10/full, 100/half, etc. Report back the results.
 
okacs (Author) Commented:
Ok, I plugged server A in the DMZ directly into the DMZ port (x2) on the Sonicwall and did more testing. No change. The CPU still pegs out and the transfer rate is still abysmally slow.
 
digitap Commented:
So, changing the speed/duplex did nothing?
 
okacs (Author) Commented:
No, changing the duplex / speed does not help.

Copying files directly from Server A in the DMZ to Server B in the DMZ is fast and does not max out the Sonicwall CPU.
Copying files indirectly from Server A in the DMZ to Server B in the DMZ via a PC in the LAN zone is slow and maxes out the Sonicwall CPU.

The problem only occurs when data passes through the DMZ port on the Sonicwall.
 
okacs (Author) Commented:
Ok, in reviewing everything again this AM, I noticed that the IPS didn't get turned off on the DMZ zone. I unselected it again, and tested. Copying was fast and CPU never rose above 50%. Problem found.

However, now we have a real problem... because IPS is necessary on this segment.

So I re-enabled IPS and I added an exclusion range for the IPs that would be doing the copy job, but that didn't help.

Ideas?
 
digitap Commented:
Why do you need IPS on the DMZ? You know the hosts there and trust them, right? You'd only be concerned if someone hacked your server on the DMZ. You can set up a firewall access rule that only allows those two IP addresses through to the LAN and disable IPS.
 
okacs (Author) Commented:
Yes, we already have such a rule limiting access by IP and port/service. However, our security policy requires an IPS be enabled on the zone where those web servers are. I would use a separate IPS product / box but there is no budget.
 
okacs (Author) Commented:

I found this workaround to fix slow email issues.
http://support.appriver.com/KB/a66/sonic-wall-ips-service-blocking-mail-stream.aspx

I'm wondering if there is some similar fix for file-share / file-copying. I haven't found it yet....
 
okacs (Author) Commented:
Bah, I had a typo in the IP exclusion. Configured properly, it now works fine.

Thanks!
 
okacs (Author) Commented:
The problem was the IPS (Intrusion Prevention Service) on the DMZ zone. I had to leave it enabled, so I added an exclusion list for the IPs that would routinely be doing file copying from the DMZ.
 
digitap Commented:
I understand policy. OK, so you created a policy for both the LAN IP and the DMZ IP in the exclusion list?
 
digitap Commented:
Sorry...I see your post here now, http:#a33692252. Disregard my post here, http:#a33692281. Thanks for the points and glad you got it working!
Question has a verified solution.
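
Added example (not part of the original thread): the fix above hinged on a typo in the IPS exclusion entry, so this Python check confirms that the hosts doing the copy are actually covered by the configured exclusions and flags entries wider than intended. The "start-end" entry format, all addresses and the `max_span` threshold are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: a DMZ server and a LAN PC that perform the copy job.
COPY_HOSTS = ["192.168.20.10", "10.1.1.25"]
# Constructed exclusion entries: one set with typos, one corrected.
ENTRIES_TYPO = ["192.168.20.10-192.168.20.1", "10.1.1.52"]
ENTRIES_FIXED = ["192.168.20.10-192.168.20.11", "10.1.1.25"]

def parse_range(entry):
    """Parse 'start-end' (or a single address) into two IPv4Address objects."""
    start_s, sep, end_s = entry.partition("-")
    start = ipaddress.IPv4Address(start_s.strip())
    end = ipaddress.IPv4Address(end_s.strip()) if sep else start
    if end < start:
        raise ValueError(f"range end {end} is below start {start}")
    return start, end

def audit_exclusions(entries, copy_hosts, max_span=8):
    """Report invalid entries, over-wide entries and hosts left uncovered."""
    report = {"invalid": [], "too_wide": [], "uncovered": []}
    ranges = []
    for entry in entries:
        try:
            start, end = parse_range(entry)
        except ValueError as exc:  # AddressValueError is a ValueError subclass
            report["invalid"].append((entry, str(exc)))
            continue
        ranges.append((start, end))
        # IPS stays on for the zone, so keep each exclusion as narrow as possible.
        if int(end) - int(start) + 1 > max_span:
            report["too_wide"].append(entry)
    for host in copy_hosts:
        addr = ipaddress.IPv4Address(host)
        if not any(start <= addr <= end for start, end in ranges):
            report["uncovered"].append(host)
    return report

if __name__ == "__main__":
    for label, entries in (("typo", ENTRIES_TYPO), ("fixed", ENTRIES_FIXED)):
        print(label, audit_exclusions(entries, COPY_HOSTS))
```

An entry that parses cleanly can still miss the intended host (here `10.1.1.52` instead of `10.1.1.25`), which is why the check compares against the list of copy hosts rather than only validating syntax.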