Hi,
Whenever we start wingate on our server, we see the following:
1. Thousands of connections from the server itself.
2. The server becomes very very slow because of very high memory and CPU consumption by WinGate.
3. Client access through WinGate slows down to a crawl.
4. Attempts to stop the WinGate service fails... machine needs to be restarted.
We have faced this problem earlier, but usually, deleting the 2 history files in the WinGate folder and restarting WinGate used to do the trick. However, this time, stopping the service itself is failing and even after a restart of the machine (with WinGate services set to manual start) and deleting the 2 history files, the problem is not getting solved. We still see thousands of connections from the server.
We have even tried disabling History logging. But that doesn't help either.
Our work is getting severely hampered because of this problem. Can you please provide some solution?
Thanks.
Ani.
PS: We have WinGate 6.0.4 running on a Windows 2000 Server.
Problems with WinGate
Moderator: Qbik Staff
12 posts
• Page 1 of 1
Re: Problems with WinGate
by Nev » Apr 17 05 9:03 pm
Hi, couldn't possibly be resolved by this post? http://forums.qbik.com/viewtopic.php?t=2723&highlight=dns+loop
or: http://forums.qbik.com/viewtopic.php?t=2851&highlight=dns+loop
or: Malware, sasser, etc?
Report back how it goes.
or: http://forums.qbik.com/viewtopic.php?t=2851&highlight=dns+loop
or: Malware, sasser, etc?
Report back how it goes.
--
Nev.
Nev.
- Nev
- WinGate Guru
- Posts: 861
- Joined: Sep 22 03 11:35 pm
- Location: Mudgee ~ NSW ~ Australia
Re: Problems with WinGate
by Pascal » Apr 18 05 8:16 am
aniruddha wrote:1. Thousands of connections from the server itself.
2. The server becomes very very slow because of very high memory and CPU consumption by WinGate.
3. Client access through WinGate slows down to a crawl.
4. Attempts to stop the WinGate service fails... machine needs to be restarted.
Like Nev indicated, that sounds exactly like a DNS loop. To be safe though, what type of sessions is it showing? If it's not a particular type, to which port is it trying to connect?
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by aniruddha » Apr 19 05 1:29 am
Hi,
It's connecting to port 53 (UDP).
Basically, we are seeing this problem mainly when the Firewall is being disabled. Presently, the DNS Service within WinGate has also been stopped. Everything was working fine till day before yesterday. After that no changes to the system were made.
Regards,
Aniruddha.
It's connecting to port 53 (UDP).
Basically, we are seeing this problem mainly when the Firewall is being disabled. Presently, the DNS Service within WinGate has also been stopped. Everything was working fine till day before yesterday. After that no changes to the system were made.
Regards,
Aniruddha.
- aniruddha
- Posts: 40
- Joined: Aug 28 04 5:21 pm
by Pascal » Apr 19 05 4:59 pm
So DNS is pointing at:
* a machine on the internet?
* a machine on the local network?
* back at itself?
A lot depends on how things are setup. If, for example, you have it pointing back at itself as a DNS Server when it is one that is bound to cause problems. Ditto if there is a loop.
So, what we're trying to do is work out why there is so many DNS requests going out. 9 times out of 10 that is caused by DNS being incorrectly setup. The other time is because something malicious is busy making requests like mad. There must be other reasons too ...
Where did you track the requests? In WinGate itself, looking at the activity screen in GateKeeper or by using monitoring software?
* a machine on the internet?
* a machine on the local network?
* back at itself?
A lot depends on how things are setup. If, for example, you have it pointing back at itself as a DNS Server when it is one that is bound to cause problems. Ditto if there is a loop.
So, what we're trying to do is work out why there is so many DNS requests going out. 9 times out of 10 that is caused by DNS being incorrectly setup. The other time is because something malicious is busy making requests like mad. There must be other reasons too ...
Where did you track the requests? In WinGate itself, looking at the activity screen in GateKeeper or by using monitoring software?
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by aniruddha » Apr 19 05 5:06 pm
Hi,
The machine has been configured the point at the DNS of our ISP, so that's a machine on the Internet.
We could see the hyper-activity on the WinGate Activity screen itself.
We have screened the machine for viruses, malware, etc.... it has come out clean.
The machine has been configured the point at the DNS of our ISP, so that's a machine on the Internet.
We could see the hyper-activity on the WinGate Activity screen itself.
We have screened the machine for viruses, malware, etc.... it has come out clean.
- aniruddha
- Posts: 40
- Joined: Aug 28 04 5:21 pm
by Pascal » Apr 19 05 5:18 pm
Hmm. Just read through everything. This seems very strange. Connections from the local machine (WinGate Host, outbound) are not shown in activity unless you explicitly proxy them.
Is it possible for you to:
(a) Send me a registry export of your current WinGate setup
(b) A screen-shot of this activity when it occurs (Assume from your post it is 100% constant)
Is it possible for you to:
(a) Send me a registry export of your current WinGate setup
(b) A screen-shot of this activity when it occurs (Assume from your post it is 100% constant)
- Pascal
- Qbik Staff
- Posts: 2623
- Joined: Sep 08 03 8:19 pm
- Location: Auckland, New Zealand
by adrien » Apr 22 05 2:46 pm
Hi Ani
As Pascal said, in normal circumstances you won't see traffic from the WinGate machine itself in WinGate activity. The traffic will be coming from somewhere else.
Especially if it is NAT traffic, UDP on port 53.
What is the client IP? This is the machine that is creating the traffic, you may be looking on the wrong machine if you think the problem is in WinGate.
Or it could be a combination of issues.
Are you running any other DNS server software on your network? Even on the WinGate machine itself?
It is possible to set up a DNS loop between multiple machines if they each ask each other to resolve DNS queries. E.g if you have an AD server on your LAN, and have it point to WinGate for DNS, then you have the DNS settings in the WinGate machine set to use the AD server for DNS, you then have a loop.
To get around this, you can stop WinGate itself from using the AD server as a DNS server (since WinGate normally only wants to resolve internet addresses) by using WGOptions.exe from the WinGate install directory, and adding the IP address of the AD server in the DNS exclusions list.
Regards
Adrien
As Pascal said, in normal circumstances you won't see traffic from the WinGate machine itself in WinGate activity. The traffic will be coming from somewhere else.
Especially if it is NAT traffic, UDP on port 53.
What is the client IP? This is the machine that is creating the traffic, you may be looking on the wrong machine if you think the problem is in WinGate.
Or it could be a combination of issues.
Are you running any other DNS server software on your network? Even on the WinGate machine itself?
It is possible to set up a DNS loop between multiple machines if they each ask each other to resolve DNS queries. E.g if you have an AD server on your LAN, and have it point to WinGate for DNS, then you have the DNS settings in the WinGate machine set to use the AD server for DNS, you then have a loop.
To get around this, you can stop WinGate itself from using the AD server as a DNS server (since WinGate normally only wants to resolve internet addresses) by using WGOptions.exe from the WinGate install directory, and adding the IP address of the AD server in the DNS exclusions list.
Regards
Adrien
- adrien
- Qbik Staff
- Posts: 5448
- Joined: Sep 03 03 2:54 pm
- Location: Auckland
12 posts
• Page 1 of 1
Who is online
Users browsing this forum: Google [Bot] and 10 guests