Solved

intermittent network performance problem

Posted on 2013-12-12
Last Modified: 2016-10-28
I have a customer running Std Server 2003 with about 15 workstations on a 10/100 Ethernet network with two wireless access points. Users are experiencing intermittent performance issues. When performance is impacted it seems to be general. Affects all users, affects Internet page loads, and Server based apps. I have looked at server performance during periods of poor performance using Windows task manager and Process Explorer. Processor Idle time is high and memory utilization seems to be about 50%. The server memory is only DDR2 8GB on Intel S5000 series board at this time. Internet speed tests run during poor performance indicate 30 X 5. Router is Sonic Wall TZ105. I looked for scheduled tasks, scheduled updates, malware scans, etc. but everything is scheduled to run after hours. Quick Books data protect (a resource pig) is disabled.
Question by:rettif9
15 Comments
 
LVL 25

Accepted Solution

by:
Fred Marshall earned 250 total points
ID: 39714419
Does the Server have any role in internet access and/or routing?  Or, is there a separate internet gateway / firewall?  That is, does the Sonic Wall deal with most of these things or does the Server?  I will assume the former here in order to respond quicker:

A 10/100 network should be OK for a small network like this one.  
But, bandwidth concerns would remain for unusual situations.

Do you have managed switches such that you can use SMTP monitoring of the ports?  If so, I would install the free version of Paessler PRTG on your workstation.  Surely the Sonic Wall can support SMTP as well as can the Server.
With this, I would look at data rates on all the critical connections (Ethernet ports).
Then you can see if there's a difference when performance is good and when it's not.
This is a very logical first step as it's easy enough to implement and can reveal quite a bit of information (and set aside some hypotheses that could waste your time).

You could install Wireshark on the Server to analyze traffic on its NIC.

In both cases you might also want to look for "errors" and port jabbers in addition to data rate.  All this could be a bad NIC or port on one device.
0
 
LVL 7

Assisted Solution

by:BobintheNoc
BobintheNoc earned 250 total points
ID: 39714423
If everything on the network seems slow, but your server's performance values don't seem impacted, you may have a network problem--

Does the server act as your internet gateway/router too?  For each 'thing' that seems slow, there'll be a variety of tests to identify any potential problems or bottlenecks.

Examples:
If internet browsing becomes slow, even from the server, you may have something as easy as poor ISP performance or an overloaded router.  It could be the DNS servers that you're using to resolve internet names--which can make things appear slow despite your internet connection being relatively unloaded.

If opening files from the server's shared drives is slow, and the server DOESN'T exhibit performance issues (cpu utilization, low on memory), you might have software getting in the way like Antivirus packages that are taking too long to scan the files.

In all likelihood, NOT everything is slow--you'll have to find the correlation or commonalities to better determine where you should look.  IF everything truly is impacted, you might look toward the Ethernet side of things--perhaps a PC or even server has a misconfigured network card, or maybe someone has looped your network (like plugging in a network switch incorrectly).

With WIFI in the mix, the most common issues are too many clients on the WIFI network, or possibly poor reception quality or interference from nearby networks, cordless phones, baby monitors etc.

Again, trying to isolate exactly what's slow, or the most common 'central' pieces around all things that seem slow is crucial.  If there's a problem, there'll be something that binds all the clues together--finding it is the challenge.

How many network cards are present in your Server?  Are you certain that core services to the network, like IP Addressing, routing, subnet masks are valid?  How do your computers receive their IP address?

This type of general troubleshooting can fill a book with details.  Sometimes, it just takes a pro to get in, get a feel for what's going on, then recommend a solution.

Could you possibly be infected on several or even just one computer that's flooding the network?  For a quick type of test, using something like Wireshark on the server can capture network packets, you might see that your network is suffering from a broadcast storm that's congesting or locking up the network.  Wireshark has some built in 'Expert' analysis tools that'll make big problems easy to spot.

During periods of slow performance, it'd be good to perform some simple ping and tracert tests.  From a single PC, as well as from the server, open several CMD windows and attempt PING to a variety of IP addresses, including pinging the Server itself, the Sonic Wall, another PC, and external IP addresses like Google's DNS servers at 8.8.8.8.  Similarly, open CMD windows and tracert to the same addresses--you're looking for any points or addresses that have high response/latency times, or even inability to reach an IP address.

A thousand things can be at play, I'd start with the PINGs, and checking your computers (and server's) EVENT logs for any big clues.
0
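The ping comparison suggested in the comment above can be scored automatically. This is an added example, not part of the original post: it parses saved Windows `ping` output and reports the first target, nearest first, that shows high latency or loss. The 10.0.0.x addresses, the thresholds and the function names are assumptions.

```python
import re
from statistics import median

# Constructed sample: Windows `ping` output saved during a slow period.
# The 10.0.0.x addresses (server, firewall) are assumed for illustration.
SAMPLE = """\
Pinging 10.0.0.2 with 32 bytes of data:
Reply from 10.0.0.2: bytes=32 time<1ms TTL=128
Reply from 10.0.0.2: bytes=32 time=1ms TTL=128
Reply from 10.0.0.2: bytes=32 time<1ms TTL=128
Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=1ms TTL=64
Reply from 10.0.0.1: bytes=32 time=2ms TTL=64
Reply from 10.0.0.1: bytes=32 time=1ms TTL=64
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=412ms TTL=56
Request timed out.
Reply from 8.8.8.8: bytes=32 time=388ms TTL=56
Request timed out.
"""

PING_RE = re.compile(r"^Pinging (\S+)")
REPLY_RE = re.compile(r"^Reply from \S+: bytes=\d+ time[=<](\d+)ms")

def summarize(text):
    """Return {target: (sent, lost, median_ms or None)} in the order pinged."""
    stats, target = {}, None
    for line in text.splitlines():
        if m := PING_RE.match(line):
            target = m.group(1)
            stats[target] = {"sent": 0, "rtts": []}
        elif target and (m := REPLY_RE.match(line)):
            stats[target]["sent"] += 1
            stats[target]["rtts"].append(int(m.group(1)))
        elif target and ("timed out" in line or "unreachable" in line):
            stats[target]["sent"] += 1   # probe sent, no usable reply
    return {t: (s["sent"], s["sent"] - len(s["rtts"]),
                median(s["rtts"]) if s["rtts"] else None)
            for t, s in stats.items()}

def first_bad_hop(summary, max_ms=100, max_loss=0.25):
    """First target (nearest first) exceeding the latency or loss threshold."""
    for target, (sent, lost, med) in summary.items():
        if sent and (lost / sent > max_loss or med is None or med > max_ms):
            return target
    return None
```

In the sample the server and firewall answer cleanly and only the external address degrades, which points past the LAN; a bad result on the first target would point at the local Ethernet side instead.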
 
LVL 7

Author Comment

by:rettif9
ID: 39714684
I'm off site so troubleshooting may have to wait till after hours when I can work at user workstations. The only switch is a level 1 unmanaged switch. The server has DHCP and DNS enabled. ISP is Charter. Forwarders are Charter DNS servers. LAN is 10.0.0.0/24. DHCP is off in the Sonic Wall. Server has one enabled NIC. The server did have ISA installed but it was removed in an effort to improve performance several months ago. Sonic Wall was installed at that time. All workstations are wired and use DHCP. WAPs are for mobile devices (guests on the network not in AD). I did run Wireshark. I didn't see many error messages at all. Most of the traffic was on the local subnet. I'm not really proficient with Wireshark. Both of you have given me some good ideas of things to look for. Stay tuned.

I ran a Wireshark scan for about 18 minutes (not during a problem period) and then clicked on summary. Here are some of the results, rounded. Anything jump out at you?

Avg. Packets/sec   637
Avg. packet size    260 bytes
Avg. bytes/sec       166012
0
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39715221
Averages look OK. Nothing too surprising to *me*.
But it means little unless there's a problem period to compare with.
At least now you have a baseline.
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 39715684
Agreed, those numbers are well within reason for a dozen machines or so.
During a problem situation, how long does it last and is anything done to bring it back to normal, or does it just return to normal on its own?
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 39715688
I think fmarshall is referring to SNMP--  simple network management protocol.   Probably a little thick to do at this moment, but definitely something to suggest to the client for an easy billable few hours.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39716066
Hi rettif9,

Change MTU on the SonicWALL. Here is an article that explains how to get the correct MTU value: http:/A_12615-Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.htm

Let me know how it goes!
0

 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39717167
Yes SMTP=SNMP oops!
I don't think this is "heavy" in the sense that issues like this come up all the time and IF you have managed switches it's easy enough to set up and capable of giving lots of good information without too much trouble.  Well, IF you use PRTG.
You can go round and round with SNMP and MIBs, etc. etc. which is way too detailed a level to be working.  PRTG gets you past that in every case for normal/simple network monitoring.
0
 
LVL 7

Author Comment

by:rettif9
ID: 39718742
To all Commenters,

I'm still trying to resolve this issue. I'm seeing a couple of IPs doing bursts of DNS traffic and so I suspect malware on those hosts. Both are protected so I may need to delve a little deeper. As I said this problem has convinced me to learn how to use wireshark (wireshark101 on the way). Checking Youtube videos and ramping up. Not familiar with PRTG either. I'm a windows guy. Will post when I have more info. Have to move a server and run cable today then back to this problem. The joys of being a one man shop.
0
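Bursts of DNS queries from individual hosts, as described in the comment above, can be picked out of a capture export with a sliding window per source address. This is an added example, not part of the original post: the tab-separated input layout, the sample addresses, the window and the threshold are all assumptions.

```python
from collections import defaultdict, deque

# Constructed sample in the assumed layout: epoch<TAB>source IP<TAB>query name,
# e.g. from: tshark -r cap.pcap -Y "dns.flags.response == 0" \
#            -T fields -e frame.time_epoch -e ip.src -e dns.qry.name
def make_sample():
    rows = []
    for i in range(6):      # ordinary workstation: one lookup every 20 s
        rows.append(f"{1000 + 20 * i}.0\t10.0.0.21\twww.example.com")
    for i in range(40):     # bursty host: 40 distinct names inside 4 s
        rows.append(f"{1030 + i * 0.1:.1f}\t10.0.0.37\th{i}.example.net")
    return sorted(rows, key=lambda r: float(r.split("\t")[0]))

def dns_bursts(lines, window=10.0, threshold=30):
    """Return {src_ip: (peak_queries_in_window, distinct_names_at_peak)}
    for every source whose peak meets the threshold."""
    recent = defaultdict(deque)          # src -> (time, name) inside window
    peak = {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[2]:
            continue                     # skip malformed or non-query rows
        ts, src, name = float(parts[0]), parts[1], parts[2].lower()
        q = recent[src]
        q.append((ts, name))
        while q and ts - q[0][0] > window:
            q.popleft()                  # drop queries older than the window
        if len(q) > peak.get(src, (0, 0))[0]:
            peak[src] = (len(q), len({n for _, n in q}))
    return {s: p for s, p in peak.items() if p[0] >= threshold}
```

A peak made up almost entirely of distinct names is a stronger reason to scan that host than the same count of repeated lookups for one name, which more often indicates a misbehaving application or resolver retry.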
 
LVL 25

Expert Comment

by:Fred Marshall
ID: 39718855
PRTG works very well in Windows....
Wireshark is great but the interpretation of results, filtering, etc. is a continuing challenge as needs change from case to case.

"Protected"?  *NO* protection is perfect.  I clean up computers with malware all the time and most of them were "protected".  If you see unusual behavior on any computer, I would say that at least warrants a Malwarebytes scan .. and then go from there.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39718982
Your SonicWALL has a packet capture built-in that will be far easier and faster to learn than WireShark. Go to System > Packet Monitor and run from there.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39725181
Any update on this?
0
 
LVL 7

Author Closing Comment

by:rettif9
ID: 39725507
Thanks for the tip about PRTG; I was unaware of it. The problem turned out to be a combination of several things: malware, misconfiguration, and the memory limitation of Server 2003 32 bit. It took several tries before I finally caught the server maxing the memory out and paging. The tools helped me narrow it down. Thanks also to @Diverseit; although I didn't use the packet monitor or change the MTU settings, your input was appreciated. After diagnosis the end result is a determination that a server replacement is appropriate. Thanks to all for your input.
0
 
LVL 24

Expert Comment

by:diverseit
ID: 39725514
You're welcome! Glad I could help.
0
 
LVL 7

Expert Comment

by:BobintheNoc
ID: 39725644
2003 sees end of life/support very soon anyways, sounds like a good opportunity for a safe and casual migration.
0
