  1. #1
    Master Untangler
    Join Date
    Oct 2010
    Posts
    115

    Very high ping times - any way to find out what is causing this??

    Over the last week I've noticed our office internet connection (11MB) has been slower than usual. In the last few days I've been carrying out various tests and have noticed that ping response times are unusually high - much much higher than usual.

    Our setup is like this:

    Internet
    |
    ISP Router (BT 2Wire)
    |
    Untangle
    |
    Network Switch (LAN)
    |
    Workstations/Servers


    A ping to www.google.co.uk from Untangle gives an average response time of 700ms - much higher than usual.

    If I unplug the Untangle server from the router, thereby isolating the LAN from the internet, and plug a laptop directly into the router, a ping to www.google.co.uk gives an average response time of 39ms - i.e. normal and what I would expect.

    So it seems that it's something related to the LAN traffic that's causing this problem.

    I was wondering if there was any way to use the Untangle Firewall or Web monitor to perhaps try and pinpoint what might be causing this? Is there a way to view all traffic/port types coming from workstations through Untangle?

    We've eliminated a virus infection.


    Thanks in advance.

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    Turn on attack blocker, sort by reputation score descending, start fixing machines in order of the list.

    ICMP isn't processed by the Untangle software, so if you're seeing latency, it's a hardware issue, or you're simply swamping Untangle with sessions.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler
    Join Date
    Oct 2010
    Posts
    115


    I've actually got the attack blocker already running.

    In the list (see screenshot below), the client 168.62.214.132 is not a machine on our network - what is this system likely to be?

    You also mention to start fixing the machines. Presumably you mean disconnecting each one in turn to see what the ping times are?



    Capture.PNG

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    Do you have a web server on your network?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Master Untangler
    Join Date
    Oct 2010
    Posts
    115


    Untangle is essentially the web server but in terms of the overall network layout it's as follows:-

    Internet
    |
    Router
    |
    Untangle
    |
    Network Switch --- Domain Controller and Member Server
    |
    |
    Workstations

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    Then you've got something very wrong going on, because the only way for a public address to show up in the list is for it to be connecting to something. You've got a port forward going somewhere that's allowing that address in. I also see reputation scores that are stupidly high; I consider anything over 100 to be a problem. But I hear it changes from network to network.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Untangle Ninja dwasserman
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,375


    Maybe the host 192.168.1.24 is infected by some botnet and creates sessions with 168.62.214.132.
    Resolving this public IP, I can say it is owned by Microsoft.
    The world is divided into 10 kinds of people, who know binary and those not

  8. #8
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    No, attack blocker is listing the origination source of the sessions, not the destination. He has a port forward that's allowing a public unsolicited session through to get those numbers.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9
    Master Untangler
    Join Date
    Oct 2010
    Posts
    115


    I wasn't in the office yesterday so am continuing with this today.

    I've been monitoring ping times on and off for a couple of hours and it's very low today - sub 40ms - the speed of the internet is absolutely fine (so far).

    In terms of port forwards we just have these set up on our router and Untangle server:

    TCP - 443 (SSL)
    TCP - 25 (SMTP)
    TCP - 143 (IMAP)

    No other port forwards configured.

    The Attack Blocker is showing a high value of 114 today so far and a low of 62.

  10. #10
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,553


    TCP 443 doesn't do much to Untangle, it's encrypted and so basically ignored.

    TCP 25 is filtered by a ton of stuff, and if your box isn't up to the load, can bury you. The same goes for TCP 143. Fascinating that you do not list TCP 110. Nor do you list any alternate SMTP ports for external encrypted clients.

    Do you have a mail server on site? If so, you really want your authenticated users NOT using TCP 25, it causes issues. Still, that doesn't explain attack blocker going ballistic and everything slowing down. You're going to have to look at the network sessions when the box is overloaded and figure out what's what. I suspect you have a virus running around that's trying to DoS something intermittently. Untangle is detecting this, and limiting things. That's what it's SUPPOSED to do.

    Either that or you're getting bursts of Spam that your filters cannot handle.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
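
Added example, not part of any post in this thread and not Untangle code: one way to carry out the session review suggested in #10, grouping sessions by originating source (the direction #8 describes) and separating LAN hosts from public addresses arriving through the forwards listed in #9. The `src,dst,proto,dport` line layout, the sample sessions, the 192.168.1.0/24 LAN range and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

FORWARDED_PORTS = {25, 143, 443}  # the port forwards listed in post #9

# Constructed sample sessions: "src,dst,proto,dport" (assumed layout,
# not an Untangle export format). Public addresses are documentation ranges.
SAMPLE = (
    ["192.168.1.24,203.0.113.10,tcp,25"] * 6      # LAN host, many SMTP sessions
    + ["198.51.100.7,192.168.1.10,tcp,25"] * 3    # public source via SMTP forward
    + ["192.168.1.30,203.0.113.20,tcp,443"] * 2   # ordinary LAN browsing
    + ["198.51.100.9,192.168.1.10,tcp,3389"]      # public source, no known forward
)

def summarize(lines, lan="192.168.1.0/24", threshold=5):
    """Count sessions per originating source and classify each source.

    threshold is an assumed per-capture cut-off for 'noisy', to be tuned
    against what is normal on the network being reviewed.
    """
    lan_net = ipaddress.ip_network(lan)
    counts, ports = Counter(), {}
    for line in lines:
        src, _dst, _proto, dport = (f.strip() for f in line.split(","))
        counts[src] += 1
        ports.setdefault(src, Counter())[int(dport)] += 1
    report = []
    for src, n in counts.most_common():
        if ipaddress.ip_address(src) in lan_net:
            kind = "lan"                      # outbound from an internal host
        elif set(ports[src]) <= FORWARDED_PORTS:
            kind = "inbound-via-forward"      # explained by a known forward
        else:
            kind = "inbound-unexpected"       # public source on an unlisted port
        report.append({
            "src": src,
            "sessions": n,
            "kind": kind,
            "top_port": ports[src].most_common(1)[0][0],
            "noisy": n >= threshold,
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Rows marked `lan` and `noisy` are the workstations to inspect first; an `inbound-unexpected` row means a forward exists that is not on the documented list.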
