Solved

Sonicwall tNetTask at 100% - DMZ file copy causes slowness

Posted on 2010-09-13
4,791 Views
Last Modified: 2012-05-10
Our leading edge firewall is a Sonicwall 2040 Pro VPN firewall appliance. We have a server in the DMZ from which we occasionally need to copy files to/from the LAN. When the copy job starts, the CPU jumps to 100% and all DMZ activity grinds to a halt until the copy job completes. This happens even for small files. Copying those same files to other servers in the DMZ has no negative effects.

In watching the Sonicwall's process monitor, I can see that the "tNetTask" process is at 100% when the CPU is maxed out. Our zone settings are already set to auto-negotiate link speed.

Help!
Question by: okacs

20 Comments
 
Accepted Solution by: digitap (LVL 33), earned 500 total points
Do you have any of the security services scanning anything DMZ > LAN and vice versa?

Author Comment by: okacs

I disabled the Gateway AV, CAV enforcement, and IPS on the DMZ and LAN zones.  Then I re-tested.  The problem remains.

Thanks.


Author Comment by: okacs
On another note, copying "file A" (75,396 KB) from the DMZ to the LAN takes about 5 minutes. Copying it from LAN to LAN takes 10 seconds.

Author Comment by: okacs
Have also tried FTP from DMZ to LAN instead of file copy.  Same problem.

Expert Comment by: digitap (LVL 33)
I don't have my computer with me so I can't confirm... go to the DMZ interface and edit it. Then, go to the second tab: is there a place to modify the MTU of the DMZ? I've seen where modifying the MTU of the WAN interface resolved the issue you are having... I wrote an article on how to modify the MTU of the WAN interface on a Sonicwall and how to calculate the MTU.

Author Comment by: okacs
No, that option only exists on the Advanced tab of the WAN port (interface X1).  There is no such option on the other interfaces, including LAN or DMZ.  IIRC - This is because MTU settings are used to tweak "long-wire" communications back to your ISP, etc.

Author Comment by: okacs
I tried adding a route to and from the LAN-DMZ with a lower metric and higher priority. Didn't help.

Author Comment by: okacs
In my DMZ I have 2 servers.  They plug into a small 8 port 10/100 hub which in turn plugs into the DMZ zone port (x2) on my Sonicwall.  I thought that maybe the hub was the issue, so I replaced it *.  The problem persists.

* I replaced it with a small Sonicwall TZ170, plugging everything into the LAN side so that the WAN port is not even used, in order to simulate a hub with a greater backplane. There was a performance improvement, but it was negligible. (CPU is now at 95-98% instead of 100% during the file copy.)

HELP!

Thanks.

Expert Comment by: digitap (LVL 33)
Plug one of your servers directly into the DMZ port of your 2040...set the port to static speed/duplex.  You might have to choose different combinations: 100/full, 10/full, 100/half, etc.  Report back the results.

Author Comment by: okacs
Ok, I plugged server A in the DMZ directly into the DMZ port (X2) on the Sonicwall and did more testing. No change. The CPU still pegs out and the transfer rate is still abysmally slow.
Expert Comment by: digitap (LVL 33)
So, changing the speed/duplex did nothing?

Author Comment by: okacs
No, changing the duplex / speed does not help.

Copying files directly from Server A in the DMZ to Server B in the DMZ is fast and does not max out the Sonicwall CPU.
Copying files indirectly from Server A in the DMZ to Server B in the DMZ via a PC in the LAN zone is slow and maxes out the Sonicwall CPU.

The problem only occurs when data passes through the DMZ port on the Sonicwall.

Author Comment by: okacs
Ok, in reviewing everything again this AM, I noticed that the IPS didn't get turned off on the DMZ zone. I unselected it again and tested. Copying was fast and the CPU never rose above 50%. Problem found.

However, now we have a real problem...  because IPS is necessary on this segment.  

So I re-enabled IPS and I added an exclusion range for the IPs that would be doing the copy job, but that didn't help.

Ideas?

Expert Comment by: digitap (LVL 33)
Why do you need IPS on the DMZ? You know the hosts there and trust them, right? You'd only be concerned if someone hacked your server on the DMZ. You can set up a firewall access rule that only allows those two IP addresses through to the LAN and disable IPS.

Author Comment by: okacs
Yes, we already have such a rule limiting access by IP and port/service.  However, our security policy requires an IPS be enabled on the zone where those web servers are.  I would use a separate IPS product / box but there is no budget.

Author Comment by: okacs

I found this workaround to fix slow email issues.  
http://support.appriver.com/KB/a66/sonic-wall-ips-service-blocking-mail-stream.aspx

I'm wondering if there is some similar fix for file-share / file-copying.  I haven't found it yet....

Author Comment by: okacs
Bah, I had a typo in the IP exclusion.  Configured properly, it now works fine.

Thanks!

Author Closing Comment by: okacs
The problem was the IPS (Intrusion Prevention Service) on the DMZ zone. I had to leave it enabled, so I added an exclusion list for the IPs that would routinely be doing file copying from the DMZ.

Expert Comment by: digitap (LVL 33)
I understand policy.  OK, so you created a policy for both the LAN IP and the DMZ IP in the exclusion list?

Expert Comment by: digitap (LVL 33)
Sorry... I see your post here now, http:#a33692252. Disregard my post here, http:#a33692281. Thanks for the points and glad you got it working!
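As an added example (not from the thread, and not SonicWall's own tooling), here is a small Python check that models the fix okacs settled on: IPS stays enabled on the DMZ zone and only the file-copy hosts are excluded. The zone subnets, host addresses and the bypass rule (a flow skips IPS when either endpoint is on the exclusion list) are assumptions; the script flags an exclusion entry that falls outside every zone subnet, the kind of typo that made the first attempt fail, and shows that the rest of the DMZ is still inspected.

```python
import ipaddress

# Constructed zone layout (assumption, not from the thread): X0 LAN, X2 DMZ.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
}

def parse_exclusions(entries):
    """Parse host/CIDR strings; return (networks, errors).

    An entry that parses but lies outside every zone subnet is reported:
    that is the kind of typo that made the first exclusion list fail.
    """
    nets, errors = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            errors.append(f"{raw}: not a valid address or CIDR")
            continue
        if not any(net.version == zone.version and net.subnet_of(zone)
                   for zone in ZONES.values()):
            errors.append(f"{raw}: outside every zone subnet (typo?)")
            continue
        nets.append(net)
    return nets, errors

def ips_bypassed(src, dst, nets):
    """Assumed bypass semantics: a flow skips IPS if either endpoint is excluded."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in net or d in net for net in nets)

def review(entries, flows):
    """Split flows into those IPS still inspects and those the list bypasses."""
    nets, errors = parse_exclusions(entries)
    result = {"errors": errors, "bypassed": [], "inspected": []}
    for src, dst in flows:
        key = "bypassed" if ips_bypassed(src, dst, nets) else "inspected"
        result[key].append((src, dst))
    return result

if __name__ == "__main__":
    # 10.10.10.15 is the DMZ file server, 192.168.1.50 the LAN PC doing the copy;
    # 10.10.100.15 stands in for the mistyped entry (all constructed values).
    flows = [("10.10.10.15", "192.168.1.50"), ("10.10.10.16", "192.168.1.50")]
    print(review(["10.10.100.15"], flows))  # typo flagged, every flow inspected
    print(review(["10.10.10.15"], flows))   # only the file server bypasses IPS
```

Keeping the list to the specific hosts (rather than a whole subnet) is what preserves IPS coverage for the other DMZ server, which is the balance the author's policy required.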