Strange internet disconnection problem

[mmkhan]

Hi all,

This question is related to my first guestion (http://www.antionline.com/showthread...821#post810821).

Now the situation is the administrator of my local lan asked me to help him to solve the problem. As the internet connectivity is lost in the morning time and after 4P.M it agains works fine. During morning hours the 'SERVER' having 'ISA Server 2000 installed on it with an external modem and LAN interface' is able to run the internet while the clients are able to connect to internet. I have observed this thing myself. We cannot even ping the 'SERVER' as there are soo much timeouts and as it takes more than 1ms and some times 400ms but in evening hours this value is 1ms or around it. I have also saw the rules in ISA to ensure that the admin is not playing with us but there was none of the suspicious rules in that. One more thing msn and yahoo messenger both can connect during that hours. When u try to load a website (in status bar there is message web site found waiting for reply) that lasts). Now i need ur comments as how to solve the problem as i have full access to the 'SERVER'. Any type of comments will be appreciated.

Note: I have also checked for arp poisioning attacks (DOS) but there was none.

mmkhan

[hypronix]

Only thing I can think of is run a sniffer on the LAN to see if there's any reason for the drop... maybe a recurring event, something like an automated patch update or something like so. Let it run for a day then try to make out the logs around the hours that seem to give problems... other than that I'm not much help, I don't know enough about ISA to talk about internal issues that might exist.

[mmkhan]

@hypronix:
I have run sniffer (Ethereal) from my system (not from the SERVER) and i have not saw any unusual traffic. Only saw arp packets from other computers asking for SERVER.

[hypronix]

Try running it in promisc mode so that it sniffs all the traffic on the network. Alternatively if you don't want your logs to be huge have it log only traffic from/for the IP of the server. Ettercap is also nice to have around, and I think it works with winpdump [if you can't use *nix anywhere]. You can use both of these and many more off a LiveCD security distro like Knoppix-STD that you could pop in a machine and use it 'straight up'.

However there might be somewhere around here with a more direct solution to your problem so... check back

[nihil]

Firstly, let me say that I have no personal experience in this area, so my suggestions are "second hand" based on conversations with those working in this field, and a lot of guesswork.

Also, they are based on ADSL, rather than cable broadband, but the principles might be the same?

I would suggest that you look at resources usage on the server. Not the number of customers on at any one time, but the bandwidth that they are using.

It strikes me as interesting that the problems are during office/working hours, rather than in the evening, when students are playing games and downloading stuff

I know that my ADSL provider works on a contention ratio of 50:1. That is the resources are potentially shared between 50 users. Now, my contract says that I may connect one computer (at any one time) to the service.

If I set up a network and and attached to the service via a router, I do not think that my ISP would know? all they would see would be a lot of traffic/bandwidth usage coming from the router?

I wonder if there are a number of unscrupulous business users who have registered for the service as home customers, but are actually running networks through it? My friends who work in this area, have certainly encountered this.

I cannot quite remember the daily bandwidth allocation that I am allowed, but I do know that if there were 50 users (contention ratio is 50:1, remember) and they all used their allocation in the same time window (business hours or evening) it would bring the service to its knees.

Now, each user would not exceed their allocation, individually; so probably would not show up in the logs, but the combined peak usage would cause a problem.

I know that these services are set up to satisfy "average" demands, so creating an unusual peak could cause these problems.

Just a thought