SQL Server locking up with newly installed firewall


Hi there Eric,

I hope you can help me with this problem. First I should say that I am new to the SQL/server/networking side of things. I am working in an office that runs ColdFusion, NT 4.0 - IIS 4.0 and SQL Server 7.0. We have recently installed a Sonic Firewall. Since then, we have had a very irritating, intermittent problem. About 10 times a day, our SSL pages lock up (anywhere from 30 seconds to 5 minutes at a time). All other pages run just fine, including other ColdFusion pages that are not SSL. I have read that there may be a problem with the protocol of the SQL Server. I have also read that Sonic Firewall may not be too good with interfacing with SQL Servers. Any clues? Any advice you could render would be greatly appreciated!

Chris Novelli Programmer/Systems Analyst MSRS Sunnyside, WA

-- Anonymous, April 27, 2001



That's a tough one. All I can do is quote verbatim some usenet advice on use and troubleshooting of firewalls with SQL Server using SSL.

Good Luck,


From: Pat Filoteo (patf@nwlink.com)

Subject: Re: Firewall w/ SQL SERVER and ADO/IIS slowing queries down 10x?

Newsgroups: microsoft.public.inetserver.iis, microsoft.public.inetserver.iis.activeserverpages, microsoft.public.siteserver.commerce, microsoft.public.siteserver.general, microsoft.public.sqlserver.clients, microsoft.public.sqlserver.connect, microsoft.public.sqlserv

Date: 1998/10/05

I would say that the firewall should go. I would set it up to reverse proxy the web machine. This would put both machines in a protected area and you would not need to deal with maintaining the elaborate security. Also, you would be able to close all of the ports but 443 (SSL) & 80 (HTTP).

Also, if the FW is based on BSD, I have seen these periodically go VERY slow for no apparent reason even though the processor is running fine (SideWinder FW's use it).

Another thing you can do is verify that the FW is leaving the port open all the time (poorer security but faster) and not just when data is passing. This will hammer your site under a load of any kind.

Personally, if a FW HAS to be there, you should use a dedicated hardware solution (cisco 1600 or 2500 series comes to mind w/the FW software).

Finally, have you run a network trace to find the bottleneck? Does the FW have a packet queue reporting method (most do)? I doubt very seriously that your FW can pass much more than 1 MBit/sec even w/the P-II (this would be consistent with the results you are seeing). Have you tried just doing file transfers between the boxes to determine throughput (you should use LOTS of small files for this)?

Hope that helps,

Pat Filoteo, MCSE

Tom Kubik wrote in message <#r$nn6K89GA.259@uppssnewspub05.moswest.msn.net>...

Hi everybody,

We've been developing a Site Server 3.0 commerce store that features a fairly extensive query engine. We've run into problems with query performance after introducing a Cisco Centri Firewall to the mix. For security reasons, the DB and COMMERCE SERVER are in two separate zones and talk to each other through the firewall. Without a firewall, we get about 3 second response times on our queries; with the firewall this number has gone to almost 30 seconds (we fetch a fair amount of data). We've dropped the packet size on the SQL server to 512 but that has only resulted in a marginal improvement. Anyone know if there is something we can do on the Commerce Server (IIS) end to speed things up? The firewall box is a dual PII 350 w/ three 10/100 NICS. Using Performance Monitor on all three machines shows no irregularities. All three machines have very low usage. Any ideas what is causing this bottleneck and how to remedy it? BTW, nothing in the CENTRI configs with respect to packet size and performance.


Tom Kubik, MCP Director, Development Web Front Communications Inc.

-- Anonymous, April 27, 2001
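The throughput check suggested in the quoted advice (many small transfers between the two boxes rather than one large one) can be scripted. This is an added example, not code from either post: the function names, the 512-byte transfer size and the loopback demo are assumptions, and in practice the sink would run on the machine behind the firewall with its port permitted.

```python
import socket
import threading
import time

def start_sink(host="127.0.0.1"):
    """Listener for the far side: read each connection to EOF, reply with the byte count."""
    srv = socket.create_server((host, 0))  # port 0 = any free port (assumption for the demo)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                total = 0
                while chunk := conn.recv(65536):
                    total += len(chunk)
                conn.sendall(str(total).encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def send_once(host, port, payload, timeout=10.0):
    """One connect/send/acknowledge cycle; returns (bytes acknowledged, seconds)."""
    start = time.perf_counter()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)  # signal end of data to the sink
        reply = b""
        while chunk := s.recv(64):
            reply += chunk
    return int(reply), time.perf_counter() - start

def compare(host, port, small_count=200, small_size=512):
    """Send the same number of bytes as one bulk transfer and as many small ones."""
    bulk_bytes, bulk_seconds = send_once(host, port, b"x" * (small_count * small_size))
    results = [send_once(host, port, b"x" * small_size) for _ in range(small_count)]
    return {
        "bulk_bytes": bulk_bytes, "bulk_seconds": bulk_seconds,
        "small_bytes": sum(n for n, _ in results),
        "small_seconds": sum(t for _, t in results),
        "slowest_small": max(t for _, t in results),  # exposes intermittent stalls
    }

if __name__ == "__main__":
    srv, port = start_sink()  # loopback demo; run the sink on the far side in practice
    print(compare("127.0.0.1", port))
    srv.close()
```

Running it once directly between the hosts and once through the firewall separates per-connection overhead from raw bandwidth: a large gap in `small_seconds` with similar `bulk_seconds`, or a very high `slowest_small`, points at connection handling in the firewall rather than link speed.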
