
Open-AudIT

What's on your network?
PostPosted: Thu Sep 20, 2007 2:12 am 
Newbie

Joined: Wed Sep 05, 2007 1:20 am
Posts: 23
Hi,

I had set up almost 20 boxes on my network to be monitored via openaudit from a similar winxp box. After some time, the machine's audits started going really slow. By slow I mean like 15-20 minutes per machine. I started investigating and almost all outgoing connections were dead slow, except windows/samba shares for some reason. Also incoming connections like remote desktop work fine.

For example simplest ICMP:
[code]
>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[/code]

Here I'm pinging the box's gateway. Looks perfectly fine, right? Actually this command took about 50 seconds to execute! Between each of the four replies there was more than a 10 second long gap. By default ping does one icmp echo per second, but it didn't. It's like there's a timeout while ping is sending the command to the network stack. Ping localhost (127.0.0.1) works fine. Pinging its own external interface does not. The command ipconfig takes half a minute to produce the network information.

There's no traffic, the machine is idling, nothing really seems wrong.

Now I've heard of EvID4226. That Windows limits the rate of new outgoing connections to 10 per second, but I tried to change this to 80 and even 1000. Didn't have any effect at all. I used this patch: http://www.lvllord.de/?lang=en&url=downloads Anyhow I haven't seen this event in the logs either.

A reboot usually helps for a short bit of time, then when I start using networking like browsing or even pinging it goes slow again pretty quickly. The last time I rebooted the box and by the time I had logged in (via rdesktop which works always OK) it had already achieved this slow state. I then let the box idle a few days and when I logged in today it had miraculously healed itself. I was even able to browse the web a bit. But as soon as I fired up openaudit it went dead slow again.

I'm not blaming openaudit for this, as it's not the only one which causes the problem to appear. I'm hoping some of you have ideas what the hell is going on or how to investigate this. For now I can say that this affects TCP, ICMP and UDP (DNS). For some reason windows networking works fine (samba file shares). Openaudit however doesn't work fine, although it uses pretty much the same stuff that samba shares do.

This box houses F-Secure Client Security servers and the f-secure client. I have tried turning them all off and this had no impact whatsoever. The windows firewall was turned off as well. I've done reboots between each change of settings. As far as I can remember nothing was changed on the system when it went slow for the first time.

The box in question is a 1U server with Entry Level Intel board with two integrated network adapters. Both use the same type of chip unfortunately, maybe even the same one. The driver windows installed is "Intel 8255x". I haven't tried reinstalling the driver as it came with Windows. I'll have to look at the board to figure out what network chip is used and try another driver from intel.com, but I doubt this will help as it does work OK for some time. I did however try both of the network cards, no difference. I also made sure it's not the switch that's broken (3Com 4200G).

I have tried changing the number_of_audits to no avail in hopes that it won't crash the system.

So any ideas?

Thanks for reading through this!


PostPosted: Thu Sep 20, 2007 3:52 am 
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I would start with the Intel Drivers. I have seen similar issues, take care here, as installing the wrong drivers can cause even more issues. Get the most recent ones from the Intel site and from the manufacturers site, try both.

What manufacturer is the box, is there anything on their web site. Could also be the motherboard chipset drivers. Again I have seen on some NoName PCs where this was the issue, again Intel Chipset, but could be other chipsets suffer. Look in the device manager, check all of the logs, anything might help.

Swap out the NIC if you can, use a different brand and chipset.

Run the audit from different locations, is the issue still there?

Fire up Wireshark http://www.wireshark.org/, on two boxes, watch the packets going between them. Look for lots of lost packets, bad headers or the like.

If you can't see anything there, eliminate (swap) the switch, put another switch straight on to the test two boxes (or better still if you have one, an old 100Mb hub as it will show all of the traffic from both nodes at both ends, switches switch, but hubs don't, so everything goes everywhere).

Let us know the results.

_________________
Andrew

OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory


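The symptom in the first post (replies reported as "time<1ms" while the four echoes are spread over roughly 50 seconds) and the moderator's advice to watch the packets with Wireshark point at the same question: is the delay on the wire or inside the sending host? The script below is an added example, not part of the thread and not Open-AudIT code. It assumes you have exported the per-packet timestamps of an ICMP echo capture (as in Wireshark's Time column) into a list of request/reply records; the three captures in it are constructed to illustrate the three outcomes and are not real traces. For each sequence number it computes the round-trip time and the gap since the previous request left the host, then flags a run as a sender-side stall when the gaps are far above ping's expected 1 s cadence but the replies come back fast.

```python
"""Tell sender-side stalls from network delay in an ICMP echo capture.

Added example, not from the forum thread or Open-AudIT. Input is a list of
Packet records with the timestamps a capture tool recorded for each echo
request and reply.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp in seconds (Wireshark "Time" column)
    direction: str   # "request" (echo) or "reply" (echo reply)
    seq: int         # ICMP echo sequence number


# Constructed capture (not a real trace): what the ping run in the first post
# would look like on the wire. Every echo is answered in well under a
# millisecond, but the requests leave the host 12-13 s apart instead of at
# ping's default 1 s cadence.
STALLED_CAPTURE = [
    Packet(0.0000, "request", 1), Packet(0.0004, "reply", 1),
    Packet(12.3100, "request", 2), Packet(12.3106, "reply", 2),
    Packet(25.8710, "request", 3), Packet(25.8713, "reply", 3),
    Packet(38.1020, "request", 4), Packet(38.1025, "reply", 4),
]

# Constructed healthy run: 1 s cadence, sub-millisecond replies.
HEALTHY_CAPTURE = [
    Packet(0.0000, "request", 1), Packet(0.0003, "reply", 1),
    Packet(1.0010, "request", 2), Packet(1.0014, "reply", 2),
    Packet(2.0020, "request", 3), Packet(2.0023, "reply", 3),
    Packet(3.0030, "request", 4), Packet(3.0036, "reply", 4),
]

# Constructed slow path: the host sends on time, the network is what lags,
# and one reply never comes back.
SLOW_PATH_CAPTURE = [
    Packet(0.0000, "request", 1), Packet(0.2500, "reply", 1),
    Packet(1.0010, "request", 2), Packet(1.3100, "reply", 2),
    Packet(2.0020, "request", 3),
    Packet(3.0030, "request", 4), Packet(3.2900, "reply", 4),
]


def pair_echoes(packets):
    """Map each sequence number to (request_ts, reply_ts or None).

    Only the first request and the first reply per seq count; duplicates
    (retransmits, mirrored ports) are ignored rather than miscounted, and a
    reply with no matching request is dropped.
    """
    echoes = {}
    for p in sorted(packets, key=lambda p: p.ts):
        req, rep = echoes.get(p.seq, (None, None))
        if p.direction == "request" and req is None:
            req = p.ts
        elif p.direction == "reply" and req is not None and rep is None:
            rep = p.ts
        echoes[p.seq] = (req, rep)
    return {seq: v for seq, v in echoes.items() if v[0] is not None}


def analyse(packets, expected_interval=1.0, stall_factor=5.0, slow_rtt=0.1):
    """Per-echo rows with gap (s since previous request), rtt and a verdict.

    "sender_stall": gap far above the expected cadence but the reply was fast,
                    so the request was held up before it reached the wire
    "path_delay":   the reply itself took long
    "lost":         request seen, no reply captured
    "ok":           otherwise
    """
    rows = []
    prev_req = None
    for seq, (req, rep) in sorted(pair_echoes(packets).items()):
        gap = None if prev_req is None else req - prev_req
        rtt = None if rep is None else rep - req
        if rtt is None:
            verdict = "lost"
        elif gap is not None and gap > stall_factor * expected_interval and rtt < slow_rtt:
            verdict = "sender_stall"
        elif rtt >= slow_rtt:
            verdict = "path_delay"
        else:
            verdict = "ok"
        rows.append({"seq": seq, "gap": gap, "rtt": rtt, "verdict": verdict})
        prev_req = req
    return rows


def classify(packets, **kw):
    """Summarise a run as its most common non-"ok" verdict, or "ok"."""
    counts = {}
    for row in analyse(packets, **kw):
        if row["verdict"] != "ok":
            counts[row["verdict"]] = counts.get(row["verdict"], 0) + 1
    return max(counts, key=counts.get) if counts else "ok"


if __name__ == "__main__":
    for name, cap in [("stalled", STALLED_CAPTURE), ("healthy", HEALTHY_CAPTURE),
                      ("slow path", SLOW_PATH_CAPTURE)]:
        print(f"{name}: {classify(cap)}")
        for row in analyse(cap):
            print("  ", row)
```

A "sender_stall" result means the capture box on the far side of the hub would also see the requests arrive late, so swapping the switch or NIC is unlikely to help and the investigation belongs on the sending host (drivers, filter drivers, stack settings); a "path_delay" or "lost" result is the case where the moderator's switch and NIC swaps are the right next step.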
PostPosted: Sat Sep 22, 2007 1:45 am 
Newbie

Joined: Wed Sep 05, 2007 1:20 am
Posts: 23
I've tried different drivers for the integrated Intel NICs, a PCI NIC with a Realtek chip while the integrated ones were disabled from the BIOS. Installed all kinds of Intel crap that they offer for the board and nothing helped.

Anyhow, I now discovered, contrary to what I had tried earlier, when number_of_audits is set to 1, 2 and even 4 the problem does not seem to appear. However with 8 it does. I haven't tried 5-7 yet, but 4 is actually acceptable for me, for now at least.

I haven't looked at the traffic (wireshark) though, my bad.

I'm pretty sure it's a software issue with Windows and not hardware related. This box earlier was running linux for years as a gateway without problems after all. Nor is the switch at fault here, I'm very sure.

So I'm giving up after several days of battling with Windows, hopefully number_of_audits = 4 will last.

Thanks for your input Andrew!

