This won’t be a tutorial; the purpose of this post is to highlight some common TCP/IP issues that degrade network performance.
Network Congestion – If your firewall/router graphs your network usage, use that, or otherwise obtain your current throughput (up/down) to your ISP. Compare the current usage with a few speed tests to determine whether your hardware is capable of hitting the maximum download/upload speeds you currently pay for. So if you have a 100 meg fiber circuit and your firewall shows you are currently using about 60 megs at any given time, you should be able to get somewhere close to 40 megs on a download test from speedtest.net. If not, either your provider is not giving you the bandwidth you are paying for or you have a hardware issue. If you have SNMP capable devices, a really simple tool is STG
Maximum Segment Size (MSS) – I’ve run into this issue a number of times, mostly when dealing with GRE/DMVPN tunnels. It’s usually fixed on Cisco routers by issuing ip tcp mss 1400. You can read more here: TCP MSS Adjustment
High TCP Retransmissions – For this one you’ll probably have to break out Wireshark and start a packet capture from the device that is having issues in your network, or use a network tap or a SPAN port on a switch. If TCP retransmissions are high, you have a problem somewhere in your network, most commonly on wireless.
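The check described above, as an added example that is not code from the original post: it applies the core rule behind Wireshark’s “TCP Retransmission” flag (a segment that carries payload and whose sequence number is below the next sequence number already seen in that direction is repeating data) to a list of segment records, and reports the retransmission rate. The segment records are constructed for the example; in practice they would be exported fields from a capture.

```python
"""Flag likely TCP retransmissions in a set of captured segments.

Added example, not code from the original post. Heuristic: a segment
with payload whose sequence number is below the highest end-of-payload
sequence already seen in that direction repeats data sent earlier.
Wireshark's own analysis is richer (fast/spurious retransmissions), but
this is the basic rule. Sample segments are constructed for the example.
"""
from typing import NamedTuple


class Segment(NamedTuple):
    ts: float    # capture timestamp, seconds
    src: str     # "ip:port" of the sender
    dst: str     # "ip:port" of the receiver
    seq: int     # relative TCP sequence number
    length: int  # payload bytes (0 for a pure ACK)


def find_retransmissions(segments):
    """Return the segments that look like retransmissions, in time order."""
    next_seq = {}   # (src, dst) -> highest end-of-payload sequence seen
    retrans = []
    for seg in sorted(segments, key=lambda s: s.ts):
        direction = (seg.src, seg.dst)
        expected = next_seq.get(direction, 0)
        if seg.length > 0 and seg.seq < expected:
            retrans.append(seg)
        next_seq[direction] = max(expected, seg.seq + seg.length)
    return retrans


def retransmission_rate(segments):
    """Fraction of payload-carrying segments that were retransmissions."""
    data_segments = [s for s in segments if s.length > 0]
    if not data_segments:
        return 0.0
    return len(find_retransmissions(segments)) / len(data_segments)


# Constructed sample: one flow; the second data segment is resent after a timeout.
SAMPLE_SEGMENTS = [
    Segment(0.000, "10.0.0.5:51000", "10.0.0.9:443", 1, 100),
    Segment(0.001, "10.0.0.9:443", "10.0.0.5:51000", 1, 0),      # ACK
    Segment(0.002, "10.0.0.5:51000", "10.0.0.9:443", 101, 100),
    Segment(0.210, "10.0.0.5:51000", "10.0.0.9:443", 101, 100),  # retransmission
    Segment(0.211, "10.0.0.9:443", "10.0.0.5:51000", 1, 0),      # ACK
    Segment(0.212, "10.0.0.5:51000", "10.0.0.9:443", 201, 100),
]

if __name__ == "__main__":
    for seg in find_retransmissions(SAMPLE_SEGMENTS):
        print(f"{seg.ts:.3f} {seg.src} -> {seg.dst} seq={seg.seq} len={seg.length}")
    print(f"retransmission rate: {retransmission_rate(SAMPLE_SEGMENTS):.1%}")
```

On the sample, one of four data segments is a retransmission (25%). A rate in the low single digits of a percent across a healthy wired path is already worth a look; a wireless segment with high loss shows up here long before users describe it as “slow”.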
TCP Window Scaling – I’ve seen this most commonly on modern firewalls that use Deep Packet Inspection (DPI). Please read more here.
Slow DNS Responses – In most enterprise environments, PCs will have a local DNS server to query, which cuts down on this problem; however, if that server is having CPU/memory/disk issues, it can still happen. Likewise, if you do not have a local DNS resolver and use a remote DNS server, this can also be a problem. I’ve used a tool from Google in the past to help troubleshoot and to point me to the best DNS server based on my network/location, called Namebench.
Path MTU Discovery (PMTUD) – This is where the “secure by default” methodology of most firewalls today may kick you in the butt. By disabling ICMP, you also disable Path MTU Discovery. It’s a simple fix, but Cisco has the best explanation I’ve been able to find on it. You can read that here. Then someone felt very strongly about the subject and created a website dedicated to it here.
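To make the point concrete, here is an added example (not code from the original post or from any firewall vendor) of the minimal ICMP exception a deny-all policy needs for PMTUD to keep working: the ICMPv4 “fragmentation needed” message (type 3, code 4, RFC 1191) and its ICMPv6 counterpart “packet too big” (type 2, RFC 8201), each carrying the next-hop MTU. The parser reads those headers and the policy function accepts only those messages, sanity-checking the reported MTU against the protocol minimum. The packet bytes are constructed for the example; checksums are not verified here.

```python
"""Let the ICMP messages that Path MTU Discovery depends on through a
deny-all ICMP policy.

Added example, not code from the original post or from any firewall
vendor. A router that cannot forward a packet with DF set reports it to
the sender as ICMPv4 type 3 code 4 (RFC 1191) or ICMPv6 type 2
(RFC 8201), including the next-hop MTU. Dropping all ICMP drops these
too, and large transfers stall. Packet bytes below are constructed.
"""
import struct

ICMP4_DEST_UNREACHABLE = 3
ICMP4_CODE_FRAG_NEEDED = 4
ICMP6_PACKET_TOO_BIG = 2
IPV4_MIN_MTU = 68      # RFC 791: every IPv4 host must accept 68-byte datagrams
IPV6_MIN_MTU = 1280    # RFC 8200: minimum IPv6 link MTU


def parse_icmp4(data: bytes):
    """Return (type, code, next_hop_mtu); mtu is None unless Fragmentation Needed."""
    if len(data) < 8:
        raise ValueError("truncated ICMPv4 header")
    icmp_type, code, _checksum, _unused, mtu = struct.unpack("!BBHHH", data[:8])
    if icmp_type == ICMP4_DEST_UNREACHABLE and code == ICMP4_CODE_FRAG_NEEDED:
        return icmp_type, code, mtu
    return icmp_type, code, None


def parse_icmp6(data: bytes):
    """Return (type, code, mtu); mtu is None unless Packet Too Big."""
    if len(data) < 8:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, code, _checksum, mtu = struct.unpack("!BBHI", data[:8])
    if icmp_type == ICMP6_PACKET_TOO_BIG:
        return icmp_type, code, mtu
    return icmp_type, code, None


def pmtud_policy(ip_version: int, data: bytes) -> str:
    """'accept' for the messages PMTUD needs, 'drop' for everything else.

    The reported MTU is checked against the protocol minimum so that a
    malformed message cannot push the sender's path MTU to a useless value.
    """
    if ip_version == 4:
        _, _, mtu = parse_icmp4(data)
        floor = IPV4_MIN_MTU
    elif ip_version == 6:
        _, _, mtu = parse_icmp6(data)
        floor = IPV6_MIN_MTU
    else:
        raise ValueError("ip_version must be 4 or 6")
    if mtu is None:
        return "drop"
    return "accept" if mtu >= floor else "drop"


# Constructed messages. The error body (original IP header + first 8 bytes
# of payload) is zero-filled; the policy does not inspect it.
FRAG_NEEDED_1400 = struct.pack("!BBHHH", 3, 4, 0, 0, 1400) + bytes(28)
FRAG_NEEDED_BOGUS = struct.pack("!BBHHH", 3, 4, 0, 0, 40) + bytes(28)
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0, 1, 1)            # id=1, seq=1
PACKET_TOO_BIG_1280 = struct.pack("!BBHI", 2, 0, 0, 1280) + bytes(48)

if __name__ == "__main__":
    for label, ver, pkt in [("frag-needed 1400", 4, FRAG_NEEDED_1400),
                            ("frag-needed bogus", 4, FRAG_NEEDED_BOGUS),
                            ("echo request", 4, ECHO_REQUEST),
                            ("packet-too-big 1280", 6, PACKET_TOO_BIG_1280)]:
        print(f"{label:20s} -> {pmtud_policy(ver, pkt)}")
```

On a real firewall this translates to permitting those two message types inbound rather than permitting “any ICMP”; everything else the author’s “secure by default” posture drops can stay dropped without breaking PMTUD.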
Routing Issues – In this case it would be poorly configured asymmetrical routing. Traffic goes out on a nice 100 meg connection but comes back to you on your backup 20 meg connection, likely due to a BGP configuration problem.
TCP Offload – Depending on how your servers are configured, this could be a blessing or a curse. I’ve most commonly had a problem with this on virtualized servers where the host/virtual NIC weren’t on the same page. Disabling it helped.
SMB 3.0 Multichannel – Read here for details on it, but simply put, add more network interfaces to your file server and you’ll have better performance.
I have reinvented the wheel here somewhat, but if you want a single source for some good information on most of these issues, please visit this site.
Also, learn Wireshark. It will become your best friend.
I am migrating a few XenServer VMs between AMD and Intel pools for a customer and stumbled across a faster way to do the export than through XenCenter.
From the Windows host where XenCenter is installed, run the following command:
C:\Program Files (x86)\Citrix\XenCenter\xe.exe -s x.x.x.x -u root -pw xxx vm-export vm=SERVERNAME filename=C:\users\user\folder\SERVERNAME.xva --nossl
The trick here is that part of the slowness of the export is the SSL encoding/decoding happening within XenCenter. By using the --nossl option, you are bypassing that encryption layer. This also makes the transfer less secure, but let’s not dwell on the facts.
I’ve used this tool for quite some time but after talking with a number of people, have discovered that most have never heard of it. It’s a web service that automatically does tasks for you based on whatever rules you give it (they call them recipes). Here are some examples of processes you can automate with ifttt.com.
The recipes follow the simple IF…Then methodology.
You can check out sample recipes or create your own at http://ifttt.com.
I had once been a longtime user of OpenDNS for my home and some small businesses that I worked with. It served as a forward lookup DNS server and as a web filter for those networks. OpenDNS performed quite well. I don’t know why, but I eventually drifted away from OpenDNS as a web filter and implemented Barracuda Web Filters or spun up Squid/SquidGuard on pfSense if the need arose. Recently though, with my personal company, CloudFirst Technologies, I needed a reliable and AFFORDABLE web filter for my customers. I stumbled across SafeDNS. It seemed to have the same features as OpenDNS, but until I tried it, I didn’t know how effective it was. I’m happy to report that it is a great alternative to OpenDNS. It blocks sites as expected, gives you control over the networks that belong to you, allows for custom profiles per network, etc. The price was not overly attractive initially, but they have recently reworked their K-12 pricing, which makes it the most cost-effective filtering solution available.
In order to utilize the service you simply point your computer or DNS forwarder to SafeDNS’s servers (126.96.36.199), then configure the network (source IP address) in SafeDNS’s dashboard/control panel. You create a profile (site categories you want blocked) and assign a network to that profile. That’s it, you are done.
Give them a try at http://safedns.com
I’ve been trying to get the look and feel of this site to a point where I’m happy again and something that has bothered me for some time now is the date at the top of the pages. This was a weird theme decision in my opinion. For what reason would a “static?” page need to have a date at the top of it?
Development and coding are not in my wheelhouse, but I’ve always been able to understand PHP and some other languages well enough that I can typically make small changes. In this case, I was able to remove the date from the top of the Page Template (page.php) file.
To do this, remove <?php the_date(); ?> from the page.php template (Appearance –> Editor –> Page Template (page.php)). Click Update File and you’re done.
Note: There is probably a better way to accomplish this, but until I discover it, I’ll just have to fix the template any time there is an update. Not a huge deal I suppose.
After upgrading to Windows 10 on my main work computer, I could no longer connect to 2 XenServer 6.2 hosts and found out that the error was “Could not create SSL/TLS Secure Channel”. After a bit of lazy searching I found a forum post that fixed the problem.
The actual fix for this is as follows.
service xapissl stop
mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.bak
/opt/xensource/libexec/generate_ssl_cert "/etc/xensource/xapi-ssl.pem" '10.10.6.27'
service xapissl start
Replace the 10.10.6.27 with the IP of the server host you are attempting to fix. This should resolve your ability to connect from XenCenter.
Please do not bother responding with how worthless this is. This is purely academic. A few of the guys at my office were curious, and I was idle for a little while this weekend and got started with the basics of the basics in bitcoin mining.
Go setup yourself a bitcoin wallet here –> http://www.trybtc.com There will be some tutorials, feel free to go through those.
You’ll end up here –> https://coinbase.com This is where you can keep track of your account. First let’s pop in there and grab the bitcoin address that we will use in a bit. You can find it under Account Settings –> Bitcoin Addresses. This is how others can give you money.
Create an account here –> https://mining.bitcoin.cz/ This is the only way that CPU mining is even relevant….which it’s really not. This is a pool of individuals that work on mining bitcoin blocks.
OK, now that you have set up the accounts, here is the basic how-to for setting up CPUMINER on Ubuntu 12.04 Server. I have this deployed on 16 VMs running 1 processor and 512 megs of RAM each for testing.
Install Ubuntu 12.04 Server and get root
chmod o+x bcminingprep.sh
edit bcminingprep.sh for your worker user/pass found under “My Account” in the bitcoin.cz site.
Now you are mining. Please feel free to comment how fast or slow your mining is going. I have 16 VMs on modern hardware under XenServer 6.2 running on AMD processors, all getting 4.57 khash/s. Please note…this is very slow and you will likely never make your money back once power is concerned.
Added Cycling to my “Projects” dropdown and Pins for Pinterest (they are actually my wife’s but I like most of them). Stay tuned…
A few days ago I received a pretty new Google Chrome Notebook, model CR-48. I was completely caught off guard by a very nicely packaged device sitting on the table when I got home. I still had no idea what it was because I forgot that I signed up for this program. Ecstatic doesn’t quite cover how happy I was when I discovered what it was. I was actually selected as a Google Chrome Notebook pilot user. I doubt this is a rare thing, however I almost never get selected to test stuff that I think is cool.
So far the experience has been pretty good. When I first booted the system, I had a bit of a hard time connecting to my wireless. I have a WRT-160N running DD-WRT with WPA2 AES/TKIP enabled. I reconfigured it to just TKIP and it seemed to work after that and then I was able to login and get the notebook updated. Pretty neat that EVERYTHING is handled under Chrome.
My wife said it’s the perfect computer for her. It’s small and light enough to take around the house, and we pretty much use Google Docs exclusively for document creation and sharing. We both use Hulu for videos, Picasa for photos, and I use WordPress for blogging. I have not found a telnet/ssh client for the browser yet, so I may take a stab at creating one or finding someone who can. Since I’m a network engineer, this is an essential function for me. I’m happy to see the Cisco ASA Clientless SSL VPN now supports Chrome as a browser, since that will be my primary view into my work network.
I’ll put up some more posts as time goes on about the use of the Google Chrome Notebook CR-48.
Well, it has been over a year since I have last posted something worthwhile and I feel a little bad about that. Even if nobody is reading this, I use it to help me remember things that I know I’ll need later. So if I haven’t posted in a while then I’ll probably forget everything I’ve learned over the last year :). Hopefully not.
OK, so a few new things have happened. My daughter, Kacy was born 8/24/2009 and is now the fire in my life…literally she makes me burn inside with love, anger, cheer, fear, and laughs. She’s pretty awesome. My wife who stays at home with her has been very patient and we are now making good progress towards potty training.
I am now employed at KeyOn Communications, Inc as the Sr. Network Engineer. I updated my about me section so you can check some details there, but in short, I’ll be posting some things up here about what I’m doing at work. This change is bigger than it sounds. I used to work in SMB/SME systems where I was the “go to” person for everything under the sun. Servers, Exchange, Outlook, Quickbooks, etc…you name it, I had to support it. Now, I get to focus on something and move away from the “Jack of All Trades, Master of None” mentality to finally becoming an expert on something…and I feel GREAT… Working for a smaller ISP that is growing pretty rapidly, I think, is the perfect place for me.
I now have my CCNA. This took me 6 years too long to get. I should have taken it while I was in the Marine Corps but didn’t, then I fell into two jobs that didn’t care one way or another…therefore I took the path of least resistance…not anymore. Now I am working towards my CCNP and then off to CCIP and CCIE in time.
Until next time…