  1. #1
    Untangler
    Join Date
    Sep 2007
    Posts
    31

    New untangle install using 22gig of ram?

    I have recently replaced our campus firewall with an Untangle appliance. It all seemed to be working well with less than 1k users, but I'm getting hesitation and other little weird hiccups like dropped connections to the DMZ and slowdowns on the internet sometimes that don't happen when bypassing the Untangle.

    The system is reporting that it's using 22 of the 24 gig of RAM available on the system. The system is a Dell R300 with (3) 2tb drives in RAID 5, 24 gig of memory, and (1) quad core X3363, all networks running off a quad port Intel gigabit server card. The internet speed is 50 meg both directions.

    Where should I start? I've disabled all applications on the Untangle other than Web Filter and I'm running the basic free package. Also, CPU load stays between 0.2 and 2.8 usually. Thanks!

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    You have RAM... don't you want the OS to use it?

    Linux, Windows Server 2008, and Windows 7 take the same tactic. The difference with Windows? Windows lies...

    What happens is, Linux is filling spare RAM with caches from the hard disk. These caches reduce as the system needs real RAM to function. The end result... if you have enough RAM, Linux will load the entire file system into RAM. Why not? It's there!

    Drop to a terminal and run the top command. It will show you the caches value; you should see that number nice and high. If that number ever gets very small, that's when you want to start to worry. Once the caches go away, paging starts as RAM gets put to hard disk to make more room. Paging is very bad for Untangle; it will slow everything down.

    If this is a virtualized configuration, control the memory footprint by reducing the amount of RAM available to the Untangle VM. Heck, for that matter you need to look at your Windows servers too! They will eat whatever RAM you throw at them. It's there... they're going to use it!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
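
The difference sky-knight describes between RAM held by disk caches and RAM the system actually needs, as an added example that is not part of the original thread. The function names, the sample figures (constructed to resemble the 24 GB box in the question) and the 5% low-cache threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/meminfo format (values in kB):
# 24 GB total, 22 GB apparently "used", 20 GB of that is buffers + cache.
sample_meminfo() {
cat <<'EOF'
MemTotal:       25165824 kB
MemFree:         2097152 kB
Buffers:          524288 kB
Cached:         20447232 kB
SwapCached:            0 kB
SwapTotal:       4194304 kB
SwapFree:        4194304 kB
EOF
}

# mem_report: read /proc/meminfo-format text on stdin and print
#   <apparent_used_MB> <real_used_MB> <cache_MB> <swap_used_MB> <verdict>
# apparent = total - free (the number a dashboard tends to show)
# real     = apparent - buffers - cache (the "-/+ buffers/cache" figure
#            that older versions of `free -m` print)
# verdict  = LOW_CACHE when cache is under 5% of total (assumed threshold),
#            PAGING when swap is also in use, otherwise OK
mem_report() {
  awk '
    /^MemTotal:/  { total  = $2 }
    /^MemFree:/   { free   = $2 }
    /^Buffers:/   { buf    = $2 }
    /^Cached:/    { cached = $2 }   # anchored, so SwapCached is not counted
    /^SwapTotal:/ { st     = $2 }
    /^SwapFree:/  { sf     = $2 }
    END {
      cache    = buf + cached
      apparent = total - free
      real     = apparent - cache
      swap     = st - sf
      verdict  = "OK"
      if (cache * 20 < total) verdict = (swap > 0) ? "PAGING" : "LOW_CACHE"
      printf "%d %d %d %d %s\n",
             apparent / 1024, real / 1024, cache / 1024, swap / 1024, verdict
    }'
}

# Runs on the constructed sample; on a live box use: mem_report < /proc/meminfo
sample_meminfo | mem_report
```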

  3. #3
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    How are you checking memory?

    Try disabling the Web Filter Lite, or scan fewer categories.
    Unlike the Web Filter, it does not scale seamlessly as you check more categories because of the format of the database.

    When you say "hiccups" what does that mean?
    TCP slow? UDP slow? DNS offline? HTTP slow? the internets are down?
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangler
    Join Date
    Sep 2007
    Posts
    31

    When I say "hiccups" I mean dropped TCP connections between internal and DMZ, dropped connections to the internet, and slow DNS resolutions from internet-based DNS servers as well. Also, this is a physical server only.

    If it uses all the RAM I give it all of the time, should I reduce the amount of RAM in the server? I have been looking around the forums and haven't seen anybody using more than 12 gigs of RAM on their Untangle, and I'm using twice that, unnecessarily so.

    Also, I have a higher-end PowerEdge R710 with (2) 3.46GHz quad cores and 48 gig of RAM that my boss is pushing me to go install in place of the R300. Could this have a positive effect on network performance as far as the Untangle goes? Thanks!

  5. #5
    Untangler
    Join Date
    Sep 2007
    Posts
    31

    BTW, I have been checking through the web interface of the Untangle for these stats. Sessions stay around 800 to 2000. Disabling the Web Filter Lite has had no effect. The hiccups are at random intervals. It hasn't happened in at least an hour or so.

  6. #6
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Quote: Originally posted by 95vr6man
        If it uses all the RAM I give it all of the time, should I reduce the amount of RAM in the server? I have been looking around the forums and haven't seen anybody using more than 12 gigs of RAM on their Untangle, and I'm using twice that, unnecessarily so.

        Also, I have a higher-end PowerEdge R710 with (2) 3.46GHz quad cores and 48 gig of RAM that my boss is pushing me to go install in place of the R300. Could this have a positive effect on network performance as far as the Untangle goes? Thanks!

    How are you measuring? Are you looking at the top of the rack? Are you running 'free -m'?
    sky-knight's whole point is that if you put it in there it's going to use it. So if you don't want Untangle to use it I would not put it in the machine. I wouldn't reduce your RAM. No matter how much you put in, it's going to use it all.

    On a large network I would start by bypassing everything except what you explicitly want to scan. This is the reverse of how it is typically done (everything is scanned except what is bypassed).
    To do this, add a bypass rule that passes everything. Above it, add rules to scan the traffic you want to scan (presumably port 80 etc.).
    Last edited by dmorris; 03-30-2011 at 12:44 PM.

  7. #7
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    Well, the appliance Jim and I sell that is designed for a 2000 user network has 4 GB of RAM and a quad core CPU, if that is any indication as to the level of overkill.

    That said, the more RAM you have, the more bandwidth you can push generally. So it isn't useless. Just keep an eye on top like I described before.

    Dmorris has a good idea; bypassing everything except explicit traffic types does wonders for large networks. It's easier... the alternative is a long hard look at your network structure, and bypass rules crafted to get certain traffic types and destinations out of the filters. This reduces load, and smooths out those hiccups. However, it makes things like the firewall module useless, and can generally reduce the effectiveness of Untangle as a whole. So be careful!

    Unfortunately, the process of doing all that requires a bit more brain power and experience than you're going to find on these forums. It's more of a technique than a solution. The technique of getting Untangle to integrate with a network.

  8. #8
    Untangler
    Join Date
    Sep 2007
    Posts
    31

    I have added my Exchange server that all the Outlook clients are connected to into the bypass, also a few other high usage servers. I just went through the attack blocker logs and found the highest rep IPs that were actually my own known good servers and added them to the bypass. Is using the attack blocker logs a good way to identify the higher bandwidth users/servers? I'm pretty paranoid so I will only be opening up things one at a time so I don't have any security holes. It's been pretty stable so far. I'll update in the morning because that, combined with directly after lunch, seems to be the highest traffic times. Thanks!

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    The attack blocker doesn't control bandwidth use, it monitors sessions. The Exchange servers I have behind Untangle are working fine without any bypasses, but I did have to give them a 5 user exemption in the attack blocker.
