  1. #11
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    Wolf,

    If you have all the modules loaded and configured properly, your reports can often give you a lot of information that helps you to ID the problem better. I usually focus on Attack Blocker and Protocol Control here. You can also determine whether the pipe closed, or dropped to a trickle by pinging from a box behind UT as well as both ways from UT itself. You can look for NIC issues sometimes with IFCONFIG. There's a lot of info there for you that will take an investment in time from you to go through, but it will likely yield a better result in the long run and may even possibly highlight issues on your network that really need to be resolved.

  2. #12
    Untangler
    Join Date
    Dec 2007
    Posts
    79

    Thanks for the info. While I am not new to Linux at all I am curious as to what info, aside from ethernet errors, I could get from ifconfig. I have access to my switch as well and I see no errors anywhere.

    As far as the rest is concerned I'll have to look through the reports to see what's there. However, why would the Attack Blocker shut off access to my entire internal subnet?

  3. #13
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    IFCONFIG would tell you about collisions and errors. Some people are not aware those stats are available there...obviously you are. Attack Blocker is designed to protect your network against attacks...from the inside and from the outside. If it sees traffic levels from a machine (or machines) that are above levels that it considers "normal", it will delay, block or reject traffic from the specified address to keep levels normal. You would think that this is only acting on traffic coming in from the outside world, but it works both ways because attacks can come from anywhere. If you have an internal machine that is showing up in the Attack Blocker event log, you may think that it's okay because it's internal, and tell Attack Blocker to consider the levels normal by saying that it represents the load of 5 machines, or 25, or 100, or unlimited. You may not even have Attack Blocker installed. Either of these can cause problems.

    Untangle has a limit on the number of concurrent sessions that can be processed, and some traffic types create session counts that can be above and beyond what Untangle can handle. The most common offender is BitTorrent-type traffic. If a client is trying to download a 4.3GB DVD in 16KB blocks from every Tom, Dick & Harry who is sharing it, he/she will create a huge number of sessions coming through Untangle, and Untangle would be preoccupied dealing with the traffic from one client only, and the client is generating traffic faster than Untangle can process it, causing the session count to rise.
    Once the count hits the maximum, it becomes a queueing process to allow one new session after the previous session dies, until all sessions are handled. You would likely have noticed that your network stopped passing traffic and rebooted the box. Then, everything seemed fine for a brief period until the whole process started unraveling again.

    So, what you can do (to determine if this is affecting you) is:

    1. Turn on Protocol Control, and set it to log all peer-to-peer traffic, NNTP and any other traffic types that commonly would send/receive large amounts of data. You CAN block, but it's often good to know your enemy before your enemy knows you are watching. Also, log IRC traffic.

    2. Turn on Attack Blocker and look for consistent patterns of events from individual internal machines...that may even coincide with the problems you are having. If machines show up in the event log often, try to determine why. Don't assume they're okay because they're on the inside.

    3. In your firewall, make sure that only your mail server can communicate to destination port 25 in the outside world. Specifically block everyone else in your LAN from doing this. You may stop spambots this way.

    4. In Reports, look for huge session counts in the platform summary, and compare traffic pattern graphs from good days against bad days. Look for the difference in patterns, traffic volume, session counts. Look for the volume of spam you are processing. Too high a number may mean too much memory in use.

    5. Do ifconfig on your box periodically to see if collisions and errors mount up.

    6. Watch your disk space with "df" commands to make sure you aren't running low on disk space.

    This is probably a good start, and probably more than you wanted. Let's see what you find out.

  4. #14
    Untangler
    Join Date
    Dec 2007
    Posts
    79

    Thanks again for the well written response.

    First off, this UT5.3 box only deals with email traffic. All other traffic traverses another firewall.

    As I mentioned before I've used both the netstat command and looked directly at the switchport to see what's going on and there are zero errors in both places.

    Disk space is nowhere near an issue and the reports show nil as far as suspicious traffic is concerned. However, I did not have detailed reports turned on. That has been changed but I'll have to wait until tomorrow to see what that yields.

    Again, when I lose connectivity to the interface it's the entire internal subnet that loses connectivity.

  5. #15
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    Don't rule out Attack Blocker and Protocol Control. You may be surprised. I don't know how it would play in your LAN without seeing a network diagram though.

  6. #16
    Untangler
    Join Date
    Dec 2007
    Posts
    79

    Well, I haven't seen the report as I didn't get it due to connectivity loss; however, I was able to KVM over IP into the machine and here's what I've found.

    Results of ifconfig:

    RX Packets:424929 errors:0 dropped:0 overruns:18155 frame:0
    TX Packets:491758 errors:3677 dropped:0 overruns:0 carrier:0 collisions:0

    Bringing the interface down then up yields no fix. There is an "ignoring" message that comes up and the interface still doesn't work.

    Yesterday I turned off non essential services such as Web Blocker and Packet Filter as the reading I've done suggests they're not essential for running a mail only gateway.

    I also took a look at the switch port again, which says there are zero errors, suggesting this is a problem with the NIC on this machine itself. I may be replacing the NIC at this rate; however, I am wondering if you suggest anything else to look at first?
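
Added example, not written by any poster in this thread: a way to do the "run ifconfig periodically and see if errors mount up" check from post #13 against saved snapshots, using the counters posted in #16 as the later snapshot. It assumes the old net-tools `ifconfig` layout; the function names, file names, the "before" values and the interface header line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): diff the error counters of two saved
# `ifconfig` snapshots in the old net-tools layout quoted in post #16.

# Flatten RX/TX lines into "iface.DIR.counter value" pairs, skipping packets.
nic_counters() {
    awk '
        ($1 == "RX" || $1 == "TX") && $2 ~ /^[Pp]ackets:/ {
            for (i = 2; i <= NF; i++)
                if (split($i, kv, ":") == 2 && kv[1] !~ /^[Pp]ackets$/)
                    print iface "." $1 "." kv[1], kv[2]
            next
        }
        /^[^ ]/ { iface = $1 }   # unindented line starts a new interface
    ' "$1"
}

# Print every counter that is higher in snapshot $2 than in snapshot $1.
nic_growth() {
    { nic_counters "$1" | sed 's/^/old /'
      nic_counters "$2" | sed 's/^/new /'; } |
    awk '$1 == "old" { prev[$2] = $3 + 0; next }
         ($2 in prev) && $3 + 0 > prev[$2] { print $2, "+" ($3 - prev[$2]) }'
}

# Constructed snapshots: "after" carries the counters posted in the thread,
# "before" and the interface header line are made up for the demo.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          RX packets:401200 errors:0 dropped:0 overruns:120 frame:0
          TX packets:466310 errors:15 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
EOF
    cat > "$1/after.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          RX packets:424929 errors:0 dropped:0 overruns:18155 frame:0
          TX packets:491758 errors:3677 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
nic_growth "$demo_dir/before.txt" "$demo_dir/after.txt"
rm -rf "$demo_dir"
```

Only counters that grew between the two snapshots are listed, so a quiet interface prints nothing.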

  7. #17
    mdh
    Untangle Ninja mdh's Avatar
    Join Date
    Aug 2007
    Posts
    4,752

    Checked in with a guru and he said that these are signaling errors, which are usually associated with bad cables, link speed setup issues or possibly NICs. If you have locked in a link speed, try setting it to auto. Swap out a cable. If neither works, go for the NIC.

  8. #18
    Untangler
    Join Date
    Dec 2007
    Posts
    79

    Link is set to auto on both ends. The cable has been used for at least a year with another machine without errors. The weak link is probably the NIC as it's an older one that's been sitting around, unused for quite a while. When this happens again I'll replace the cables first then the NIC.

    Thanks again for all your help.

  9. #19
    Master Untangler hdallen55's Avatar
    Join Date
    Nov 2007
    Location
    Georgia
    Posts
    185

    When we set up Untangle on a server platform - even a low-end server like the Dell SC440, which is our standard platform for Untangle - we never have to reboot. When we set it up for a customer that wants to use a $200 PC, we find that we run into the "Untangle not responsive" problem. Can't get into or out of the network, can't access the Untangle box.

    We have confirmed this with several different makes and models of machines. We never have to reboot servers - in at least 50% of PC installs we need to reboot anywhere from every few weeks to every few months.

    I know the issue is more specific than this but we just let customers know that this may be the case if they go with a PC. Haven't taken the time to track down the root of the problem because most of our clients choose a server and the rest see it as OK if they save money and rebooting fixes the problem when they see it.

    Doug
    www.vbcnetworks.com

  10. #20
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,482

    In my experience the issue is almost always related to a cheap network interface. This software isn't a desktop... it needs network power. You're not getting this with integrated controllers a good portion of the time. Even cheap servers tend to stick with solid interfaces. It makes a huge difference.

    Anyway, if you suspect a module issue with your network driver, try:

    /etc/rc.d/network restart

    This will pull all the interfaces down and push them back up after clearing all caches. If it brings things back online you have a network card that uses a kernel module that simply isn't up to the task of Untangle.
    Last edited by sky-knight; 09-24-2008 at 01:54 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
