General Approach to Solving Performance Issues with the ISA Firewall Part 1
Yesterday I talked about how to deal with DNS issues that can have a negative impact on the ISA firewall’s performance. Today I’d like to go over a general approach you can use to solve performance issues with the ISA firewall.
The first thing you need to do is try to get something measurable. Instead of saying that the "Internet is slow", try to come up with a definitive measurement, such as "it took 10 seconds to download when the ISA firewall wasn’t in the path, but when I put the ISA firewall in the path, it now takes 60 seconds to download".
Next, confirm that the problem is not an ISA firewall issue. Use good network troubleshooting practices by working up from the bottom of the OSI or DoD network stack. Check layer 1 issues first: bad cables, bad NICs, bad switches, bad routers, bad ISP router, bad ISP, and anything that might go wrong at the physical layer. This is the most common reason for network connectivity problems and you should start there.
Right above the physical layer is the MAC layer. The Windows stack doesn’t exactly map to the OSI or DoD models, but the MAC layer does closely map to the NIC drivers. One of the most common issues that lead to poor performance is a problem with the NIC driver. One thing that I’ve seen a lot is that the NIC won’t autonegotiate or autosense its duplex settings with a switch. Try manually configuring the speed/duplex settings on the NIC driver. If that doesn’t work, check for an updated driver for the NIC on the clients and ISA firewall.
If you can confirm it’s not a physical or MAC layer problem, then make sure that it’s not a problem with the client you’re testing from. Try to replicate the problem on a second, and then a third client. Many times performance issues attributed to the ISA firewall are actually problems with a misconfigured or compromised client system.
After ruling out physical layer and client problems, then you can consider the ISA firewall device itself. The first thing to check is the Windows networking component. If you’re using a PPPoE or similar type of connection, then check that path MTU discovery is enabled. If it is not enabled, then enable it. Check out http://www.microsoft.com/technet/community/columns/cableguy/cg0704.mspx for more information about PMTU discovery.
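One way to put a number on the path MTU from the ISA firewall or a client is to binary-search the largest ping payload that gets through with the Don't Fragment flag set. The sketch below is an added example, not part of the original post; it assumes Python is available on the test machine, and the function names and the simulated 1492-byte PPPoE link are constructed for illustration.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def windows_ping_probe(host):
    """Return probe(size): one echo request sent with Windows ping and DF set."""
    def probe(size):
        out = subprocess.run(
            ["ping", "-n", "1", "-f", "-l", str(size), host],
            capture_output=True, text=True).stdout
        # Only a real echo reply carries "TTL="; a "needs to be fragmented"
        # error or a silent drop (black hole router) does not.
        return "TTL=" in out
    return probe


def largest_unfragmented_payload(probe, low=0, high=1472):
    """Binary-search the largest ICMP payload that passes unfragmented.

    Returns None when even the smallest probe fails, which means the host
    is unreachable or ICMP is filtered, not that the MTU is small.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid          # mid fits, search above it
        else:
            high = mid - 1     # mid is too big, search below it
    return low


def path_mtu(probe):
    """Path MTU in bytes: largest payload plus IP and ICMP headers."""
    payload = largest_unfragmented_payload(probe)
    return None if payload is None else payload + IP_ICMP_OVERHEAD


def simulated_link(mtu):
    """Constructed stand-in for a path whose smallest hop MTU is `mtu`."""
    return lambda size: size + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # With a host argument, probe it for real; otherwise use the simulation.
    probe = windows_ping_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_link(1492)
    print("path MTU:", path_mtu(probe))
```

A result below 1500 on a PPPoE path is expected; what matters is whether large transfers stall when the result is lower than the MTU configured on the NIC.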
If PMTU and black hole routers are ruled out as a problem, then check the DNS settings on the ISA firewall’s NICs. I discussed that in my last post, which you can read at http://blogs.isaserver.org/shinder/2006/05/08/dns-related-performance-problems-for-the-isa-firewall/
In my next post, we’ll drill down on ISA firewall-related problems and how you can use performance counters and other metrics to figure out if there is an ISA firewall configuration or sizing problem that is causing your performance issues.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls