Thursday, October 27, 2011

Astaro “ICMP Destination unreachable (Fragmentation needed)” Problems

Problem:

Twice now the performance of my Astaro Security Gateway VMware Virtual Appliance has dramatically decreased for any traffic passing through it, and it reports “ICMP x.x.x.x unreachable - need to frag (mtu 1500)”.

Solution:

Change your VMware virtual appliance network adapters from the pre-configured “Flexible” to “E1000” by editing the .vmx file.

Description:

I have four virtual machines that run on VMware ESX 4. One of these VMs is the ASG virtual appliance, connected to a public (Internet) interface and a private (virtual network) interface. Each of the remaining three systems is connected to the private virtual network as well. One is a web server, another a database server.

Using a DNAT rule I make my web server accessible to external (Internet) users. Using the SSL VPN I made my database server accessible to internal (company) users.

For some reason, and after performing very well for months, the ASG starts exhibiting awful performance in passing traffic back and forth. Web pages that external users try to access rarely display and more often time out. (An interesting note is that Windows clients seem to time out 93% of the time, but Mac clients display the web page, after a few extra seconds, 99% of the time.)

Users connected via SSL VPN and accessing the database server also see horrible performance. If I SCP a 3MB file from the database server to my laptop over the SSL VPN, it transfers in 30 seconds. However, uploading this same 3MB file from my laptop to the database server takes 12 minutes!

The ASG stats show very little load on the system during these transfers:

CPU: 4%
RAM: 31%
Swap: 1%
Log disk: 2%
Data disk: 5%

Using SSH on the Astaro I run a tcpdump to see what’s going on. I’m able to narrow it down by using:

tcpdump -ni any -s0 -v -f 'icmp[icmptype] == 3 and icmp[icmpcode] == 4'
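To show what that filter actually matches, here is an added example (not from the original post) that decodes an ICMP type 3 code 4 “need to frag” message the way tcpdump -v would: the router that sent it, the next-hop MTU it advertises, and the original flow it refers to. The sample packet is constructed inline (10.0.0.x and 203.0.113.5 are placeholder addresses); the parser also verifies the ICMP checksum before trusting the MTU value.

```python
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4  # tcpdump: icmp[icmptype]==3 and icmp[icmpcode]==4

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; verifying over a whole ICMP message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(packet: bytes):
    """Decode one IPv4 packet. Returns a dict with the router that sent it, the
    next-hop MTU it advertises and the flow it refers to, or None if the packet
    is not a checksum-valid 'need to frag' message."""
    if packet[0] >> 4 != 4 or packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    itype, icode, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, icode) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) or inet_checksum(icmp):
        return None
    inner = icmp[8:]                      # original IP header + first 8 payload bytes
    inner_ihl = (inner[0] & 0x0F) * 4
    proto, orig_len = inner[9], struct.unpack("!H", inner[2:4])[0]
    ports = None
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        ports = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {"router": socket.inet_ntoa(packet[12:16]), "mtu": mtu,
            "orig_src": socket.inet_ntoa(inner[12:16]),
            "orig_dst": socket.inet_ntoa(inner[16:20]),
            "orig_len": orig_len, "proto": proto, "ports": ports}

def build_sample() -> bytes:
    """Constructed sample (not a real capture): router 10.0.0.1 reports to 10.0.0.20
    that its 1520-byte DF-flagged TCP segment to 203.0.113.5 exceeds MTU 1500."""
    ip = "!BBHHHBBH4s4s"
    inner = struct.pack(ip, 0x45, 0, 1520, 0x1234, 0x4000, 64, socket.IPPROTO_TCP, 0,
                        socket.inet_aton("10.0.0.20"), socket.inet_aton("203.0.113.5"))
    inner += struct.pack("!HHI", 51515, 443, 1)   # first 8 bytes of the TCP header
    body = struct.pack("!HH", 0, 1500) + inner     # unused, next-hop MTU, quoted datagram
    hdr = struct.pack("!BBH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0)
    icmp = hdr[:2] + struct.pack("!H", inet_checksum(hdr + body)) + body
    outer = struct.pack(ip, 0x45, 0, 20 + len(icmp), 1, 0, 64, socket.IPPROTO_ICMP, 0,
                        socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.20"))
    return outer + icmp
```

A flood of these messages with an MTU that the path should already satisfy, as on this appliance, points at the hop emitting them rather than at the end hosts.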

After shutting down the ASG virtual appliance, then changing the network adapter type to “E1000” and restarting the ASG virtual appliance the problem vanishes.

Astaro Support Rant

At this point I just want to rant a little about Astaro Support. I’ve been working with Astaro products since 2005 and really, really like them. They’ve always been, in my opinion, an EXCELLENT value for the feature set you receive and the price that you pay, just excellent.

In those 6 years I’ve worked with Astaro products (6 different Astaro product installs) I’ve had to contact their support about 10 times, which I don’t think is bad. In almost all cases the support follow-up, communication and technical ability of the engineers has really been excellent.

However, in the past four months I’ve had to contact Astaro three times. In each instance the response and communication was pathetic, meaning that I either didn’t hear anything from Astaro or I had to call them to get any response.

In another instance I opened a ticket on July 6th, received a response back on that same day with some comments on the case, exchanged a few more emails on the 6th and 7th, then I didn’t receive another response until July 15th!

I called Astaro support again and spoke to a gentleman who said all of the engineers were in a meeting and weren’t available. He said he would note the case and leave a note on the engineer’s desk to have him call me back after the meeting. I didn’t receive a phone call that day before I left at 5:40pm, nor later that evening, although I had my work phone forwarded to my cell expecting the call.

The next day, Thursday, I called again. I spoke to the same gentleman, who wasn’t sure why the engineer hadn’t contacted me. He said the engineer wouldn’t arrive until later that day, as he does west coast support, and would contact me by 1:00pm. Again he said he would note the case, leave a note for the engineer on his desk and would ask him directly to contact me. I never received another call from the engineer.

After sending off an email to the sales rep and the support manager I was finally able to get someone’s attention and later the following day a new engineer was assigned to my case.

This instance has damaged my faith in Astaro support. I’m not sure if this has anything to do with Sophos acquiring Astaro, but it sure seems like since then the support has plummeted.

I’ll continue to use Astaro for my existing projects, however the next new project that comes along will have me looking for a competing device to try.
