Security Forums

Broadband connectivity problem with "ISP"

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Mon Dec 16, 2002 1:27 pm    Post subject: Broadband connectivity problem with "ISP"

At work we have a problem, and apparently we are not the only site with this problem. Even stranger, the "ISP" don't know what is causing it.
I figure this is a chance to get some brownie points if I can figure out anything.

I will describe the problem as it affects us. I don't expect anyone to say "oh yeah it's..." but any ideas on what to look for would help.

The Setup:
We have an NT Proxy 2 (running on a p3/700isj 128mb ram) connected to a router which connects to a microwave broadband dish (10mb+). There is another router connected to the dish which connects to about 9 SDSL modems which go through BT and allow other sites to use the dish.

I have a connection on my PC that bypasses the proxy (for testing purposes).

The problem:
At times during the day trying to access pages thru the proxy becomes slow and useless. We used to get proxy error msgs like "the specified network name could no longer be found" but now we get proxy timeouts. And you sit there waiting.....
At the time the proxy bypass connection works perfectly well.

The Temporary solution:
Change the external IP address of the proxy (I just add one) and reboot.
We used to switch to the backup proxy which had the same effect.
But every day it would be ...change to the other proxy.


Stuff I've noticed so far:

I've got performance monitor running on the proxy. I don't exactly know what I'm looking for, but I have noticed something today that I need to confirm. When "it" was happening earlier, the processor usage on the proxy was stuck at 100%. Normally it's around 15-20% for the same 50 odd users.

I've used Ethereal before to check the traffic but I don't remember seeing anything conclusive. There were some strange router packets which I'm gonna have to ask about when I get it going again.
I shall continue to add to this thread as my investigation progresses.

~Andy

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Mon Dec 16, 2002 1:40 pm

I had similar problems a while ago with the same product, I had to reboot it virtually every day or it would just start timing out everyone.

Changed it to a *nix machine and it was fine.

But I guess that's not the answer you were looking for :D

Jason
Forum Fanatic
Joined: 19 Sep 2002
Posts: 16777215

Posted: Mon Dec 16, 2002 1:44 pm

Could be a bug in the proxy software.

I would give www.windowsupdate.com a try, to see if you can get any patches for the proxy, + general windows updates, bug fixes etc.

~~~~~~~~~
Also, is it possible to remove the router from the equation, and have the proxy direct into the WAN link?

OR

Why go through a proxy if you have so much bandwidth available?
Could you not set the PCs to use the router as the default gateway?
~~~~~~~~~

J

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Mon Dec 16, 2002 1:46 pm

jasonlambert wrote:

Why go through a proxy if you have so much bandwidth available?
Could you not set the PCs to use the router as the default gateway?

To allow limitation of net access by domain logon, I imagine. If that is not required, there is no real reason to be using a proxy (apart from caching or content control).

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Mon Dec 16, 2002 2:09 pm

We don't own the WAN equipment and we're not allowed to touch it.
Some other sites do have non-proxied connections to the WAN but we didn't do this cos we wanted to restrict access to some user groups.

We have an account named "internet" and a perl script that changes the password on the account every hour. If certain groups want access, their teacher (it's a school) has to phone for the password.

Crikey, we're up to 81 connections thru the proxy now. :o
Processor time is averaging at 8%.
Current average milliseconds per request is .8ms; when it gets bad it can be as much as 45s!!

There's at least 5 routers between our proxy and the proxy upstream. So the problem could be anywhere. The fact it's happening to other people tends to indicate it must be in between somewhere. If I could at least find out why the proxy gets killed that would be something.

~Andy

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Mon Dec 16, 2002 4:29 pm

I've found out what CDP and STP are and have managed to find out:

The router is a Cisco WS-C3550-24.

It is set up to:
performs level 3 routing
doesn't perform level 2 transparent bridging
doesn't perform level 2 source-route bridging
performs level 2 switching
doesn't send or receive packets for network-layer protocols
doesn't forward IGMP report packets on nonrouter ports
doesn't provide level 1 functionality

I think over the summer the whole network was reconfigured. Before, it was operated by someone else and was a whole lot less secure.
By that I mean I could do SMTP scans and get lots more info off public keys. Now it's all private.

The best it seems I can hope for is to try different stuff in performance mon and watch Ethereal to see if anything obvious happens.

Someone else says the 100% processor usage could be OS related so I'm gonna go look for stuff about that.

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Tue Dec 17, 2002 1:54 pm

I remembered something else from before.

When I packet sniffed the connection to our proxy we used to get HTTP 1.1 errors, specifically 407 Proxy Access Denied.

I still see these occasionally but now it tends to be
504 proxy error (connection timed out)

Here's a new one:

407 proxy authentication required, NTLMSSP_CHALLENGE

Another odd thing: I'm sniffing the external connection from the proxy to the router.

The proxy has tried to do a DNS query to the upstream DNS on my internal IP address,
e.g.
proxy > dns "standard query PTR 8.0.168.192.in-addr.arpa"
dns > proxy "standard query response, no such name"

and

my computer is trying to send ICMP packets to the external address of the proxy

192.168.0.8 (me) > 10.77.12.27 (ext-proxy) ICMP Destination Unreachable

In the packet: >> Internet Control Message Protocol >> User Datagram Protocol, the src and dest port is netbios-ns (137).
What's going on here?

I found another one where it's trying to resolve internal addresses with the upstream DNS.

Hmm, if this is happening a lot, could it be some sort of routing problem, I'm thinking?

Also, how does changing the proxy-external IP address and rebooting fix this?

Another strange thing I've noticed is that there are a lot of DNS requests for invalid addresses like:

standard query A www.www.bbc.co.uk.edu.lancs.ac.uk
standard query A www.flezz.f2s.com.lancs.ac.uk
standard query A www.www.hotmail.com.com.ourdomainname.lancs.ac.uk
standard query A www.www.google.com.com.lancs.ac.uk
standard query A www.www.google.com.net.ac.uk

That's very very weird. I'm trying to get Ethereal running on the internal side of the proxy so I can see what's going in.
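
Added example, not part of the original thread: a small check over the DNS queries quoted in the post above that flags reverse lookups for private addresses sent upstream and names that look like an already-qualified hostname with a local suffix appended. The suffix list, the TLD-like label set and the function names are assumptions made for the illustration; the last query is a constructed clean name for contrast.

```python
import ipaddress

# Query names copied from the post above; the last entry is constructed.
QUERIES = [
    ("PTR", "8.0.168.192.in-addr.arpa"),
    ("A", "www.www.bbc.co.uk.edu.lancs.ac.uk"),
    ("A", "www.flezz.f2s.com.lancs.ac.uk"),
    ("A", "www.www.hotmail.com.com.ourdomainname.lancs.ac.uk"),
    ("A", "www.www.google.com.com.lancs.ac.uk"),
    ("A", "www.www.google.com.net.ac.uk"),
    ("A", "www.digitalspy.co.uk"),
]

# Assumption: suffixes a client resolver might append, read off the queries.
SEARCH_SUFFIXES = ["lancs.ac.uk", "ac.uk"]
# Assumption: labels that normally end a public name, so should not sit
# in front of a local suffix.
TLD_LIKE = {"com", "net", "org", "edu", "uk"}


def classify(qtype, name):
    """Return a reason string if the query should not be reaching upstream DNS."""
    name = name.rstrip(".").lower()
    if qtype == "PTR" and name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        try:
            addr = ipaddress.ip_address(".".join(reversed(octets)))
        except ValueError:  # partial or malformed reverse name
            return None
        return "private-ptr" if addr.is_private else None
    # Longest suffix first, so lancs.ac.uk wins over ac.uk.
    for suffix in sorted(SEARCH_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            prefix_labels = name[: -len(suffix) - 1].split(".")
            if TLD_LIKE & set(prefix_labels):
                return "suffix-appended:" + suffix
            return None
    return None


def findings(queries):
    """List (name, reason) for every query that classify() flags."""
    return [(n, r) for t, n in queries if (r := classify(t, n))]


if __name__ == "__main__":
    for name, reason in findings(QUERIES):
        print(f"{reason:28} {name}")
```
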

ShaolinTiger
Forum Fanatic
Joined: 18 Apr 2002
Posts: 16777215
Location: Kuala Lumpur, Malaysia

Posted: Tue Dec 17, 2002 2:30 pm

Mate that looks completely buggered.

Anyway I've done an in-depth technical analysis of what you've posted and I've come up with a solution

BIN IT!

:twisted:

browolf
Trusted SF Member
Joined: 19 Apr 2002
Posts: 1

Posted: Tue Dec 17, 2002 4:17 pm

I'm inclined to agree with you but no-one ever believes me.

I got a packet trace from the proxy showing what happens when I request a website and get a timed out msg (internally):


No. Time Source Destination Protocol Info
1 2002-12-17 12:55:21.252960 192.168.0.8 192.168.0.1 TCP 2602 > 80 [SYN] Seq=2891062162 Ack=0 Win=64240 Len=0
2 2002-12-17 12:55:21.253060 192.168.0.1 192.168.0.8 TCP 80 > 2602 [SYN, ACK] Seq=40819638 Ack=2891062163 Win=8760 Len=0
3 2002-12-17 12:55:21.253227 192.168.0.8 192.168.0.1 TCP 2602 > 80 [ACK] Seq=2891062163 Ack=40819639 Win=64240 Len=0
4 2002-12-17 12:55:21.253608 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0
5 2002-12-17 12:55:21.254268 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 407 Proxy Access Denied
6 2002-12-17 12:55:21.254517 192.168.0.1 192.168.0.8 TCP 80 > 2602 [FIN, ACK] Seq=40819765 Ack=2891062367 Win=8556 Len=0
7 2002-12-17 12:55:21.254683 192.168.0.8 192.168.0.1 TCP 2602 > 80 [ACK] Seq=2891062367 Ack=40819766 Win=64114 Len=0
8 2002-12-17 12:55:21.256452 192.168.0.8 192.168.0.1 TCP 2602 > 80 [FIN, ACK] Seq=2891062367 Ack=40819766 Win=64114 Len=0
9 2002-12-17 12:55:21.256511 192.168.0.1 192.168.0.8 TCP 80 > 2602 [ACK] Seq=40819766 Ack=2891062368 Win=8556 Len=0
10 2002-12-17 12:55:21.257685 192.168.0.8 192.168.0.1 TCP 2603 > 80 [SYN] Seq=2891099381 Ack=0 Win=64240 Len=0
11 2002-12-17 12:55:21.257739 192.168.0.1 192.168.0.8 TCP 80 > 2603 [SYN, ACK] Seq=40819644 Ack=2891099382 Win=8760 Len=0
12 2002-12-17 12:55:21.257922 192.168.0.8 192.168.0.1 TCP 2603 > 80 [ACK] Seq=2891099382 Ack=40819645 Win=64240 Len=0
13 2002-12-17 12:55:21.258298 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0, NTLMSSP_NEGOTIATE
14 2002-12-17 12:55:21.259081 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 407 Proxy authentication required, NTLMSSP_CHALLENGE
15 2002-12-17 12:55:21.260379 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0, NTLMSSP_AUTH
16 2002-12-17 12:55:21.409869 192.168.0.1 192.168.0.8 TCP 80 > 2603 [ACK] Seq=40820385 Ack=2891100122 Win=8020 Len=0
17 2002-12-17 12:56:06.275080 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 504 Proxy Error ( Connection timed out )
18 2002-12-17 12:56:06.275111 192.168.0.1 192.168.0.8 HTTP Continuation
19 2002-12-17 12:56:06.275352 192.168.0.1 192.168.0.8 TCP 80 > 2603 [FIN, ACK] Seq=40821979 Ack=2891100122 Win=8020 Len=0
20 2002-12-17 12:56:06.275600 192.168.0.8 192.168.0.1 TCP 2603 > 80 [ACK] Seq=2891100122 Ack=40821979 Win=64240 Len=0
21 2002-12-17 12:56:06.275621 192.168.0.8 192.168.0.1 TCP 2603 > 80 [ACK] Seq=2891100122 Ack=40821980 Win=64240 Len=0
22 2002-12-17 12:56:06.276773 192.168.0.8 192.168.0.1 TCP 2603 > 80 [FIN, ACK] Seq=2891100122 Ack=40821980 Win=64240 Len=0
23 2002-12-17 12:56:06.276836 192.168.0.1 192.168.0.8 TCP 80 > 2603 [ACK] Seq=40821980 Ack=2891100123 Win=8020 Len=0



After this I looked on the proxy and discovered that the authentication on the IIS default web site (which has something to do with proxy) is set to basic and NT challenge response.
I'm wondering if that's why it gets denied the first time.
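
Added example, not part of the original thread: the HTTP frames of the trace above read as request/reply pairs. Both 407 replies come back in under a millisecond as part of the NTLMSSP negotiate/challenge/auth exchange visible in the trace, while the 504 arrives about 45 seconds after the authenticated GET. The function names and the 5-second threshold are assumptions made for the illustration.

```python
import re
from datetime import datetime

# Frames 4-5 and 13-18 copied from the Ethereal summary in the post above.
TRACE = """\
4 2002-12-17 12:55:21.253608 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0
5 2002-12-17 12:55:21.254268 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 407 Proxy Access Denied
13 2002-12-17 12:55:21.258298 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0, NTLMSSP_NEGOTIATE
14 2002-12-17 12:55:21.259081 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 407 Proxy authentication required, NTLMSSP_CHALLENGE
15 2002-12-17 12:55:21.260379 192.168.0.8 192.168.0.1 HTTP GET http://www.digitalspy.co.uk/ HTTP/1.0, NTLMSSP_AUTH
16 2002-12-17 12:55:21.409869 192.168.0.1 192.168.0.8 TCP 80 > 2603 [ACK] Seq=40820385 Ack=2891100122 Win=8020 Len=0
17 2002-12-17 12:56:06.275080 192.168.0.1 192.168.0.8 HTTP HTTP/1.1 504 Proxy Error ( Connection timed out )
18 2002-12-17 12:56:06.275111 192.168.0.1 192.168.0.8 HTTP Continuation
"""

# frame number, "date time", source, destination, protocol, info
LINE = re.compile(r"^(\d+) (\S+ \S+) (\S+) (\S+) (\S+) (.*)$")


def http_round_trips(text):
    """Pair each proxy reply with the client's latest GET.

    Returns a list of (reply_frame, status, seconds, auth_step).
    """
    pending = {}  # (client, proxy) -> (time sent, request info)
    trips = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(5) != "HTTP":
            continue  # TCP-only frames carry no request or status line
        frame, ts, src, dst, _, info = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        if info.startswith("GET "):
            pending[(src, dst)] = (when, info)
        elif info.startswith("HTTP/") and (dst, src) in pending:
            sent, req = pending.pop((dst, src))
            step = req.rsplit(", ", 1)[1] if ", NTLMSSP" in req else "no-auth"
            status = int(info.split()[1])
            trips.append((int(frame), status, (when - sent).total_seconds(), step))
    return trips


def slow_replies(trips, threshold=5.0):
    """Replies that took at least `threshold` seconds (assumed cut-off)."""
    return [t for t in trips if t[2] >= threshold]


if __name__ == "__main__":
    for frame, status, secs, step in http_round_trips(TRACE):
        print(f"frame {frame:>2}  {status}  {secs:10.6f}s  after {step}")
```
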