Kerio User Forums, Kerio Control: Problem after upgrading to 8.2.0
  •  
clevergod

Please help!
Good weekend to all.
After upgrading Kerio Control to 8.2.0, Internet traffic started freezing.

Analysis revealed that the ping time from the LAN to the single server with Kerio Control is too big.
After upgrading Kerio Control to 8.2.0:
Ответ от proxy: число байт=32 время=2мс TTL=64
Ответ от proxy: число байт=32 время<1мс TTL=64
Ответ от proxy: число байт=32 время=16мс TTL=64
Ответ от proxy: число байт=32 время=20мс TTL=64

On earlier versions:
Обмен пакетами с proxy с 32 байтами данных:
Ответ от proxy: число байт=32 время<1мс TTL=64
Ответ от proxy: число байт=32 время<1мс TTL=64
Ответ от proxy: число байт=32 время<1мс TTL=64
Ответ от proxy: число байт=32 время<1мс TTL=64

The more Internet users there are, the higher the response time of the ICMP ping command.

What I did:
1. First upgraded the old version to the new version of Kerio Control, upgraded the HTTP rules, filtering off.
2. Disabled Sophos, Snort and the web filter; cleaned all caches, both HTTP and DNS.
3. Installed again - the result is the same.

Please help, what could be the problem? Because after a downgrade to the previous version everything works fine.

  •  
sorat

Is it a repeating pattern for the whole day, or a specific time of day?
What is the CPU load in %? How many users are connected?
Try this.
Make a rule, that blocks all traffic from your clients, except only your test pc, then check "ping 192.168.1.7 -t" (i.e. scenario 'kerio server<->single user')

Btw, do you have "block IP of password guessing attacks" option enabled?

[Updated on: Tue, 26 November 2013 08:02]

  •  
clevergod

Is it a repeating pattern for the whole day, or a specific time of day?
Always, every day, no matter what.

What is the CPU load in %? How many users are connected?
CPU and RAM: see the screenshot
rghost.ru/50455757.view
Users: 20-150 users at different times.

Make a rule, that blocks all traffic from your clients, except only your test pc, then check "ping 192.168.1.7 -t" (i.e. scenario 'kerio server<->single user')
Done, nothing has changed. The more Internet users in the network, the higher the response =10-500ms. Without users, ping тще too big =5ms.

Btw, do you have "block IP of password guessing attacks" option enabled?
I turned off this option, nothing has changed.

  •  
sorat

Disable 'https cache'
  •  
clevergod

Disable 'https cache'

Good evening.
Disabled the HTTP cache; so far no visible effect. I'll check tomorrow at full load.
Thank you for answering my questions.

Good morning.
Checked at full load, nothing has changed.
Ping is still high.

[Updated on: Wed, 27 November 2013 04:43]

  •  
sorat

Now we measure the bandwidth of the LAN connection with iperf.
Go to status->system health->holding shift click on Tasks->enable SSH
Download iperf 32 bit for linux (kerio as server), and for windows (your PC as client), unpack linux's gz archive with total commander.
Download WinSCPPortable
Download putty

With WinSCP connect to 192.168.1.7 (root,'password') copy iperf to tmp folder
Click properties->set permission to enable X (execution)-> OK.

With putty, connect to firewall, go to folder with iperf (cd tmp), start iperf in server mode with
./iperf -s
Make sure traffic rules allow port 5001 to firewall.

Now start iperf from your PC, in client mode with
iperf.exe -c 192.168.1.7 -P 10 -w 100k

The test will show the capacity of your LAN to transmit packets.
  •  
clevergod

What if I just ping from the proxy to my localhost?!
status->ip-tools->ping
object : 192.168.1.17
protocol: automatic
amount : 10
quantity: 100
Ping results:
PING 192.168.1.17 (192.168.1.17) 100(128) bytes of data.
108 bytes from 192.168.1.17: icmp_req=1 ttl=128 time=7.47 ms
108 bytes from 192.168.1.17: icmp_req=2 ttl=128 time=0.379 ms
108 bytes from 192.168.1.17: icmp_req=3 ttl=128 time=0.372 ms
108 bytes from 192.168.1.17: icmp_req=4 ttl=128 time=0.380 ms
108 bytes from 192.168.1.17: icmp_req=5 ttl=128 time=0.392 ms
108 bytes from 192.168.1.17: icmp_req=6 ttl=128 time=0.391 ms
108 bytes from 192.168.1.17: icmp_req=7 ttl=128 time=2.98 ms
108 bytes from 192.168.1.17: icmp_req=8 ttl=128 time=6.20 ms
108 bytes from 192.168.1.17: icmp_req=9 ttl=128 time=19.4 ms
108 bytes from 192.168.1.17: icmp_req=10 ttl=128 time=0.330 ms

--- 192.168.1.17 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9006ms
rtt min/avg/max/mdev = 0.330/3.838/19.470/5.795 ms
  •  
clevergod

When I drop iperf in the tmp folder, set the permissions to 0777 and run ./iperf -s, the PuTTY console and WinSCP freeze.
  •  
sorat

That's not normal. The executable failed to start.

Maybe the same thing happened when you tried to update from 8.1 to 8.2 using the image file.
Some scripts or executables failed, and the update was incomplete, or worse.

At this point you should consider re-installing 8.2 afresh from CD-ROM. Export your settings, then import them. Everything will be preserved, except that the statistics data will be cleaned. Really simple.
  •  
clevergod

I already wrote that I reinstalled again from CD-ROM.
This is the first thing that came to my mind.
There is an assumption that the problem is in the network card driver of version 8.2.0.
  •  
sorat

Is it a dedicated PC install or vmware?
  •  
clevergod

sorat wrote on Thu, 28 November 2013 01:05
Is it a dedicated PC install or vmware?


This is a physical machine.
  •  
clevergod

I have also noticed that the mail stopped flowing after the update to 8.2.0. Unplug the protocol inspector from the traffic rules, and then everything works.

I can provide screenshots of the traffic and filtering policies.

HTTP Policy
http://rghost.ru/50466465.view
http://rghost.ru/50466505.view
http://rghost.ru/50466523.view
http://rghost.ru/50466537.view

Traffic Policy
http://rghost.ru/50466550.view
http://rghost.ru/50466575.view
http://rghost.ru/50466593.view
http://rghost.ru/50466609.view

[Updated on: Thu, 28 November 2013 06:47]

  •  
sorat

The protocol inspector was the last culprit and the last resort to try disabling. I didn't tell you yet, because most would just refuse to drop it. But it seems you found it yourself.
Additionally, you can try this.
Divide your traffic rules so that you have only the HTTP and HTTPS ports with the protocol inspector enabled (try 'http' instead of just 'default'). Then clone the rule, with all other ports like SMTP etc., to be below the first, and set the inspector to 'none'.
See if that helps, and report back.
One guy on this forum also noticed that the inspector on the mail port doesn't work as expected.

EDIT: disable the protocol inspector on every rule, leaving only those that use ports 80 and 443.
Also, no need to inspect traffic on deny rules.

[Updated on: Thu, 28 November 2013 10:26]
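
The rule split suggested in the last post, as an added example that is not part of the thread and not Kerio's own configuration format: the Rule model, the sample policy and all function names are assumptions made for illustration. It rewrites a policy so that only ports 80 and 443 keep an inspector (set to 'http'), the clone for the remaining ports sits directly below with the inspector set to 'none', and deny rules are not inspected.

```python
from dataclasses import dataclass, replace

WEB_PORTS = frozenset({80, 443})  # the only ports that keep an inspector

@dataclass(frozen=True)
class Rule:  # hypothetical model of a traffic rule, not Kerio's export format
    name: str
    action: str        # "allow" or "deny"
    ports: frozenset   # destination ports the rule matches
    inspector: str     # "default", "http" or "none"

def split_rule(rule):
    """Return the rule(s) that replace `rule`, in evaluation order."""
    if rule.action == "deny" or rule.inspector == "none":
        return [replace(rule, inspector="none")]  # deny rules need no inspection
    web, other = rule.ports & WEB_PORTS, rule.ports - WEB_PORTS
    both = bool(web and other)
    out = []
    if web:  # web ports keep an inspector, set explicitly to 'http'
        out.append(replace(rule, name=rule.name + (" (web)" if both else ""),
                           ports=web, inspector="http"))
    if other:  # the clone goes below the web rule with the inspector off
        out.append(replace(rule, name=rule.name + (" (other)" if both else ""),
                           ports=other, inspector="none"))
    return out or [rule]  # a rule without listed ports is left untouched

def rewrite_policy(rules):
    """Split every rule in place so the original top-down order is preserved."""
    return [new for rule in rules for new in split_rule(rule)]

def violations(rules):
    """Names of rules that still inspect a deny rule or a non-web port."""
    return [r.name for r in rules
            if r.inspector != "none" and (r.action == "deny" or r.ports - WEB_PORTS)]

# Constructed sample policy (not taken from the poster's screenshots).
POLICY = [
    Rule("Internet access", "allow", frozenset({80, 443, 25, 110}), "default"),
    Rule("Mail relay", "allow", frozenset({25}), "default"),
    Rule("Block P2P", "deny", frozenset({6881}), "default"),
]

if __name__ == "__main__":
    print("rules to fix:", violations(POLICY))
    for r in rewrite_policy(POLICY):
        print(f"{r.name:26} {r.action:5} {sorted(r.ports)} inspector={r.inspector}")
```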
