Tag Archives: ports

Troubleshoot a Slow Network – Slow Server

Slow Server

How do we know the server is slow and the problem is not elsewhere?
Make a file transfer between any two other computers on the network. Compare the measurements with the server’s transfer rates.
What are the reasons for a slow server?
There are many reasons for a slow server. The server is many times the bottle-neck of a network. Here are a few reasons for a slow server:
An average, or below average network card, (you need good quality network cards for a server).
Server Network Card Underutilized. Connect your server on the backbone or on 1GB switch ports to make use of the high speed network card. You probably want to limit all your clients to transfer at 100Mb so that there is no traffic discrimination. If your server and switches support higher transfer rates, (10GB ports), make sure you make use of it.
Slow disks. Poor hardware is many times the main reason. Improper configuration, such as choosing the wrong RAID type, or not using write caching can be another reason.
Too many clients on a server. If too many clients make requests to the same single server this could overload the server and it will perceived as a slow network by the users. Measure your server’s performance on load using the performance logs and alerts and the system monitor in Windows. Usually the performance is changing over the course of a day based on the number of users who access the server at the same time. Sometimes adding another network card would be sufficient. Enabling cache writing on the SCSI card can help a lot, (make sure you install a cache battery), adding a new SCSI card and additional disks to offload the existing ones could be of help. Sometimes adding another CPU can make a difference, (if you have free CPU slots). Memory is very often the most used method of upgrading, but most of the times it is not the needed solution. Use the performance logs and alerts and the system monitor and compare with the recommended thresholds to determine what your bottleneck is.
Slow server response, (packet sniffer to determine the handshake time), Adjust the server’s configuration to optimize the handshaking time; (this is a fairly advanced optimization task).

This article is part of a five posts series regarding Network Troubleshooting.

Troubleshoot a Slow Network – The entire Network is Slow

The Entire Network is Slow

If the entire network or a part of the network is slow, this could be a strong suggestion for a faulty switch or a miss-configuration.

Poor network equipment
Usage of hubs is not recommended, (hubs are prone to collisions by design)
Cheap switches that cannot handle the total needed bandwidth. The switch’s chip can handle 100Mb/s for 12 ports, but the switch has 24 ports and all are connected. For low network usage this is not a problem, but if your network usage spikes, your switch will not be able to handle the bandwidth. The quick fix in such situation is to power off the switch for a few minutes and then power it back on.

A loopback is a network cable that has both ends connected to the same switch. If it’s a managed switch activating loop protection on all the ports could fix the problem. You can look on the switch’s log file for excessive broadcasts and isolate the two ports that are in loop. If you don’t have managed switches you can use a packet sniffer to determine if there’s a loop. A wrongly configured Spanning tree could cause a loopback.
FIX: Check all the patch-cord connections in the faulty switch. Check for patch-cords that have both ens into the same switch. Check for more than one patch-cord connecting the same two switches.
If you have cascaded switches it is normal to be slower for the devices in the cascaded switch but is not normal for the devices that are not cascaded. Check if any cascaded device is not connected on two ports on the wall, (usually the ports on the wall go to the network room). Your cascaded switch makes a loop into the upper level switch.

Bad Network Configuration
DNS issues
can cause a lot of slowdowns.
One common error is to use your ISP’s DNS server inside your Active Directory network. Your Active Directory computer members will try to resolve internal names by querying your ISP’s DNS. Those records don’t exist outside of your network.
Fix: For all of your Active Directory network clients remove any entries for your ISP’s and use only internal DNS servers. Configure your ISP’s DNS server as a forwarder on your AD DNS servers.

Network switching equipment wrongly connected is the reason of slow network for many small networks. Typically this happens when a small switch is connected to the router. When the switch becomes too small for a growing network, the first impulse is to connect the computers into the router directly.
: Install a switch that will accommodate all of the computers in the network. Disconnect any computers connected directly into the router.
Note: It is normal for the wireless connected computers to have slower transfer rate than the wired ones. Most of the wireless routers and adapters function at 54Mb per second. If your router is a modern router, (100 Mb or faster), and you still don’t get the expected transfer rates, you should revise your configuration as above.

Broadcast storm
You can efficiently detect a broadcast storm using a packet sniffer or a managed switch. With a packet sniffer you need to look for large numbers of broadcast/multicast (more than 20% of the total traffic it is an alarm signal). Locate the retransmission packets and search for the source MAC address. Disconnect the problem host.
If you suspect a broadcast storm in your network and you don’t have a managed switch or a packet sniffer, you can run download and upload tests by systematically disconnecting all of your computers in the network one by one. This is only practical in small network environment.

Virus Attack
A lot of connections originating from the same MAC address, to the same destination port, but for different destination address, and in short intervals.
Fix: Determine the source address of these connections and disconnect the suspect hosts. Run an antivirus scan on the computer before plugging it back. There are a few ways to determine the source of a virus. Use a packet sniffer, look on your managed switch for the ports with the most traffic and confirm it on the suspected computer by issuing the command “netstat -a -b”, (on a Windows machine). The command will show you which ports are active and which program, (executable), is using the ports.

This article is part of a five posts series regarding Network Troubleshooting.

How to Install Squid with Active Directory Authentication on Debian

How to Install Squid with Active Directory Authentication on Debian

Squid is a caching proxy software, licensed under GNU GPL, (free software).
It can help your Organization to reduce bandwidth and improves response times by caching and reusing frequently-requested web pages.
Squid has extensive access controls and if you don’t mind Command Line Interface is not too hard to configure. It runs on most available operating systems including Windows.
The following article is a step by step HOW TO Install Squid on Debian. Most of the steps are easily applicable to any other Linux distribution such as: RedHat, Suse, Ubuntu, etc…

Hardware requirements

Choose the machine wisely – if you are running a 50 computers Network a PIII should be enough provided that all you do is Web Caching and Filtering.
The memory is the most important and after that the disk speed. If you plan your proxy for a bigger Network you should consider using SCSI drives or SAS, and a faster CPU.
Memory requirements are explained later in the document.

Package Installation

Instal Debian minimal. The install cd, (only 650Mb) should be enough for this.
Reboot after installing and add packages with Aptitude (grafical interface) or "apt-get install program".
Add the following packages:
Kerberos apt-get install krb5-{admin-server,kdc}
PAM apt-get install libpam0g-dev
Apache if you want proxy Auto-Configuration apt-get install apache2
Dansguardian if you need advanced WEB filtering
SARG if you want a log analyzer for your WEB access/filter

– – – – – – – – – – – – – – – – – – – – – –

Configure Samba

Samba is going to be used for authentication.
Note that if you run squid in transparent mode the authentication will not work.

#nano -w /etc/samba/smb.conf

Add or remove daemons to autostart
#update-rc.d  winbind defaults
#update-rc.d  samba defaults

– – – – – – – – – – – – – – – – – – – – – –
netbios name = proxy
workgroup = SUBDOMAIN
security = ADS
password server = server1.subdomain.domain.root server2.subdomain.domain.root
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
idmap uid = 10000-20000
domain master = no
local master = no
preferred master = no
winbind enum groups = yes
winbind enum users = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind use default domain = Yes
encrypt passwords = yes
log level = 5 passdb:5 auth:10 winbind:5
server string = proxy
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
encrypt passwords = true
load printers = no

– – – – – – – – – – – – – – – – – – – – – –
Do not add other parameters to the configuration file as they are not needed.
You can always tweak your configuration file later on if you need additional tweaking. If you do need further modifications do one at a time and test it extensively before release to production.
After editing smb.conf run the following command
# testparm
This will test your samba configuration file against any errors.
If there are no errors restart samba:
proxy:~# /etc/init.d/samba restart
proxy:~# /etc/init.d/winbind start
– – – – – – – – – – – – – – – – – – – – – –
Add the server to the domain
#net ads join "Ottawa Computers/Servers" -U Administrator -S server1.sub-domain.domain.edu
If you have Windows 7 you might get this in your /var/log/samba/log.wb: "NTLM CRAP authentication for user returned NT_STATUS_INVALID_PARAM"
If you get it follow the instructions below to tell Windows to use NTLM version1. Note that this is a security downgrade and it opens the door for an SMB man-in-the-middle attack. Asses the risks and the advantages before you do the change.

Run local GP on W7 gpedit.msc and look for:
Local Policies Security Options Network security: LAN Manager authentication level
Change from "Not Defined" to "LM & NTLM – Use NTLMv2 session if negotiated"
– – – – – – – – – – – – – – – – – – – – – –

Configure Squid

Make a backup copy of the default configuration file:
# cp /etc/squid/squid.conf /etc/squid/squid.conf.original
Edit the file squid.conf:
#nano –w /etc/squid/squid.conf
Replace everything in the file with the below text:

– – – – – – – – – – – – – – – – – – – – – –

#Proxy configurationuration - /etc/squid.squid.conf

# -----------------------------------------------------------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid Proxy Server
auth_param basic credentialsttl 2 hours
acl authenticated_users proxy_auth REQUIRED
http_access allow authenticated_users
auth_param ntlm keep_alive on

# -----------------------------------------------------------------------------
#Deafult acl’s
acl all src all
acl manager proto cache_object
acl localhost src
acl to_localhost dst

#Declare your local network and any additional subnets
acl localnet src                # RFC1918 possible internal network
#acl remotesite src

#You would like that some of the users to be excluded from the logging.
###acl bosses src
###log_access deny bosses

#Tell Squid to not log google.ca
#Define the acl for google using regex
acl google url_regex ^http://www.google.ca
#Deny logging the acl
log_access deny google

#Allow the access for your localnet.
http_access allow localnet
#http_access allow remotesite

#Define allowed ports
acl SSL_ports port 443                    # https
acl SSL_ports port 563                    # snews
acl SSL_ports port 873                    # rsync
acl Safe_ports port 80                    # http
acl Safe_ports port 21                    # ftp
acl Safe_ports port 443                  # https
acl Safe_ports port 70                    # gopher
acl Safe_ports port 210                  # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280                  # http-mgmt
acl Safe_ports port 488                  # gss-http
acl Safe_ports port 591                  # filemaker
acl Safe_ports port 777                  # multiling http
acl Safe_ports port 631                  # cups
acl Safe_ports port 873                  # rsync
acl Safe_ports port 901                  # SWAT
acl purge method PURGE

http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# -----------------------------------------------------------------------------
http_port 3128

# -----------------------------------------------------------------------------
#The memory needed for caching used files. The more you have the faster works. (No disk access.)
cache_mem 256 MB
#Objects bigger than this should be stored on the hard-drive. This can be lower than 8kb if your server has little memory.
maximum_object_size_in_memory 8 KB

# -----------------------------------------------------------------------------
#Make sure you have enough space. And mount this on a fast disk or a raid0.
##cache_dir ufs /var/squid/cache 1000 16 256
cache_dir diskd /var/squid/cache 500 16 256

#This is extremely useful if your users download big files. You can even increase this depending on usage.
maximum_object_size 40960 KB

# -----------------------------------------------------------------------------
#This logging format includes the date the address requested the IP address of the requestor and the AD user who made the request.
#Human resources need to know what your users browse during the workday.
logformat squid %tl %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
#Where to store all of this data.
access_log /var/log/squid/access.log squid

# -----------------------------------------------------------------------------
cache_mgr admin@mycompany.net
mail_from squid@ mycompany.net
visible_hostname proxy

# -----------------------------------------------------------------------------
##You have the option to use the ISP’s DNS here
# dns_nameservers
hosts_file /etc/hosts
uri_whitespace allow
http_access deny all

#### --- End of the configuration file --- ####

– – – – – – – – – – – – – – – – – – – – – –

Run the command squid –z to let squid create the necessary directories.
#squid –z
Add the squid daemon to auto-startup, on a Debian machine the command is: 
#update-rc.d  squid defaults
Start squid
#/etc/init.d/squid start

Test squid without authentication first. If this works go to the next step.
To test without authentication, comment all of the parameters in the Authentication section by adding the “#” sign at the beginning of line and restart squid.

Add or remove daemons to autostart
cd /etc/init.d/
update-rc.d  winbind defaults
update-rc.d -f apache2 remove

Tweaking performance on SQUID

A few settings that can dramaticaly improve the performance on your proxy:

cache_dir ufs /var/spool/squid 1000 50 256
This is the default Squid storage type configuration.
Change the storage type from ufs to aufs if using a Linux or variants.
Change the storage type from ufs to diskd if using BSD or variants.
If you use Windows, is probably for testing purposes, or because you don’t have a machine. Once the testing is done change to Linux or BSD.
The numeric parameters are:
First parameter is the amount of disk space in Mbytes to be used by Squid. The more you use the more physical memory (RAM) you need for indexes in order to be effective.
The rule is that you need
If you want to use the whole drive’s, (partition), space make sure you subtract 20% and use that value. In other words you can only use 80% of the drive.
The second and third parameters are the number of first and second level subdirectories that are created.

cache_mem 64 MB
The more memory you have the better it performs. Local, (cached), objects are much faster to retrieve than external ones.
The more local objects you can store the faster Squid responds.
Squid uses cache for many things other than memory cache, so make sure you have enough memory left when you configure cache_mem.

Memory cache is better for speed than disk, but is lost more easily and you can get bigger cache total spending RAM on indexes.

maximum_object_size 20480 KB
Today’s Internet usage contains has a lot of traffic in the 2MB to 200MB range. This traffic is comprised of multimedia objects, update files, etc.
You need to investigate your traffic and see what is a good number for you.

maximum_object_size_in_memory 64 KB
If you have little memory keep the default 8 KB. It is better to serve more fast pages from memory than a few slow pages that will run faster.

Check if your proxy works and if is logging properly the access.
On your proxy machine run the following command to see realtime access on the proxy: tail -f /var/log/squid/access.log On a client computer open the browser of your choice and change Networking options so that the browser uses the newly installed proxy.
Start to browse and look on the proxy’s console to see your activity logged.