Solved

network

Posted on 2011-03-16
Last Modified: 2012-06-27
I have 200 internal IP addresses for our workstations. These go to switches (unmanaged) that then connect to another switch that connects to the servers. The servers have external IP addresses. When a workstation makes a file request from the server it goes very, very slow. When I change the workstation to the same IP addresses as the server, it runs very fast.
For example, if we open a large CAD drawing using the NATed addresses it may take 10 minutes to open. By switching the IP to the server's subnet, it does the same load in 1 minute.
The network is gigabit.
Question by:don_bruess
18 Comments
 

Expert Comment

by:ssc-insight
Add a hosts file entry on one of the workstations for one of the servers you are trying to access and see if the response is faster for the test workstation reaching the server. If so, you've got a DNS issue. If the test does not make a difference, please provide information about the device and corresponding config that is between your internal and external switches. You mentioned you are using NAT, so that implies you have more than just switches.


Author Comment

by:don_bruess
Sorry, yes, we have a WatchGuard firewall.

Expert Comment

by:Sommerblink
Question: Why do your (what appear to be) servers have external IP addresses?
Question: What protocol(s) are you using for file transfer?
Question: How are your workstations calling your file servers? Is it via IP address, a DNS name, or just a host name?
Question: What is the purpose of segregating your workstations from your servers?
Question: Is this a Windows network (e.g., Domain or Workgroup) or something else (Linux, etc.)?

Author Comment

by:don_bruess
Most of the servers have duties which require public IPs.
Standard file transfer within Windows (cut and paste); in some cases programs may use other methods. I am not sure about CAD, which is the one I am working with.
The workstations address the server by DNS. CAD, I believe, uses what it refers to as XREFs.
Windows Domain.

Expert Comment

by:ssc-insight
Typically we'd see servers on the same subnet as the internal / primary workstations, with specific public duties allowed through the firewall on a case-by-case basis (e.g., e-mail, websites, etc.) as NAT or PAT translations and filter policies in your firewall config. Remote users expect performance to be slower, whereas you don't want internal traffic to be throttled at all by your firewall if you can avoid it.

It sounds like you are making your firewall handle much more traffic than is needed.

Author Comment

by:don_bruess
The firewall's primary duty is the external connection, but it does route the NAT addresses. Besides the normal web work, FTP, and such, the external servers serve as terminal servers for our remote sites, and some are needed for RDP work by software vendors in support roles for their software. I have considered placing three or four of the file sharing servers on the same subnet and moving the outside duties to other servers. I assume from your comment that would make a difference, or at least be easier to work with.

Expert Comment

by:ssc-insight
Yes. Certainly if you are working with CAD files (typically relatively large), these would be good candidates for bringing inside on the same subnet as primary users. If you are using gigabit switches for your workstations and for your servers, it is unlikely your firewall even handles gigabit speeds unless you have a high-end model.

Author Comment

by:don_bruess
Don't know what is considered high end; I think the WatchGuard firewall sells for about 2500.00.
I tried the lmhosts file and found the results the same.

Expert Comment

by:ssc-insight
I'm leaning towards throughput issues based on what you've shared. Your firewall throughput will be throttled by the interface speed as well as the configuration work requirements (i.e., how much work you are asking it to do). For example, you may have a gigabit connection to the firewall, and therefore the BEST possible throughput you'll get is the same as your gigabit switch. More likely, though, the workload requirements will throttle that down far more...

At least if it were a DNS issue the fix might be less involved. Another way to isolate a DNS issue vs. a throughput issue is to test a very small vs. a very large file. If the delays are highly related to file size, I would suspect a throughput issue, whereas if the delays for very small files and large files are comparable, I'd take a closer look at DNS (and you need to edit the hosts file, not the lmhosts file).


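One way to run the small-vs-large file test described above, as an added example that is not code from this thread; the share paths are placeholders (run it once with the share mounted by DNS name and once by IP address), and the demo times constructed local files so it runs offline:

```python
"""Added example (not from the thread): small-vs-large file timing test.
ssc-insight's rule: delay that grows with file size points at throughput;
near-equal delay for a tiny and a huge file points at a per-request cost
such as name resolution. Demo uses constructed local files so it runs offline."""
import os
import tempfile
import time

def make_sample_file(path, size_bytes):
    """Create a constructed sample file of the given size (demo input only)."""
    with open(path, "wb") as f:
        f.write(os.urandom(size_bytes))
    return os.path.getsize(path)

def time_read(path, chunk=1 << 20):
    """Seconds taken to read the whole file sequentially in 1 MiB chunks."""
    start = time.perf_counter()
    with open(path, "rb") as f:
        while f.read(chunk):
            pass
    return time.perf_counter() - start

def classify(small_secs, large_secs, min_ratio=10.0):
    """'throughput' if the large file takes >= min_ratio times longer than the
    small one (cost scales with bytes moved), else 'name-resolution'
    (a fixed per-request cost dominates, so size barely matters)."""
    if small_secs <= 0:
        return "throughput" if large_secs > 0 else "name-resolution"
    return "throughput" if large_secs / small_secs >= min_ratio else "name-resolution"

def run_test(small_path, large_path):
    """Time both files and return (small_secs, large_secs, verdict)."""
    small = time_read(small_path)
    large = time_read(large_path)
    return small, large, classify(small, large)

if __name__ == "__main__":
    # Constructed demo: 1 KiB vs 64 MiB in a temp dir. On the real network, run
    # this twice with the paths pointing at the share mounted by DNS name and
    # again by IP address (placeholder paths, not from the thread).
    with tempfile.TemporaryDirectory() as d:
        small_f = os.path.join(d, "small.bin")
        large_f = os.path.join(d, "large.bin")
        make_sample_file(small_f, 1024)
        make_sample_file(large_f, 64 * 1024 * 1024)
        s, lg, verdict = run_test(small_f, large_f)
        print(f"small {s:.4f}s, large {lg:.4f}s -> suspect {verdict}")
```

Compare the two verdicts and the absolute times between the by-name and by-IP runs: a by-name run that is slow for both file sizes while the by-IP run is fast is the DNS pattern the comment describes.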

Author Comment

by:don_bruess
OK, I will edit the hosts file and test, and also test small vs. large file transfer time.
If it was throughput, would it not be the same problem with any IP used? In checking the network usage on both the machine and the firewall, the machine never exceeds 3-4% and the firewall stays around 12%.

Expert Comment

by:Sommerblink
I suspect that the biggest problem you are having is that SMB is just an extremely chatty protocol. It was never designed for traversing NAT/PAT.

It sounds like you have NetBIOS enabled over TCP/IP. I would recommend against that (especially since you are traversing a firewall) and instead use direct hosting of SMB (http://support.microsoft.com/kb/204279), but only if you aren't using any software which requires NetBIOS.

Because of the rules that are in effect with NetBIOS when you have a domain model, you do need to take that into consideration as well. Here is a good primer on NetBIOS requirements: http://support.microsoft.com/kb/188001

In cases where we need to allow file transfers over a firewall, using another technology besides SMB is usually the best way to go, like FTP or HTTP/S... but I'm getting ahead of myself.

Don, I would seriously recommend that you consider reevaluating your fundamental network design. I think that the problem you are having now is just the tip of the iceberg.

You mention that you are running Active Directory. Are the servers on the other side of the firewall domain members? If so, did you put a domain controller (or two) over there? And did you then poke ALL the holes that are required for DC communication, or make the necessary registry fixes in order to fix your RPC port (http://technet.microsoft.com/en-us/library/bb727063.aspx) on all the servers over there?

Author Comment

by:don_bruess
Thanks for the input.
I believe TCP/IP NetBIOS is turned on, but I will have to verify.
Both the private and public IP ranges are inside the firewall, with holes punched for the needed port traffic on the public side. The ACAD work is done locally, not over the internet, so the remote sites do not have the issue; it is local only. I have reviewed the rules on the firewall for the internal traffic and cannot find anything which would cause the issue. But sometimes one cannot see the forest for the trees. I do have several DCs, but since they are on the same side of the firewall it should not be an issue. Pulling out what is left of my hair, I am struggling here. The private IP being used, 192.168.0.84, takes 10 times longer to load the drawing than if I switch him to the public IP. The only common thing I can think of is the firewall, but as I said, no rules show restricting.
Thanks
Don

Expert Comment

by:ssc-insight
My thinking is that the firewall processes the packets differently (or perhaps not at all, i.e. pass-through) if it sees the subnet is the same.

Regarding firewall throughput, unfortunately the network usage and firewall CPU utilization are not good indicators of the total throttling effect. Efficiencies in the firewall algorithms and other factors impact how quickly the packets are processed. It's true that if the CPU was maxed it would likely be affecting throughput, but the opposite is not true.

 

Author Comment

by:don_bruess
Thanks, I will contact the firewall folks and get some input from them. With so few connections and only a few switches, you would think this would be a no-brainer...... Networks... a never-ending story.

Expert Comment

by:ssc-insight
The network info you just provided is very helpful.

To isolate the issue further, have you done anything with static route commands to see if you can bypass the firewall function altogether for your inside nodes?

If the firewall defaults to (or otherwise uses) the outside interface for the internal public IP addresses, it is likely that it will be doing some processing, so adding the appropriate static routes may help you direct the traffic in such a way as to effectively bypass the firewall processing.

Author Comment

by:don_bruess
The firewall sets up using the outside IPs, with an option to add secondary IPs. I added the secondary IPs and set it to NAT only if it was outside. You have a point; the people are trying to catch up on their work from my testing. I will try more testing tomorrow. If you think of anything else, let me know.

Thanks,
Don

Accepted Solution

by:kdearing (earned 500 total points)
I would add a second network card to the server and put it on the same subnet as the LAN.

Author Closing Comment

by:don_bruess
Once I added a second NIC, everything ran as it should. I have the firewall people also looking at the issue, but they felt the switches were not doing what they should be doing. All is fine now. Thanks to everyone who took the time to think about the problem.
