It's now been over a week, and we are nearly at wits' end trying to track down our performance issues here. We now have a P3/667 (single CPU! SMP was definitely the source of previous lockups) with 256Mb RAM. It is running along with a load avg of less than 0.1 even at peak times. Max ip_conntrack is around 1500-2000. Sounds fine, but we have also tried 3 different squid proxies (2 NT, 1 linux), and 3 different DNS servers (bind and djbdns), and are still getting sporadic long delays at various times of the day, often when the proxy is under light load.

Is there *any* chance that the firewall could be at fault here? It almost seems like it's taking 10+ seconds to set up the connection, but once that happens, the browser page loads quickly. Any content from different servers on the same page introduces another delay (usually). Sounds like DNS, but squid is showing very good dns avg response times (under 100ms).

The reason I still suspect the firewall is *some* tests result in similarly slow speeds either through the proxy, or direct. At other times direct is faster, but often suffers from serious initial delays.

Is there some config error that could lead to this type of behaviour?

Thanks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
Still sounds like a DNS problem to me! I guess you need to investigate this further, take care of round robin if using more than one DNS.

Philipp

Shawn Wright wrote:
>It's now been over a week, and we are nearly at wits' end trying
>to track down our performance issues here. We now have a
>P3/667 (single CPU! SMP was definitely the source of previous
>lockups) with 256Mb RAM. It is running along with a load avg
>of less than 0.1 even at peak times. Max ip_conntrack is
>around 1500-2000. Sounds fine, but we have also tried 3
>different squid proxies (2 NT, 1 linux), and 3 different DNS
>servers (bind and djbdns), and are still getting sporadic long
>delays at various times of the day, often when the proxy is
>under light load.
>Is there *any* chance that the firewall could be at fault here? It
>almost seems like it's taking 10+ seconds to set up the
>connection, but once that happens, the browser page loads
>quickly. Any content from different servers on the same page
>introduces another delay (usually). Sounds like DNS, but squid
>is showing very good dns avg response times (under 100ms).
>
>The reason I still suspect the firewall is *some* tests result in
>similarly slow speeds either through the proxy, or direct. At
>other times direct is faster, but often suffers from serious initial
>delays.
>
>Is there some config error that could lead to this type of
>behaviour?
>
>Thanks.
>
>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>Shawn Wright, I.T. Manager
>Shawnigan Lake School
>http://www.sls.bc.ca
>swright@sls.bc.ca
Shawn Wright wrote:
>
> It's now been over a week, and we are nearly at wits' end trying
> to track down our performance issues here. We now have a
> P3/667 (single CPU! SMP was definitely the source of previous
> lockups) with 256Mb RAM. It is running along with a load avg
> of less than 0.1 even at peak times. Max ip_conntrack is
> around 1500-2000. Sounds fine, but we have also tried 3
> different squid proxies (2 NT, 1 linux), and 3 different DNS
> servers (bind and djbdns), and are still getting sporadic long
> delays at various times of the day, often when the proxy is
> under light load.
> Is there *any* chance that the firewall could be at fault here? It
> almost seems like it's taking 10+ seconds to set up the
> connection, but once that happens, the browser page loads
> quickly. Any content from different servers on the same page
> introduces another delay (usually). Sounds like DNS, but squid
> is showing very good dns avg response times (under 100ms).
>
> The reason I still suspect the firewall is *some* tests result in
> similarly slow speeds either through the proxy, or direct. At
> other times direct is faster, but often suffers from serious initial
> delays.
>
> Is there some config error that could lead to this type of
> behaviour?

It does sound like DNS, the only way I would try to tackle it is by doing it from scratch since it could be a number of things. Since you've been using djbdns, I would try dnscache first, then, if it's working as it should, I would add tinydns but not make the mistake of issuing the same listening IP address on both. Then there is the $DNSCACHEIP variable as a workaround..

http://cr.yp.to/djbdns/resolve.html

Then I would continue with squid's configuration and look at the DNS resolving options within squid.conf -

http://squid.visolve.com/squid/squid24s1/externals.htm#dns_nameservers

I had problems with this since I only have a private network, not a FQDN, so I disabled those options in squid.conf altogether.

It worked just fine on a PentiumII with 64 RAM and *LOTS* of swapfile space.. ;)

Good Luck!

--
Patrick Benson
Stockholm, Sweden
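An added diagnostic example, not part of any post in this thread: the question above is whether the 10+ second stall happens during name resolution or during TCP connection setup through the firewall, and an average can hide sporadic stalls. This Python sketch times the two phases separately over repeated attempts and reports the maximum and the count of slow attempts per phase; the target host names and the 1-second "slow" threshold are assumptions.

```python
import socket
import statistics
import time

def time_phases(host, port, timeout=15.0):
    """Return (dns_seconds, connect_seconds) for one attempt.

    connect_seconds is None when resolution or the TCP connect fails.
    """
    t0 = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return time.monotonic() - t0, None
    dns = time.monotonic() - t0
    family, socktype, proto, _, addr = infos[0]
    t1 = time.monotonic()
    try:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            s.connect(addr)  # completes after the SYN / SYN-ACK / ACK exchange
    except OSError:
        return dns, None
    return dns, time.monotonic() - t1

def summarize(samples, slow=1.0):
    """Per-phase mean, max and slow count; max and slow expose sporadic stalls."""
    out = {}
    for name, idx in (("dns", 0), ("connect", 1)):
        vals = [s[idx] for s in samples if s[idx] is not None]
        out[name] = {
            "mean": statistics.mean(vals) if vals else None,
            "max": max(vals) if vals else None,
            "slow": sum(v >= slow for v in vals),
            "failed": sum(s[idx] is None for s in samples),
        }
    return out

if __name__ == "__main__":
    # Hypothetical targets: replace with sites that show the delay.
    for host in ("www.example.com", "www.example.org"):
        runs = [time_phases(host, 80) for _ in range(20)]
        print(host, summarize(runs))
```

Running it from a client behind the firewall and again on the firewall host itself shows whether slow attempts cluster in the `dns` phase or the `connect` phase.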