intermittent network performance problem

I have a customer running Std Server 2003 with about 15 workstations on a 10/100 Ethernet network with two wireless access points. Users are experiencing intermittent performance issues. When performance is impacted it seems to be general. Affects all users, affects Internet page loads, and Server based apps. I have looked at server performance during periods of poor performance using Windows task manager and Process Explorer. Processor Idle time is high and memory utilization seems to be about 50%. The server memory is only DDR2 8GB on Intel S5000 series board at this time. Internet speed tests run during poor performance indicate 30 X 5. Router is Sonic Wall TZ105. I looked for scheduled tasks, scheduled updates, malware scans, etc. but everything is scheduled to run after hours. Quick Books data protect (a resource pig) is disabled.
 
Fred Marshall Commented:
Does the Server have any role in internet access and/or routing?  Or, is there a separate internet gateway / firewall?  That is, does the Sonic Wall deal with most of these things or does the Server?  I will assume the former here in order to respond quicker:

A 10/100 network should be OK for a small network like this one.  
But, bandwidth concerns would remain for unusual situations.

Do you have managed switches such that you can use SMTP monitoring of the ports?  If so, I would install the free version of Paessler PRTG on your workstation.  Surely the Sonic Wall can support SMTP as well as can the Server.
With this, I would look at data rates on all the critical connections (Ethernet ports).
Then you can see if there's a difference when performance is good and when it's not.
This is a very logical first step as it's easy enough to implement and can reveal quite a bit of information (and set aside some hypotheses that could waste your time).

You could install Wireshark on the Server to analyze traffic on its NIC.

In both cases you might also want to look for "errors" and port jabbers in addition to data rate.  All this could be a bad NIC or port on one device.
 
BobintheNoc Commented:
If everything on the network seems slow, but your server's performance values don't seem impacted, you may have a network problem--

Does the server act as your internet gateway/router too?  For each 'thing' that seems slow, there'll be a variety of tests to identify any potential problems or bottlenecks.

Examples:
If internet browsing becomes slow, even from the server, you may have something as easy as poor ISP performance or an overloaded router.  It could be the DNS servers that you're using to resolve internet names--which can make things appear slow despite your internet connection being relatively unloaded.

If opening files from the server's shared drives is slow, and the server DOESN'T exhibit performance issues (cpu utilization, low on memory), you might have software getting in the way like Antivirus packages that are taking too long to scan the files.

In all likelihood, NOT everything is slow--you'll have to find the correlation or commonalities to better determine where you should look.  IF everything truly is impacted, you might look toward the Ethernet side of things--perhaps a PC or even server has a misconfigured network card, or maybe someone has looped your network (like plugging in a network switch incorrectly).

With WIFI in the mix, the most common issues are too many clients on the WIFI network, or possibly poor reception quality or interference from nearby networks, cordless phones, baby monitors, etc.

Again, trying to isolate exactly what's slow, or the most common 'central' pieces around all things that seem slow is crucial.  If there's a problem, there'll be something that binds all the clues together--finding it is the challenge.

How many network cards are present in your Server?  Are you certain that core services to the network, like IP Addressing, routing, subnet masks are valid?  How do your computers receive their IP address?

This type of general troubleshooting can fill a book with details.  Sometimes, it just takes a pro to get in, get a feel for what's going on, then recommend a solution.

Could you possibly be infected on several or even just one computer that's flooding the network?  For a quick type of test, using something like Wireshark on the server can capture network packets, you might see that your network is suffering from a broadcast storm that's congesting or locking up the network.  Wireshark has some built in 'Expert' analysis tools that'll make big problems easy to spot.

During periods of slow performance, it'd be good to perform some simple ping and tracert tests.  From a single PC, as well as from the server, open several CMD windows and attempt PING to a variety of IP addresses, including pinging the Server itself, the Sonic Wall, another PC, and external IP addresses like Google's DNS servers at 8.8.8.8.  Similarly, open CMD windows and tracert to the same addresses--you're looking for any points or addresses that have high response/latency times, or even inability to reach an IP address.

A thousand things can be at play, I'd start with the PINGs, and checking your computers (and server's) EVENT logs for any big clues.
 
rettif9 (Manager, Author) Commented:
I'm off site so troubleshooting may have to wait till after hours when I can work at user workstations. The only switch is a level 1 unmanaged switch. The server has DHCP and DNS enabled. ISP is Charter. Forwarders are Charter DNS servers. LAN is 10.0.0.0/24. DHCP is off in the Sonic Wall. Server has one enabled NIC. The server did have ISA installed but it was removed in an effort to improve performance several months ago. Sonic Wall was installed at that time. All workstations are wired and use DHCP. WAPs are for mobile devices (guests on the network not in AD). I did run Wireshark. I didn't see many error messages at all. Most of the traffic was on the local subnet. I'm not really proficient with Wireshark. Both of you have given me some good ideas of things to look for. Stay tuned.

I ran a Wireshark scan for about 18 minutes (not during a problem period) and then clicked on Summary. Here are some of the results, rounded. Anything jump out at you?

Avg. Packets/sec   637
Avg. packet size    260 bytes
Avg. bytes/sec       166012
 
Fred Marshall Commented:
Averages look OK. Nothing too surprising to *me*.
But it means little unless there's a problem period to compare with.
At least now you have a baseline.
 
BobintheNoc Commented:
Agreed, those numbers are well within reason for a dozen machines or so.
During a problem situation, how long does it last and is anything done to bring it back to normal, or does it just return to normal on its own?
 
BobintheNoc Commented:
I think fmarshall is referring to SNMP--  simple network management protocol.   Probably a little thick to do at this moment, but definitely something to suggest to the client for an easy billable few hours.
 
Blue Street Tech (Last Knights) Commented:
Hi rettif9,

Change MTU on the SonicWALL. Here is an article that explains how to get the correct MTU value: http:/A_12615-Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.htm

Let me know how it goes!
 
Fred Marshall Commented:
Yes SMTP=SNMP oops!
I don't think this is "heavy" in the sense that issues like this come up all the time and IF you have managed switches it's easy enough to set up and capable of giving lots of good information without too much trouble.  Well, IF you use PRTG.
You can go round and round with SNMP and MIBs, etc. etc. which is way too detailed a level to be working.  PRTG gets you past that in every case for normal/simple network monitoring.
 
rettif9 (Manager, Author) Commented:
To all Commenters,

I'm still trying to resolve this issue. I'm seeing a couple of IPs doing bursts of DNS traffic and so I suspect malware on those hosts. Both are protected so I may need to delve a little deeper. As I said, this problem has convinced me to learn how to use Wireshark (wireshark101 on the way). Checking YouTube videos and ramping up. Not familiar with PRTG either. I'm a Windows guy. Will post when I have more info. Have to move a server and run cable today then back to this problem. The joys of being a one-man shop.
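
Added example (not from the original thread): a sliding-window check for the kind of per-host DNS bursts described above, run over a tab-separated export of DNS queries (time in seconds, source IP, query name). The sample rows, host addresses, window and threshold are constructed for illustration, and 10.0.0.2 stands in for the DNS server so its own forwarded lookups can be ignored.

```python
from collections import defaultdict, deque

def dns_bursts(rows, window=10.0, threshold=20, ignore=()):
    """rows: (time_s, src_ip, qname) tuples sorted by time.
    Returns {src_ip: (peak_queries_in_window, distinct_names_at_peak)}
    for every source whose query count in any window exceeds threshold."""
    recent = defaultdict(deque)      # per-source queries inside the window
    peaks = {}
    for t, src, name in rows:
        if src in ignore:            # e.g. the DNS server forwarding lookups
            continue
        q = recent[src]
        q.append((t, name))
        while q and t - q[0][0] > window:
            q.popleft()              # drop queries older than the window
        if len(q) > threshold and len(q) > peaks.get(src, (0, 0))[0]:
            peaks[src] = (len(q), len({n for _, n in q}))
    return peaks

def parse(text):
    """Parse tab-separated lines: time, source IP, query name."""
    for line in text.splitlines():
        t, src, name = line.split("\t")
        yield float(t), src, name

def sample_capture():
    """Constructed data: a quiet host, a bursting host, and the DNS server."""
    lines = [f"{i * 30.0}\t10.0.0.21\twww.example.com" for i in range(10)]
    lines += [f"{100 + i * 0.1:.1f}\t10.0.0.37\th{i}.example.net" for i in range(60)]
    lines += [f"{100 + i * 0.1:.1f}\t10.0.0.2\th{i}.example.net" for i in range(60)]
    return "\n".join(lines)

def analyze(text, **kwargs):
    """Sort the parsed rows by time and report bursting sources."""
    return dns_bursts(sorted(parse(text)), **kwargs)

if __name__ == "__main__":
    for src, (peak, names) in analyze(sample_capture(), ignore={"10.0.0.2"}).items():
        print(f"{src}: {peak} queries in 10 s, {names} distinct names")
```

A flagged host is a lead for closer inspection of that machine, not proof of infection.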
 
Fred Marshall Commented:
PRTG works very well in Windows....
Wireshark is great but the interpretation of results, filtering, etc. is a continuing challenge as needs change from case to case.

"Protected"?  *NO* protection is perfect.  I clean up computers with malware all the time and most of them were "protected".  If you see unusual behavior on any computer, I would say that at least warrants a Malwarebytes scan .. and then go from there.
 
Blue Street Tech (Last Knights) Commented:
Your SonicWALL has a packet capture built-in that will be far easier and faster to learn than Wireshark. Go to System > Packet Monitor and run from there.
 
Blue Street Tech (Last Knights) Commented:
Any update on this?
 
rettif9 (Manager, Author) Commented:
Thanks for the tip about PRTG; I was unaware of it. The problem turned out to be a combination of several things: malware, misconfiguration, and the memory limitation of Server 2003 32 bit. It took several tries before I finally caught the server maxing the memory out and paging. The tools helped me narrow it down. Thanks also to @Diverseit; although I didn't use the packet monitor or change the MTU settings, your input was appreciated. After diagnosis the end result is a determination that a server replacement is appropriate. Thanks to all for your input.
 
Blue Street Tech (Last Knights) Commented:
You're welcome! Glad I could help.
 
BobintheNoc Commented:
2003 sees end of life/support very soon anyways, sounds like a good opportunity for a safe and casual migration.