Solved

Internet connection speed intermittent.

Posted on 2010-09-22
22
839 Views
Last Modified: 2012-05-10
Greetings,

I browse from a LAN made up of 80 workstations and have a very capable internet connection, but for some days now I have been experiencing enormous delays downloading/uploading files for some reason.

My connection config is as follows:

ISA Server (web proxy, GFI WebMonitor), edge firewall model (two NICs, where one is LAN and the other the INTERNET);

In a separate computer, I have my LAN server which is the PDC as well as DNS and DHCP "patron";
No client makes a direct connection to 'outside'.

I have connected directly to my router to see whether the problem was from my ISP, but the connection speed seemed normal and I could even download big files without delays. For example, a 65Mb file was downloaded at 250Kb/s when connecting directly, while repeating the procedure through the normal configs, it could not go higher than 4Kb/s!!!

I have included snapshots of my ISA firewall policies in case I have my orders wrong.

Best regards.








Question by:kemitHamite
22 Comments
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 33736825
How many hosts have this problem?  All of them?  Just some of them?

Have you rebooted all the switches and routers?  I would do that.

Then, if it still persists:

What happens if you insert a switch at the internet server LAN side and plug in a laptop there?  

I suspect a speed conflict or a physical problem or a device that has "lost its mind" needing reboot.
0
 

Expert Comment

by:nickciu10
ID: 33737503
Depending on what type of switches you own you may also be able to use a NetFlow Analyzer. This will help pinpoint the bandwidth  issue.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33739018
I use CNet switches. Will try the reboot procedure in its entirety (I only rebooted the server actually). I already did try connecting to a switch which is directly connected to the internet LAN. I assume there is nothing wrong with the ISA rules, right???
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33739088
I use CNet switches. Will try the reboot procedure in its entirety (I only rebooted the server actually). I already did try connecting to a switch which is directly connected to the internet LAN. I assume there is nothing wrong with the ISA rules, right???
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33741543
I tried rebooting every single switch, the router as well as my servers; the issue prevails. It is a strange situation.
I will break it down to make things easier to analyse. The way the browser behaves on download attempts is as if it was negotiating the download attempt by having to go through a validation period (it can sometimes take up to 5 min before it starts downloading!!!). Normal browsing seems normal although with just a little bit of lag too.

Please bear in mind the fact that I am also using GFI Webmonitor (ISA Server 2006 module).

Rgs
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33741660
Just some additional info, I did a speedtest from my ISA Server, a 1MB file was downloaded at 17Mbps, the same file from a workstation was downloaded at 43Kbps!!!!!!
0
 
LVL 7

Expert Comment

by:JJ2
ID: 33741974
The client PCs might be infected with malicious programs or services causing a congestion to the ISA server.

In the ISA server, try monitoring the Destination IPs below and observe if it's getting a hit:

204.152.184.92
204.152.184.139

If yes, those client PCs' registries should be modified by removing the malicious service entries. Must run a good antivirus product.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33742253
@JJ2,

I simulated a connection to both addresses you provided; the connections went through, though it could not resolve both IPs. I tried pinging them as well and there were positive responses from both.

What are the services that should be removed from the registry? Any idea of what malware it could be?

Rgs
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 33744815
"already  did try connecting to a switch which is directly connected to the internet LAN. "

I'm being picky here and you may have done exactly this .. but there's a purpose.  
The intended suggestion was to do this:
Introduce a new, simple switch between the *internet server* and its LAN connection.  
[i.e. not just to any switch on the LAN - which is how one might read your response].
Then, connect a computer to this new switch.
The idea is to bypass all intervening switches and cables on the LAN and get a test as close to the server/gateway as possible to eliminate the possibility of bad hardware on the LAN.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33745132
Hi fmarshall,

I get your point, besides connecting to a 'normal' switch, I also did connect directly to the gateway, without even passing through the server (just replicated the settings to the NIC on the 'test' computer). The browsing seemed normal.

Rgs
0

 
LVL 25

Assisted Solution

by:Fred Marshall
Fred Marshall earned 50 total points
ID: 33745459
But the Server is a key in your questioning isn't it?  So, I would definitely connect a computer right up to it (thus the switch) on the LAN side and see if the performance running more or less directly through the server is different than the poor performance you're generally seeing on the LAN otherwise.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33746001
Okay,

I get your point. Will try it right away and get back to you.
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33754970
@fmarshall,

I tried your suggestion, the problem prevails even though I used a separate switch where only my laptop and the DC were connected to.

Any ideas?

Rgs
0
 
LVL 7

Assisted Solution

by:JJ2
JJ2 earned 50 total points
ID: 33759310
While monitoring, did the logs show that several client PCs are connecting continuously to the destination IP addresses (204.152.184.92, 204.152.184.139)?
0
 
LVL 25

Accepted Solution

by:
Fred Marshall earned 50 total points
ID: 33761069
Problem solving is often a matter of elimination.  So now it appears you've eliminated a number of cables and switches as possible sources of trouble.  And, one hopes, suggestions that target those elements.  The focus can now be on other things.

Here's another experiment:
Temporarily replace the DC with a simple router with NAT.  Does the behavior persist?
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33764373
@fmarshall,

I completely agree with the 'rule of elimination', will try the last suggestion and come back with news tomorrow.

@JJ2,

I ran a simulation through ISA's 'troubleshoot' plugin, and did it by using a single IP to both IPs you provided. How would I do it in a way that could show me how many hosts are attempting a connection to such IPs?

Rgs
0
 
LVL 7

Assisted Solution

by:JJ2
JJ2 earned 50 total points
ID: 33767093
In the ISA server:

Monitoring
Logging
Edit Filter
Filter by>Destination IP
Condition>Equals
Value> 204.152.184.139
Start Query

If there's a hit, it will show the details and you will see the infected clients in the Client IP Tab.
0
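An offline version of the log query described in the comment above, added here as an example (it is not from the thread or from ISA Server itself): it counts which client IPs reached the watched destination IPs in an exported text log, which also answers how many hosts are involved. It assumes a tab-delimited W3C extended log with a `#Fields:` header; the column names `c-ip` and `r-ip` and every sample record are assumptions.

```python
from collections import Counter, defaultdict

# Destination IPs named in the comment above.
WATCHED = {"204.152.184.92", "204.152.184.139"}

def clients_by_destination(log_text, watched=WATCHED,
                           client_field="c-ip", dest_field="r-ip"):
    """Return {destination IP: Counter({client IP: hits})} for watched IPs.

    Assumes a tab-delimited W3C extended log whose '#Fields:' header names
    the columns. The default column names are assumptions: set them to
    whatever the header of your own export shows.
    """
    hits = defaultdict(Counter)
    columns = None
    for raw in log_text.splitlines():
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # The header can reappear after a log rollover; re-read it each time.
            columns = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        values = line.split("\t")
        if len(values) != len(columns):
            continue  # truncated or malformed record
        row = dict(zip(columns, values))
        dest, client = row.get(dest_field), row.get(client_field)
        if dest in watched and client and client != "-":
            hits[dest][client] += 1
    return dict(hits)

def clients_seen(result):
    """Distinct client IPs that contacted any watched destination, sorted."""
    return sorted({c for counter in result.values() for c in counter})

# Constructed sample log (not real traffic); client addresses are made up.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tdate\ttime\tr-host\tr-ip\tr-port",
    "10.0.0.21\t2010-09-23\t09:00:01\t-\t204.152.184.139\t80",
    "10.0.0.21\t2010-09-23\t09:00:07\t-\t204.152.184.139\t80",
    "10.0.0.34\t2010-09-23\t09:01:12\t-\t204.152.184.92\t80",
    "10.0.0.40\t2010-09-23\t09:02:00\texample.com\t192.0.2.10\t80",
    "10.0.0.55\t2010-09-23\t09:03:00\t-",             # truncated record
    "#Fields: date\ttime\tc-ip\tr-ip",                  # header after rollover
    "2010-09-24\t08:15:00\t10.0.0.34\t204.152.184.139",
])
```

An empty result matches what a "no hit" query in the ISA console would show for the same period.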
 
LVL 1

Author Comment

by:kemitHamite
ID: 33768895
@JJ2

I ran the log on the IPs you provided; there was no hit from either of the IPs. I can ping them though.
0
 
LVL 1

Assisted Solution

by:kemitHamite
kemitHamite earned 0 total points
ID: 33805148
After a thorough analysis, I reached the conclusion that the 'abnormalities' I reported were caused by the GFI Webmonitor (ISA Server Edition) I have configured on my firewall. As soon as I added the various content types to the list of allowed mime types, everything seemed normal.

I thank everyone who took their time in order to help me find a solution.

Best regards
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 33808835
It seems to me that the process of elimination worked!
0
 
LVL 1

Author Comment

by:kemitHamite
ID: 33810245
Agreed, though, as I pointed out, it served as a guideline but did not exactly say what the problem was. Along the lines of, e.g., the sum of two numbers adds up to 80, find the solution... A pretty simple analogy but hopefully you get my point. The fact that I looked for help from here can also be considered a process of elimination, can't it?

Rgs
"Aut Caesar, Aut Nihill"
0
