Help with (what should be simple) bandwidth issues on NS-5GT



  • I manage the 5GT for our SOHO environment.  It’s a very simple network.  Cable modem service, single public IP.  Private 10 net behind the netscreen.  We have a few policies for incoming VNC, HTTP and mail functions.  Nothing fancy at all.  Public IP and DNS servers are received via DHCP.  (we have a dynamic DNS update service for our domain name).  Minus a few reserved IPs, our 10 net is DHCP.  Our network switch and devices are all 100/full and our switch has no vlans or other complexities.

    Basically:
    —> Cable Modem —> 5GT —> Switch —> Devices

    ANYWAY - We recently rebooted our cable modem and saw a big drop in bandwidth.  Speedtests were showing between 2-4 Mbps down.  We used to get 18-20!  Not sure how this might have affected our router.  So in running some tests, plugging a laptop DIRECTLY into the cable modem links up at 100/full and gets the 18-20 speeds we were seeing before.

    Like This:
    —> Cable Modem —> Laptop

    Completely confused by this I poked around at the config a bit.  After many frustrated hours I blew away the entire config and started from scratch.  As I added things in I would periodically re-test the bandwidth.  It wasn’t until somewhere around where I added the VIPs that I saw the drop.  Not sure why that would have ANY effect on download speeds.  I’m formerly a Cisco guy and inherited this network.  I’m in NO way a Netscreen expert.  I was just wondering if someone could have a look at my config and let me know if there was something obvious in there that might be inadvertently throttling bandwidth.  I’m also open to other suggestions to improve my config, but I’m primarily looking for help on the bandwidth issue.  THANKS!

    Eric.

    unset key protection enable
    set clock ntp
    set clock timezone -7
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "IMAP SSL" protocol tcp src-port 0-65535 dst-port 993-993 
    set service "VNC 1" protocol tcp src-port 0-65535 dst-port 5900-5900 
    set service "VNC 2" protocol tcp src-port 0-65535 dst-port 5901-5901 
    set service "VNC 3" protocol tcp src-port 0-65535 dst-port 5902-5902  
    unset alg sip enable
    unset alg mgcp enable
    unset alg sccp enable
    unset alg sunrpc enable
    unset alg msrpc enable
    unset alg xing enable
    unset alg tftp enable
    unset alg talk enable
    unset alg sql enable
    unset alg rtsp enable
    unset alg rsh enable
    unset alg real enable
    unset alg appleichat enable
    unset alg appleichat re-assembly enable
    unset alg dns enable
    unset alg http enable
    unset alg h323 enable
    unset alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "admin"
    set admin password "<hash_removed>"
    set admin port 8080
    set admin ssh port 2222
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    unset zone "V1-Trust" tcp-rst 
    unset zone "V1-Untrust" tcp-rst 
    unset zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    unset zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface trust phy full 100mb
    set interface untrust phy full 100mb
    set interface "trust" zone "Trust"
    set interface "untrust" zone "Untrust"
    unset interface vlan1 ip
    set interface trust ip 10.0.0.1/24
    set interface trust nat
    set interface untrust ip <ip from provider>/21
    set interface untrust route
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface trust ip manageable
    set interface untrust ip manageable
    set interface trust manage mtrace
    set interface untrust vip interface-ip 22 "SSH" 10.0.0.5
    set interface untrust vip interface-ip 25 "SMTP" 10.0.0.5
    set interface untrust vip interface-ip 80 "HTTP" 10.0.0.5
    set interface untrust vip interface-ip 143 "IMAP" 10.0.0.5
    set interface untrust vip interface-ip 993 "IMAP SSL" 10.0.0.5
    set interface untrust vip interface-ip 5900 "VNC 1" 10.0.0.5
    set interface untrust vip interface-ip 5901 "VNC 2" 10.0.0.3
    set interface untrust vip interface-ip 5902 "VNC 3" 10.0.0.6
    set interface untrust dhcp client enable
    set interface trust dhcp server service
    set interface trust dhcp server auto
    set interface trust dhcp server option domainname <from provider>
    set interface trust dhcp server option dns1 <dns1>
    set interface trust dhcp server option dns2 <dns2>
    set interface trust dhcp server ip 10.0.0.16 to 10.0.0.254
    set interface trust dhcp server ip 10.0.0.6 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.7 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.8 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.9 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.10 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.14 mac <mac removed>
    set interface trust dhcp server ip 10.0.0.15 mac <mac removed>
    unset interface trust dhcp server config next-server-ip
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set domain <from provider>
    set hostname NS5GT
    set dbuf usb filesize 0
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 0.0.0.0
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    unset alg ftp enable
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit 
    set policy id 1
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "HTTP" permit 
    set policy id 2
    exit
    set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "IMAP SSL" permit 
    set policy id 3
    exit
    set policy id 4 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SMTP" permit 
    set policy id 4
    exit
    set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "IMAP" permit 
    set policy id 5
    exit
    set policy id 6 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SSH" permit 
    set policy id 6
    exit
    set policy id 7 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 1" permit 
    set policy id 7
    exit
    set policy id 8 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 2" permit 
    set policy id 8
    exit
    set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 3" permit 
    set policy id 9
    exit
    set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "UDP-ANY" permit 
    set policy id 10
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set ntp server "time.apple.com"
    set ntp server src-interface "untrust"
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    

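The posted config, run through a small audit script. This is an added example written for this page, not code from the thread or from Juniper: it parses only the three line shapes the config uses (`set service`, `set interface ... vip`, `set policy id ... permit`) and flags the inbound permits a reviewer would question: catch-all services such as policy 10's `UDP-ANY`, remote-access services (SSH, the three VNC ports) open to any source, and services that carry logins in cleartext. `SAMPLE_CONFIG` is excerpted verbatim from the post above; the service categories and the rules applied to them are assumptions of this example, not ScreenOS concepts.

```python
"""Audit the posted ScreenOS config for risky inbound exposure.

Added example for this page, not code from the thread or from Juniper.
It handles only the line shapes the posted config uses. SAMPLE_CONFIG is
excerpted from the post; the service categories and rules are assumptions.
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
set service "IMAP SSL" protocol tcp src-port 0-65535 dst-port 993-993
set service "VNC 1" protocol tcp src-port 0-65535 dst-port 5900-5900
set service "VNC 2" protocol tcp src-port 0-65535 dst-port 5901-5901
set service "VNC 3" protocol tcp src-port 0-65535 dst-port 5902-5902
set interface untrust vip interface-ip 22 "SSH" 10.0.0.5
set interface untrust vip interface-ip 25 "SMTP" 10.0.0.5
set interface untrust vip interface-ip 80 "HTTP" 10.0.0.5
set interface untrust vip interface-ip 143 "IMAP" 10.0.0.5
set interface untrust vip interface-ip 993 "IMAP SSL" 10.0.0.5
set interface untrust vip interface-ip 5900 "VNC 1" 10.0.0.5
set interface untrust vip interface-ip 5901 "VNC 2" 10.0.0.3
set interface untrust vip interface-ip 5902 "VNC 3" 10.0.0.6
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "HTTP" permit
set policy id 3 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "IMAP SSL" permit
set policy id 4 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SMTP" permit
set policy id 5 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "IMAP" permit
set policy id 6 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SSH" permit
set policy id 7 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 1" permit
set policy id 8 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 2" permit
set policy id 9 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "VNC 3" permit
set policy id 10 from "Untrust" to "Trust"  "Any" "VIP(untrust)" "UDP-ANY" permit
"""

VIP_RE = re.compile(r'^set interface (\S+) vip interface-ip (\d+) "([^"]+)" (\S+)$')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)$'
)

# Categories assumed by this example (not ScreenOS built-ins).
REMOTE_ADMIN = {"SSH", "VNC 1", "VNC 2", "VNC 3"}   # interactive access, brute-forceable
CLEARTEXT_LOGIN = {"HTTP", "IMAP"}                  # credentials cross the wire unencrypted
WILDCARD = {"ANY", "TCP-ANY", "UDP-ANY"}            # catch-all services


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str


def parse(config):
    """Return ({vip service name: (iface, port, inside ip)}, [Policy, ...])."""
    vips, policies = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = VIP_RE.match(line)
        if m:
            iface, port, name, ip = m.groups()
            vips[name] = (iface, int(port), ip)
            continue
        m = POLICY_RE.match(line)
        if m:
            pid, sz, dz, src, dst, svc, act = m.groups()
            policies.append(Policy(int(pid), sz, dz, src, dst, svc, act))
    return vips, policies


def audit(config):
    """Return a list of (policy id, finding) for inbound permits worth a second look."""
    vips, policies = parse(config)
    findings = []
    for p in policies:
        if p.action != "permit" or p.src_zone != "Untrust":
            continue
        if p.service in WILDCARD:
            findings.append((p.pid, f"{p.service} permitted inbound: catch-all service, narrow or remove"))
        elif p.dst.startswith("VIP(") and p.service not in vips:
            findings.append((p.pid, f"{p.service} has no VIP mapping on this interface"))
        if p.src == "Any" and p.service in REMOTE_ADMIN:
            findings.append((p.pid, f"{p.service} open to any source: restrict to a named address"))
        if p.src == "Any" and p.service in CLEARTEXT_LOGIN:
            findings.append((p.pid, f"{p.service} exposes cleartext logins: prefer the TLS variant"))
    permitted = {p.service for p in policies if p.action == "permit"}
    for name in sorted(vips):
        if name not in permitted:
            findings.append((0, f"VIP {name} is mapped but no policy permits it"))
    return findings


if __name__ == "__main__":
    for pid, msg in audit(SAMPLE_CONFIG):
        print(f"policy {pid}: {msg}")
```

On the posted config this reports seven findings: policies 6 through 9 (SSH and VNC open to the whole internet, the "scanned/bruteforced" surface the poster mentions later), policies 2 and 5 (HTTP and IMAP logins in cleartext, with IMAP SSL already available on 993), and policy 10 (a catch-all UDP permit to the VIP although no VIP in the config maps a UDP service, the same question raised further down the thread). Replacing "Any" with a named source address on the SSH and VNC policies is the cheapest fix; none of this explains a throughput drop, which is the separate duplex question.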

  • I’m also seeing a lot of “in CRC” errors on the untrust interface… and some “out defer” errors.


  • Engineer

    Although computers notoriously fail to exhibit the slightest bit of evidence that they experience anything resembling an emotion such as hate, it must be noted that they will not hesitate to conspire to destroy you (space odyssey style).

    Due to early adoption and various non-technical factors, compliance with the autonegotiation specification has been uneven at best. The most common result includes a connecting pair of interfaces wherein one side’s speed & duplex is hard-coded and the other side is set to autonegotiate. Within that scenario, the side set to autonegotiate (I prefer “autonegate,” but the rest of the computing community fails to recognize that particular bit of wordsmithmanship) refuses to communicate on any terms not including half-duplex, and performance suffers as a result.

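A triage helper for the symptom mix reported above (inbound CRC errors together with deferred transmits), as an added example that is not part of the thread: it encodes the rule that a duplex mismatch leaves collisions and deferrals on the half-duplex side and CRC errors and runts on the full-duplex side, and says which side of the link to suspect. The counter snapshots are constructed to resemble the reported symptoms, not real output from the poster's 5GT, and the error-rate threshold is an assumption of this example.

```python
"""Triage a suspected speed/duplex mismatch from interface counters.

Added example, not from the thread. The counter snapshots are constructed
to mimic the symptoms reported above (inbound CRC errors plus deferred
transmits); they are not real ScreenOS output. ERROR_RATE_LIMIT is an
assumed threshold chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class IfCounters:
    in_frames: int
    out_frames: int
    in_crc: int = 0          # FCS/CRC errors on receive
    in_runts: int = 0        # frames shorter than the 64-byte minimum
    collisions: int = 0
    late_collisions: int = 0  # collision after the first 64 bytes went out
    out_deferred: int = 0    # transmits delayed because the medium looked busy


# Assumption: one bad frame per thousand is already far beyond a healthy link.
ERROR_RATE_LIMIT = 1e-3


def rate(n, total):
    return n / total if total else 0.0


def diagnose(c: IfCounters) -> dict:
    """Return a verdict plus the evidence behind it.

    A duplex mismatch shows up differently on the two ends of the cable:
    - the half-duplex side still runs CSMA/CD, so it counts collisions,
      late collisions and deferrals whenever the peer talks over it;
    - the full-duplex side never backs off, so the fragments the peer
      aborted mid-frame arrive as CRC errors and runts.
    """
    evidence = []
    crc_rate = rate(c.in_crc + c.in_runts, c.in_frames)
    half_duplex_here = bool(c.collisions or c.out_deferred)
    if c.late_collisions:
        evidence.append("late collisions: this side is half-duplex, peer is probably forced full")
    if half_duplex_here:
        evidence.append("collisions/deferrals present: this side is operating half-duplex")
    if crc_rate > ERROR_RATE_LIMIT:
        evidence.append("inbound CRC/runt rate %.4f: peer is probably half-duplex, or the cable is bad" % crc_rate)

    if c.late_collisions or (half_duplex_here and crc_rate > ERROR_RATE_LIMIT):
        verdict = "duplex mismatch likely; set both ends the same way (both autoneg or both forced)"
    elif crc_rate > ERROR_RATE_LIMIT:
        verdict = "receive errors only; check the peer's duplex setting, then cabling"
    elif half_duplex_here:
        verdict = "half-duplex operation; fine only if the peer is also half-duplex"
    else:
        verdict = "no mismatch symptoms in these counters"
    return {"verdict": verdict, "crc_rate": crc_rate, "evidence": evidence}


# Constructed snapshots (not real output): one resembling the untrust-side
# symptoms described above, one from a healthy link for comparison.
UNTRUST_SAMPLE = IfCounters(in_frames=200_000, out_frames=150_000,
                            in_crc=1_850, in_runts=120, out_deferred=940)
HEALTHY_SAMPLE = IfCounters(in_frames=5_000_000, out_frames=4_200_000, in_crc=3)

if __name__ == "__main__":
    for name, sample in (("untrust", UNTRUST_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        r = diagnose(sample)
        print(f"{name}: {r['verdict']}")
        for line in r["evidence"]:
            print("   -", line)
```

Take two snapshots a few minutes apart and feed the difference in, not the lifetime totals; a counter that stopped moving after the last change is as informative as one that is still climbing. The rule of thumb the verdicts implement is the one in the post above: the only stable configurations are both ends autonegotiating or both ends forced to the same speed and duplex.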


  • Let me add to this comedy of errors.

    I unset the hardcoded 100/full on the physical untrust interface (even though I know the cable modem supports this setting) and suddenly my down speeds went up to 12Mb/s!  Not where it was, but a completely a$$-backwards improvement.

    I hate computers.



  • @aweck:

    Looks pretty simple.  Do you know if many users are connecting from outside to the VIP services?  These VIP services might be eating away at your down bandwidth if they are being utilized heavily on the client-to-server path.  A more likely case may be some user/device using up the bandwidth from inside (bittorrent…?).

    Is there a reason for policy 10?  I don’t see any VIP services defined for UDP applications.

    Well, I was hacking away at the config late last night.  No one was using the network at all, ruling out bittorrent or something else sopping up network bandwidth.  Unless I’m getting scanned/bruteforced, there shouldn’t be too heavy a load from outside.  Without the heavy load, we are able to get away with a cheaper cable package and the dynamic DNS.

    I guess I don’t need the UDP policy.  I think that was a carry-over from the previous config and I just didn’t think about whether it should be there or not.  I just put it back in.  That being said, it shouldn’t be affecting anything.  One weird thing is that I had this issue when we upgraded from a 5XT to a 5GT (just for the 100 instead of 10mbit).  It was solved by forcing 100/Full on the interfaces.  Those are still there in the newest config… so that’s not the issue.



  • Hi,

    Perhaps you can enable ‘counting’ on your policies and verify what is causing the problems.
    You’ll need to check regularly what the counters are showing… perhaps give the counters some extra memory by disabling logging (if you have any enabled).

    Also, you can find the bandwidth used on the interfaces in the reports section (though you might need to configure the actual bandwidth on the interfaces for this to be accurate).

    Anyway, those are some tools you can use to investigate…

    Cheers,



    Looks pretty simple.  Do you know if many users are connecting from outside to the VIP services?  These VIP services might be eating away at your down bandwidth if they are being utilized heavily on the client-to-server path.  A more likely case may be some user/device using up the bandwidth from inside (bittorrent…?).

    Is there a reason for policy 10?  I don’t see any VIP services defined for UDP applications.

