Hi,
I had set up almost 20 boxes on my network to be monitored via openaudit from a similar WinXP box. After some time, the machine's audits started going really slow. By slow I mean like 15-20 minutes per machine. I started investigating, and almost all outgoing connections were dead slow, except Windows/Samba shares for some reason. Incoming connections like Remote Desktop also work fine.
For example simplest ICMP:
[code]
>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Reply from 192.168.0.1: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
[/code]
Here I'm pinging the box's gateway. Looks perfectly fine, right? Actually, this command took about 50 seconds to execute! Between each of the four replies there was a gap of more than 10 seconds. By default ping does one ICMP echo per second, but it didn't. It's like there's a timeout while ping is handing the packet to the network stack. Pinging localhost (127.0.0.1) works fine. Pinging its own external interface does not. The ipconfig command takes half a minute to produce the network information.
There's no traffic, the machine is idling, nothing really seems wrong.
Now, I've heard of EvID4226, that Windows limits the rate of new outgoing connections to 10 per second, but I tried changing this to 80 and even 1000. It didn't have any effect at all. I used this patch:
http://www.lvllord.de/?lang=en&url=downloads Anyhow, I haven't seen this event in the logs either.
A reboot usually helps for a short bit of time; then, when I start using networking like browsing or even pinging, it goes slow again pretty quickly. The last time I rebooted the box, by the time I had logged in (via rdesktop, which always works OK) it had already reached this slow state. I then let the box idle for a few days, and when I logged in today it had miraculously healed itself. I was even able to browse the web a bit. But as soon as I fired up openaudit it went dead slow again.
I'm not blaming openaudit for this, as it's not the only thing that causes the problem to appear. I'm hoping some of you have ideas what the hell is going on or how to investigate this. For now I can say that this affects TCP, ICMP and UDP (DNS). For some reason Windows networking works fine (Samba file shares). Openaudit, however, doesn't work fine, although it uses pretty much the same stuff that Samba shares do.
This box houses F-Secure Client Security servers and the F-Secure client. I have tried turning them all off, and this had no impact whatsoever. The Windows firewall was turned off as well. I've done reboots between each change of settings. As far as I can remember, nothing was changed on the system when it went slow for the first time.
The box in question is a 1U server with an entry-level Intel board with two integrated network adapters. Both use the same type of chip, unfortunately, maybe even the same one. The driver Windows installed is "Intel 8255x". I haven't tried reinstalling the driver, as it came with Windows. I'll have to look at the board to figure out which network chip is used and try another driver from intel.com, but I doubt this will help, as it does work OK for some time. I did, however, try both of the network cards; no difference. I also made sure it's not the switch that's broken (3Com 4200G).
I have tried changing the number_of_audits to no avail in hopes that it won't crash the system.
So any ideas?
Thanks for reading through this!
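The post contrasts two explanations: the EvID4226 half-open connection limit (10 new outgoing TCP connections per second on XP SP2) versus a stall in the stack that also hits ICMP and ipconfig, which the limit cannot explain. The script below is an added example, not code from the original post or from the openaudit or lvllord projects. It separates the two by timing a `ping -n 4` run against the roughly one-echo-per-second expectation and counting `SYN_SENT` entries in `netstat -an` output, which is what the 4226 limiter throttles. The netstat sample, the 3x stall threshold, the `SAMPLE_NETSTAT` name and the `classify` wording are assumptions chosen for this example; the netstat line format is the one Windows XP prints.

```python
"""Diagnose 'ping replies look fine but the command stalls' on a Windows box.

Added example for this thread (assumptions: XP-style `netstat -an` and
`ping -n` output; the default half-open limit of 10 that EvID4226 reports).
Run `python stalldiag.py` on the affected machine; the parsing functions
below are pure so they can be exercised offline on the constructed sample.
"""
import re
import subprocess
import sys
import time
from collections import Counter

# XP `netstat -an` TCP line: "  TCP    192.168.0.5:1054    192.168.0.20:445    ESTABLISHED"
NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)

# Default limit on simultaneous half-open (SYN_SENT) outbound connections on
# XP SP2; exceeding it is what logs EvID4226 (assumption: unpatched tcpip.sys).
HALF_OPEN_LIMIT = 10

# Constructed sample of `netstat -an` output, not captured from the poster's box.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1054       192.168.0.20:445       ESTABLISHED
  TCP    192.168.0.5:1055       192.168.0.21:80        SYN_SENT
  TCP    192.168.0.5:1056       192.168.0.21:80        SYN_SENT
  TCP    192.168.0.5:1057       192.168.0.22:135       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""


def count_half_open(netstat_text):
    """Return (total SYN_SENT sockets, Counter of remote hosts they target)."""
    per_host = Counter()
    for _local, remote, state in NETSTAT_TCP_RE.findall(netstat_text):
        if state == "SYN_SENT":
            host = remote.rsplit(":", 1)[0]  # strip the port, keep IPv4 host
            per_host[host] += 1
    return sum(per_host.values()), per_host


def classify(ping_wall_seconds, echo_count, syn_sent_total, limit=HALF_OPEN_LIMIT):
    """Say which explanation the measurements support.

    `ping -n N` sends one echo per second, so a healthy run takes about N
    seconds; anything over 3x that (assumed threshold) counts as a stall.
    """
    expected = float(echo_count)
    if ping_wall_seconds <= 3 * expected:
        return "no stall observed"
    if syn_sent_total >= limit:
        return "stall with half-open backlog at/over limit: EvID4226 rate limit plausible"
    return "stall with no half-open backlog: not the 4226 limit, look at driver/stack"


def time_command(argv):
    """Wall-clock seconds for one command invocation, output discarded."""
    start = time.monotonic()
    subprocess.run(argv, capture_output=True)
    return time.monotonic() - start


def main(target="192.168.0.1", echo_count=4):
    """Measure the live box: ping wall time plus the current half-open count."""
    elapsed = time_command(["ping", "-n", str(echo_count), target])
    netstat_out = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    total, per_host = count_half_open(netstat_out)
    print("ping -n %d %s took %.1f s" % (echo_count, target, elapsed))
    print("SYN_SENT sockets: %d %s" % (total, dict(per_host)))
    print(classify(elapsed, echo_count, total))


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

On the numbers in the post (50 seconds for four echoes) the verdict is the third branch unless netstat also shows a SYN_SENT pile-up, which is the reason raising the lvllord limit to 80 or 1000 would change nothing. Run it once right after a reboot and again once the box has gone slow, and keep the two netstat counts side by side.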