  1. #11
    Newbie
    Join Date
    Jun 2018
    Posts
    14

    So I made another test
    -Disabled shield in untangle completely
    -Raised servers load to about 150k sessions and 300-400Mb/s

    The results:
    -CPU load this time skyrocketed to 12.0-15.0
    -When pinging from one of the servers to the default gateway I am seeing lots of timeouts (2-3 timeouts out of 5 pings)
    -When I am logging in to the Untangle interface (not remotely, by simply using a VGA cable and mouse/keyboard) login takes a long time, about 5 minutes to launch the dashboard.
    -RAM usage is minimal, just 4Gb, swap usage is 0%
    -Overall it seems that test confirmed it is our untangle server and not ISP problem...

    Any ideas?

    I am lost here, we have a powerful server with no firewall features enabled, but it can't handle more than 150k sessions :/

  2. #12
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,635

    Your hardware is not up to the task... Why?

    Have you tried using two ports on that Intel i350? Those cards have a good driver, and a good track record. The HP interface is less well known. But honestly I'm grasping at straws here.

    CPU is latency
    RAM is throughput

    A LOAD of 15 on a 16 core system is an overload indicator, so you do have a CPU bottleneck. But, unless you've not actually bypassed anything... This load is happening in the Linux Kernel? Top will confirm.

    You'd have to run TOP via SSH while you ramp up your sessions and see what sticks. While the load is high you need to ping external from OUTSIDE the network, and internal from the INSIDE of the network. Who drops out? If only 1 NIC is having trouble, either that interface is defective or you've saturated it. Note defective in this case could be a bad patch cable.

    Finally, what Untangle version? If you're on v15.0, an upgrade to v15.1 might help. Newer drivers in there!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #13
    Newbie
    Join Date
    Jun 2018
    Posts
    14

    Thanks for your comments.

    -Cable wise, we already tested and different cables make no difference. Everything is connected with Cat. 6A cables.
    -Talking about hardware faults, as mentioned, we tried the same test on another Untangle server with different network cards and the issue is the same, so I doubt it is faulty hardware.

    Another strange thing I noticed is that this time after we stopped the test, we still had 10.0-13.0 CPU load, even though there were no problems with Untangle. No ping drops, no lag in using the interface, etc.
    About 2 hours after finishing the test, load went back to 0.2-1.0 with ~100k sessions active and 100Mb/s.

    I also tried the same test with QoS and fair flow. With these settings CPU usage was lower than 3.0, but the same problems remained (pings dropping when pinging the Untangle server from the local network, connection problems, slow Untangle dashboard).

    Really strange situation, right now I am thinking about actually trying that ISP device Fortigate 60F, but it just doesn't make logical sense to replace our 16-core 32Gb Untangle server with an entry-level business firewall with 2Gb RAM, even though its specs show that without web filtering it should handle 700k sessions...
    Last edited by falco; 06-22-2020 at 12:12 PM.

  4. #14
    Newbie
    Join Date
    Jun 2018
    Posts
    14

    I can confirm that the issue is solved!

    It was related to nf_conntrack_max limits and you can't change them yourself, only Untangle support can do this.
    If somebody else has similar problems with packets dropping when the session count is high (more than 150k), you have to create an Untangle support request and they will take care of it. However, this increases server resource usage, so you first have to make sure that you are not simply hitting your hardware limits; for us it was a settings-based limit, because hardware usage was far from overloaded.
    Jim.Alles likes this.
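
An added example (not part of any post in this thread, and not Untangle's own tooling): a read-only shell check for the limit named in post #14. It compares `nf_conntrack_count` with `nf_conntrack_max` under `/proc/sys/net/netfilter` and counts the kernel's "table full, dropping packet" log messages; the function names, the 80% warning threshold and the sample values are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: read-only check of conntrack table usage. Changes no settings.
# Function names, the 80% threshold and the sample data are illustrative assumptions.

CT=/proc/sys/net/netfilter

# conntrack_pct COUNT MAX -> integer percentage of the table in use
conntrack_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || return 1
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status COUNT MAX [WARN_PCT] -> OK | WARN | FULL | UNKNOWN
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2") || { echo UNKNOWN; return 0; }
    if [ "$1" -ge "$2" ]; then echo FULL
    elif [ "$pct" -ge "${3:-80}" ]; then echo WARN
    else echo OK
    fi
}

# Reads kernel log text on stdin; prints how many lines carry the message the
# kernel logs when it drops a new connection because the table is full.
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Constructed kernel log excerpt (not captured from a real system).
sample_log() {
    cat <<'EOF'
[ 8123.441002] nf_conntrack: table full, dropping packet
[ 8123.441519] nf_conntrack: table full, dropping packet
[ 8124.000113] device eth1 entered promiscuous mode
EOF
}

if [ -r "$CT/nf_conntrack_count" ] && [ -r "$CT/nf_conntrack_max" ]; then
    c=$(cat "$CT/nf_conntrack_count"); m=$(cat "$CT/nf_conntrack_max")
    echo "live: $c of $m entries used, status $(conntrack_status "$c" "$m")"
    echo "live: $(dmesg 2>/dev/null | count_table_full_drops) table-full messages in dmesg"
else
    echo "nf_conntrack sysctls not readable on this host"
fi
echo "sample: $(conntrack_status 149500 150000), $(sample_log | count_table_full_drops) drop messages"
```

A FULL or WARN status together with low CPU and RAM usage points at the settings limit rather than the hardware, which is the distinction post #14 draws.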

  5. #15
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,635

    Oh goodness not that old thing again, I thought those limits were increased years ago...

    Sorry about that I thought those were "fixed", otherwise I would have suggested getting them adjusted too, via support of course.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
