Greg,

I didn’t mean the SQL Server or MSDE for logging. There is a configuration server piece that should use SQL Server or MSDE to hold the policies. As I understand it – and please, someone correct me if I am wrong – applying changes submits the changes made to policies to the configuration server. These changes are then committed to the database in which the policy is stored. If you have an I/O problem on that database server, that could be the issue, especially if you aren’t seeing CPU utilization spike to 100% but only a delay that feels like it’s spiked.

Are the configuration server and ISA firewall on the same box? Do you have only one server? Is this a new server that has had this problem since installation or did this just recently start to occur? Are you using standard or enterprise edition?

Sorry about all the extra questions; I’m just trying to dig to help find the scope.

Cordially yours,

Jerry G. Young II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application Engineer
Platform Engineering & Architecture
NTT America, an NTT Communications Company
=====================================
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The truth is that there is nothing noble in being superior to somebody else. The only real nobility is in being superior to your former self."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Tuesday, September 04, 2007 4:32 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: applying changes takes ages

Thanks Gerald

I was logging to flat txt but have since turned it off. The funny thing was the last time I looked the task manager didn’t show any service with above average CPU utilization, which was bizarre, hence why I never bothered with procmon. I’ll try it again in case my eyes lie.

Greg

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Tuesday, 4 September 2007 11:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: applying changes takes ages

EDITED

Oops… I lied about ProcMon showing loaded DLLs, although it will give you a LOT more insight on what a given process is doing. The other piece, which DOES show DLLs loaded for a process, is Process Explorer. That’s found at the following location:

http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx

------- Previously on RE: [isapros] applying changes takes ages…

Task Manager isn’t showing the name of the process that is using all CPU resources? If it is and you just have no insight into what that process is doing, take a look at Process Monitor from Sysinternals/Microsoft. It provides a lot more detail about what a process is doing, even going as far as showing which DLLs are loaded for it. This tool can be found at the URL below.

http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

A couple of other questions. Where is the database sitting? Is it SQL Server or MSDE? If it’s on a different server, what do its performance counters look like? If SQL Server (whether local or remote), have you checked SQL logs and locks? Anything at all in the Event Logs on the ISA box?

Cordially yours,

Jerry G. Young II

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Greg Mulholland
Sent: Tuesday, September 04, 2007 6:28 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] applying changes takes ages

Hey gang, got an issue here I’m trying to work through. I have an ISA 2006 std box running in firewall mode that takes an exorbitant amount of time to apply any changes. Like I’m talking 5-10 minutes.

A little background: It’s a basic win2k3 sp2 install with around 20 rules (least privilege), a few published services like smtp, web, owa, VPN clients (pptp). I read about an issue on multi core processors but this is pure single core. I also read about when a number of web servers are published with multiple link translations it can take time, but we aren’t using any link translation atm.

The server seems to go CPU bound in a big way when I apply any rule or config changes, sits around 100%. Incidentally there are no simultaneous or subsequent ISA alerts nor are there any system or app log events fired. I’m not sure what’s pinning the CPU, the task manager doesn’t give me any real heads up on anything, the box at load is sitting around 300-500mb ram free, we’ve recently added a new disk for logging but in this case I’ve even turned off logging for the time being to try and get to the bottom of the performance.

My gut feeling was that there was a bad rule or something in the ruleset but I’ve reviewed these and they seem to be OK. I have run an ISABPA and didn’t find anything more than the usual you are using strict rpc, and a few other red herrings. I haven’t as yet run a sniff whilst the changes are being applied but I would have assumed that would be somewhat fruitless anyway.

Can anyone shed any more light or give me any pov’s.

Thanks

Greg

=================================
This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. NTT America makes no warranty that this email is error or virus free. Thank you.