[isapros] Re: applying changes takes ages
- From: "Gerald G. Young" <g.young@xxxxxxxx>
- To: <isapros@xxxxxxxxxxxxx>
- Date: Tue, 4 Sep 2007 16:47:19 -0400
Greg,
I didn’t mean the SQL Server or MSDE for logging. There is a configuration
server piece that should use SQL Server or MSDE to hold the policies. As I
understand it – and please, someone correct me if I am wrong – applying changes
submit the changes made to policies to the configuration server. These changes
are then committed to the database in which the policy is stored. If you have
an I/O problem on that database server, that could be the issue, especially if
you aren’t seeing CPU utilization spike to 100% but only a delay that feels
like it’s spiked.
Is the configuration server and ISA firewall on the same box? Do you have only
one server? Is this a new server that has had this problem since installation
or did this just recently start to occur? Are you using standard or enterprise
edition?
Sorry about all the extra questions; I’m just trying to dig to help find the
scope.
Cordially yours,
Jerry G. Young II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application Engineer
Platform Engineering & Architecture
NTT America, an NTT Communications Company
=====================================
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The truth is that there is nothing noble in being superior to somebody else.
The only real nobility is in being superior to your former self."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Mulholland
Sent: Tuesday, September 04, 2007 4:32 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: applying changes takes ages
Thanks Gerald
I was logging to flat txt but have since turn it off. The funny thing was the
last time I looked the task manager didn’t show any service with above average
cpu utilization which was bizarre, hence why I never bothered with procmon.
I’ll try it again in case my eyes lies.
Greg
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Gerald G. Young
Sent: Tuesday, 4 September 2007 11:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: applying changes takes ages
EDITED
Oops… I lied about ProcMon showing loaded DLLs, although, it will give you a
LOT more insight on what a given process is doing. The other piece, which DOES
show DLLs loaded for a process, is Process Explorer. That’s found at the
following location:
http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
-------
Previously on RE: [isapros] applying changes takes ages…
Task Manager isn’t showing the name of the process that is using all CPU
resources?
If it is and you just have no insight into what that process is doing, take a
look at Process Monitor from Sysinternals/Microsoft. It provides a lot more
detail about what a process is doing, even going as far as showing which DLLs
are loaded for it. This tool can be found at the URL below.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
A couple of other questions. Where is the database sitting? Is it SQL Server
of MSDE? If it’s on a different server, what does its performance counters
look like? If SQL Server (whether local or remote), have you checked SQL logs
and locks? Anything at all in the Event Logs on the ISA box?
Cordially yours,
Jerry G. Young II
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application Engineer
Platform Engineering & Architecture
NTT America, an NTT Communications Company
=====================================
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The truth is that there is nothing noble in being superior to somebody else.
The only real nobility is in being superior to your former self."
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On
Behalf Of Greg Mulholland
Sent: Tuesday, September 04, 2007 6:28 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] applying changes takes ages
Hey gang got an issue here I’m trying to work through.
I have an isa 2006 std box running in firewall mode that takes an exorbitant
amount of time to apply any changes. Like I’m talking 5-10 minutes.
A little background:
It’s a basic win2k3 sp2 install with around 20 rules (least privilege), a few
published services like smtp,web, owa, VPN clients (pptp). I read about an
issue on multi core processors but this is pure single core. I also read about
when a number of web servers are published with multiple link translations it
can take time, but we aren’t using any link translation atm. The server seems
to go CPU bound in a big way when I apply any rule or config changes, sits
around 100%. Incidentally there are no simultaneous or subsequent ISA alters
nor are there any system or app log events fired.
I’m not sure what’s pinning the CPU, the task manager doesn’t give me any real
heads up on anything, the box at load is sitting around 300-500mb ram free,
we’ve recently added a new disk for logging but in this case I’ve even turned
off logging for the time being to try and get to the bottom of the performance.
My gut feeling was that there was a bad rule or something in the ruleset but
I’ve reviewed these and they seem to be OK. I have run an ISABPA and didn’t
find anything more than the usual you are using strict rpc, and a few other red
herrings. I haven’t as yet ran a sniff whilst the changes are being applied but
I would have assumed that would be somewhat fruitless anyway.
Can anyone shed any more light or give me any pov’s.
Thanks
Greg
=================================
This email message is intended for the use of the person to whom it has been
sent, and may contain information that is confidential or legally protected. If
you are not the intended recipient or have received this message in error, you
are not authorized to copy, distribute, or otherwise use this message or its
attachments. Please notify the sender immediately by return e-mail and
permanently delete this message and any attachments. NTT America makes no
warranty that this email is error or virus free. Thank you.
=================================
This email message is intended for the use of the person to whom it has been
sent, and may contain information that is confidential or legally protected. If
you are not the intended recipient or have received this message in error, you
are not authorized to copy, distribute, or otherwise use this message or its
attachments. Please notify the sender immediately by return e-mail and
permanently delete this message and any attachments. NTT America makes no
warranty that this email is error or virus free. Thank you.
Other related posts: