Author: browolf PostPosted: Mon Dec 16, 2002 1:27 pm    Post subject: Broadband connectivity problem with "ISP"
At work we have a problem, and apparently we are not the only site with this problem. Even stranger, the "ISP" don't know what is causing it.
I figure this is a chance to get some brownie points if I can figure out anything.

I will describe the problem as it affects us. I don't expect anyone to say "oh yeah, it's..." but any ideas on what to look for would help.

The Setup:
We have an NT Proxy 2 (running on a p3/700isj 128mb ram) connected to a router which connects to a microwave broadband dish (10mb+). There is another router connected to the dish which connects to about 9 SDSL modems which go through BT and allow other sites to use the dish.

I have a connection on my pc that bypasses the proxy (for testing purposes)

The problem:
At times during the day, trying to access pages thru the proxy becomes slow and useless. We used to get proxy error msgs like "the specified network name could no longer be found" but now we get proxy timeouts. And you sit there waiting.....
At the same time the proxy bypass connection works perfectly well.

The Temporary solution:
Change the external IP address of the proxy (I just add one) and reboot.
We used to switch to the backup proxy, which had the same effect.
But every day it would be ...change to the other proxy.

Stuff I've noticed so far:

I've got Performance Monitor running on the proxy. I don't exactly know what I'm looking for, but I have noticed something today, though I need to confirm it. When "it" was happening earlier, the processor usage on the proxy was stuck at 100%. Normally it's around 15-20% for the same 50-odd users.

I've used Ethereal before to check the traffic but I don't remember seeing anything conclusive. There were some strange router packets which I'm gonna have to ask about when I get it going again.
I shall continue to add to this thread as my investigation progresses.


Author: ShaolinTiger Location: Kuala Lumpur, Malaysia PostPosted: Mon Dec 16, 2002 1:40 pm    Post subject:
I had similar problems a while ago with the same product, I had to reboot it virtually every day or it would just start timing out everyone.

Changed it to a *nix machine and it was fine.

But I guess that's not the answer you were looking for

Author: Jason PostPosted: Mon Dec 16, 2002 1:44 pm    Post subject:
Could be a bug in the proxy software.

I would give it a try, to see if you can get any patches for the proxy, + general Windows updates, bug fixes etc.

Also, is it possible to remove the router from the equation, and have the proxy connect directly into the WAN link?


Why go through a proxy if you have so much bandwidth available?
Could you not set the PCs to use the router as the default gateway?


Author: ShaolinTiger Location: Kuala Lumpur, Malaysia PostPosted: Mon Dec 16, 2002 1:46 pm    Post subject:
jasonlambert wrote:

Why go through a proxy if you have so much bandwidth available?
Could you not set the PCs to use the router as the default gateway?

To allow limitation to net access by Domain logon I imagine, if that is not required there is no real reason to be using a proxy (apart from caching or content control).

Author: browolf PostPosted: Mon Dec 16, 2002 2:09 pm    Post subject:
We don't own the WAN equipment and we're not allowed to touch it.
Some other sites do have non-proxied connections to the WAN, but we didn't do this cos we wanted to restrict access to some user groups.

We have an account named "internet" and a Perl script that changes the password on the account every hour. If certain groups want access, their teacher (it's a school) has to phone for the password.

Crikey, we're up to 81 connections thru the proxy now.
Processor time is averaging at 8%.
Current average milliseconds per request is 0.8 ms; when it gets bad it can be as much as 45s!!

There's at least 5 routers between our proxy and the proxy upstream. So the problem could be anywhere. The fact it's happening to other people tends to indicate it must be in between somewhere. If I could at least find out why the proxy gets killed, that would be something.


Author: browolf PostPosted: Mon Dec 16, 2002 4:29 pm    Post subject:
I've found out what CDP and STP are and have managed to find out

the router is a Cisco WS-C3550-24

It is set up to:
performs level 3 routing
doesn't perform level 2 transparent bridging
doesn't perform level 2 source-route bridging
performs level 2 switching
doesn't send or receive packets for network-layer protocols
doesn't forward IGMP report packets on nonrouter ports
doesn't provide level 1 functionality

I think over the summer the whole network was reconfigured. Before, it was operated by someone else and was a whole lot less secure.
By that I mean I could do SMTP scans and get lots more info off public keys. Now it's all private.

The best I can hope for, it seems, is to try different stuff in Performance Monitor and watch Ethereal to see if anything obvious happens.

Someone else says the 100% processor usage could be OS related, so I'm gonna go look for stuff about that.

Author: browolf PostPosted: Tue Dec 17, 2002 1:54 pm    Post subject:
I remembered something else from before.

When I packet sniffed the connection to our proxy we used to get HTTP
1.1 errors, specifically 407 Proxy Access Denied.

I still see these occasionally, but now it tends to be
504 Proxy Error (Connection timed out)

Here's a new one.

407 proxy authentication required, NTLMSSP_CHALLENGE

Another odd thing: I'm sniffing the external connection from the proxy to the router.

The proxy has tried to do a DNS query to the upstream DNS on my
internal IP address:
proxy > dns "standard query PTR"
dns > proxy "standard query response, no such name"


My computer is trying to send ICMP packets to the external address of the proxy: (me) > (ext-proxy) ICMP Destination Unreachable

In the packet, under Internet Control Message Protocol >> User Datagram Protocol, the src and dest port is netbios-ns (137).
What's going on here?

I found another one where it's trying to resolve internal addresses
with the upstream DNS.

Hmm, if this is happening a lot, could it be some sort of routing problem, I'm thinking?

Also, how does changing the proxy's external IP address and rebooting fix this?

Another strange thing I've noticed is that there are a lot of DNS requests for invalid addresses like:

standard query A
standard query A
standard query A
standard query A
standard query A

That's very very weird. I'm trying to get Ethereal running on the internal side of the proxy so I can see what's going in.

Author: ShaolinTiger Location: Kuala Lumpur, Malaysia PostPosted: Tue Dec 17, 2002 2:30 pm    Post subject:
Mate that looks completely buggered.

Anyway, I've done an in-depth technical analysis of what you've posted and I've come up with a solution.


Author: browolf PostPosted: Tue Dec 17, 2002 4:17 pm    Post subject:
I'm inclined to agree with you, but no-one ever believes me.

I got a packet trace from the proxy showing what happens when I request a website and get a timed out msg (internally):

No. Time Source Destination Protocol Info
1 2002-12-17 12:55:21.252960 TCP 2602 > 80 [SYN] Seq=2891062162 Ack=0 Win=64240 Len=0
2 2002-12-17 12:55:21.253060 TCP 80 > 2602 [SYN, ACK] Seq=40819638 Ack=2891062163 Win=8760 Len=0
3 2002-12-17 12:55:21.253227 TCP 2602 > 80 [ACK] Seq=2891062163 Ack=40819639 Win=64240 Len=0
4 2002-12-17 12:55:21.253608 HTTP GET HTTP/1.0
5 2002-12-17 12:55:21.254268 HTTP HTTP/1.1 407 Proxy Access Denied
6 2002-12-17 12:55:21.254517 TCP 80 > 2602 [FIN, ACK] Seq=40819765 Ack=2891062367 Win=8556 Len=0
7 2002-12-17 12:55:21.254683 TCP 2602 > 80 [ACK] Seq=2891062367 Ack=40819766 Win=64114 Len=0
8 2002-12-17 12:55:21.256452 TCP 2602 > 80 [FIN, ACK] Seq=2891062367 Ack=40819766 Win=64114 Len=0
9 2002-12-17 12:55:21.256511 TCP 80 > 2602 [ACK] Seq=40819766 Ack=2891062368 Win=8556 Len=0
10 2002-12-17 12:55:21.257685 TCP 2603 > 80 [SYN] Seq=2891099381 Ack=0 Win=64240 Len=0
11 2002-12-17 12:55:21.257739 TCP 80 > 2603 [SYN, ACK] Seq=40819644 Ack=2891099382 Win=8760 Len=0
12 2002-12-17 12:55:21.257922 TCP 2603 > 80 [ACK] Seq=2891099382 Ack=40819645 Win=64240 Len=0
13 2002-12-17 12:55:21.258298 HTTP GET HTTP/1.0, NTLMSSP_NEGOTIATE
14 2002-12-17 12:55:21.259081 HTTP HTTP/1.1 407 Proxy authentication required, NTLMSSP_CHALLENGE
15 2002-12-17 12:55:21.260379 HTTP GET HTTP/1.0, NTLMSSP_AUTH
16 2002-12-17 12:55:21.409869 TCP 80 > 2603 [ACK] Seq=40820385 Ack=2891100122 Win=8020 Len=0
17 2002-12-17 12:56:06.275080 HTTP HTTP/1.1 504 Proxy Error ( Connection timed out )
18 2002-12-17 12:56:06.275111 HTTP Continuation
19 2002-12-17 12:56:06.275352 TCP 80 > 2603 [FIN, ACK] Seq=40821979 Ack=2891100122 Win=8020 Len=0
20 2002-12-17 12:56:06.275600 TCP 2603 > 80 [ACK] Seq=2891100122 Ack=40821979 Win=64240 Len=0
21 2002-12-17 12:56:06.275621 TCP 2603 > 80 [ACK] Seq=2891100122 Ack=40821980 Win=64240 Len=0
22 2002-12-17 12:56:06.276773 TCP 2603 > 80 [FIN, ACK] Seq=2891100122 Ack=40821980 Win=64240 Len=0
23 2002-12-17 12:56:06.276836 TCP 80 > 2603 [ACK] Seq=40821980 Ack=2891100123 Win=8020 Len=0

After this I looked on the proxy and discovered that the authentication on the IIS default web site (which has something to do with the proxy) is set to Basic and NT Challenge/Response.
I'm wondering if that's why it gets denied the first time.
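An added example, not code from the thread: a small Python parser for a trace in the same layout as the one posted above (frame number, date, time, protocol, info, with the source/destination columns missing). It groups HTTP lines by the client's ephemeral port and times each request/response pair, so the two 407s of the NTLM handshake and the 45-second wait before the 504 come out as numbers per connection. The embedded sample is constructed in that layout, and attributing each HTTP line to the most recent TCP frame's port is an assumption made because the address columns are absent.

```python
import re
from datetime import datetime

# Constructed sample laid out like the trace in the post (frame, date, time, proto, info);
# the source/destination columns are absent there too.
SAMPLE_TRACE = """\
1 2002-12-17 12:55:21.252960 TCP 2602 > 80 [SYN] Seq=1 Ack=0 Win=64240 Len=0
4 2002-12-17 12:55:21.253608 HTTP GET HTTP/1.0
5 2002-12-17 12:55:21.254268 HTTP HTTP/1.1 407 Proxy Access Denied
10 2002-12-17 12:55:21.257685 TCP 2603 > 80 [SYN] Seq=2 Ack=0 Win=64240 Len=0
13 2002-12-17 12:55:21.258298 HTTP GET HTTP/1.0, NTLMSSP_NEGOTIATE
14 2002-12-17 12:55:21.259081 HTTP HTTP/1.1 407 Proxy authentication required, NTLMSSP_CHALLENGE
15 2002-12-17 12:55:21.260379 HTTP GET HTTP/1.0, NTLMSSP_AUTH
17 2002-12-17 12:56:06.275080 HTTP HTTP/1.1 504 Proxy Error ( Connection timed out )
"""

LINE_RE = re.compile(r"^\d+ (\S+ \S+) (TCP|HTTP) (.*)$")
PORT_RE = re.compile(r"^(\d+) > (\d+) ")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")

def parse_trace(text):
    # Attribute each HTTP line to the client port of the most recent TCP frame (assumption).
    conns, current = {}, None
    for m in filter(None, map(LINE_RE.match, (l.strip() for l in text.splitlines()))):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        if m.group(2) == "TCP":
            p = PORT_RE.match(m.group(3))
            if p:  # the non-80 side is the client's ephemeral port
                current = p.group(1) if p.group(2) == "80" else p.group(2)
                conns.setdefault(current, [])
        elif current is not None:
            conns[current].append((ts, m.group(3)))
    return conns

def summarize(conns, slow_seconds=5.0):
    # Per connection: (status, seconds) for each request/response pair plus a slow flag.
    out = {}
    for port, events in conns.items():
        pending, steps = None, []
        for ts, info in events:
            if info.startswith("GET"):
                pending = ts
            elif (s := STATUS_RE.match(info)) and pending is not None:
                steps.append((int(s.group(1)), round((ts - pending).total_seconds(), 3)))
                pending = None
        final = steps[-1][0] if steps else None
        out[port] = {"steps": steps, "final_status": final,
                     "slow": final == 504 or any(e >= slow_seconds for _, e in steps)}
    return out
```

On the sample, port 2602 shows a single fast 407 and port 2603 shows 407 then 504 after about 45 s, which is the pattern to look for across a full capture.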

