IIS Warm Up Period

[Arsen V.]

Hi,

We have a website with a very high volume of traffic. The pages are ASP.NET.
There are some configuration settings that get loaded by the Global.asx file
on Application Start event. The load time for those settings is about 3
seconds.

When the site is running on IIS5 everything is okay.

When the site is running on IIS6 there are problems. It looks like when IIS
starts and all the requests start coming in it is trying to compile the
ASP.NET CLR and to load the settings in Global.asx. However, since there are
over 100 requests/second, soon it starts to give Service Unavailable and log
errors QueueFull in the HTTPERR file.

If I manually stop the IIS, set the directory security of the website to
accept only the local requests, execute one request, wait 5 seconds, and
then change the security to accept all requests, it works great.

Is there a way to give IIS a warm up time? I think it fails because there
are so many requests that come right away before the CLR is compiled and the
load settings in the Global.asx has time to execute.

Thanks,
Arsen

 

[David Wang [Msft]]

No, IIS does not have a "warm up period" feature. It is pretty easy to
script WAST or ACT to custom tailor such a warm-up optimized for your
website, though.

Websites that have high traffic volume usually devise their own mix of
requests to "warm up" a server and get various applications pre-compiled,
etc -- this is especially necessary for .Net applications, which incur a CLR
load-up cost as well as ASP.Net pre-compilation cost. After the server is
warmed up, then it is dropped into the live rotation.

There shouldn't be much difference between IIS5 and IIS6 in startup unless
you're using the health-monitoring features of IIS6 to recycle the worker
process.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Hi,

We have a website with a very high volume of traffic. The pages are ASP.NET.
There are some configuration settings that get loaded by the Global.asx file
on Application Start event. The load time for those settings is about 3
seconds.

When the site is running on IIS5 everything is okay.

When the site is running on IIS6 there are problems. It looks like when IIS
starts and all the requests start coming in it is trying to compile the
ASP.NET CLR and to load the settings in Global.asx. However, since there are
over 100 requests/second, soon it starts to give Service Unavailable and log
errors QueueFull in the HTTPERR file.

If I manually stop the IIS, set the directory security of the website to
accept only the local requests, execute one request, wait 5 seconds, and
then change the security to accept all requests, it works great.

Is there a way to give IIS a warm up time? I think it fails because there
are so many requests that come right away before the CLR is compiled and the
load settings in the Global.asx has time to execute.

Thanks,
Arsen

 

[Arsen V.]

Hi David,

How can I prevent the IIS6 server from being "dropped into the live
rotation" until the warm up scripts run?

What happens now, is that when the computer comes up, IIS starts and
immediately attempts to process the requests which queue up and cause
problems.

Is there a way to tell the IIS to start accepting the requests only after
certain warm up? I need this to be automatic so if IIS is restarted in the
middle of the night it can come back up without problems.

Thanks,
Arsen

 

[John Alderson]

Arsen,

Do you have multiple web servers in a farm? It wasn't clear from your
posts. Are you using a hardware load balancer in front like a BigIP or
similar? If so, you could script up a custom restarter like:

1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of the
LB pool in a short time depending on how you have your LB setup to check
website health.
2. IISRESET
3. Locally, request your webpages to invoke custom code. Easily scriptable
with VBScript/WinHTTP or a variety of command line tools or even WAS as
David Wang suggests.
4. Drop IPSec blocks.

Have you looked at the web garden concept? Maybe it makes sense for you to
use > 1 process for this site if you have some semi-stable custom code that
needs restarting periodically. Regular restarts of IIS or the OS are
something that you don't need if you are running stable code. If you do
seem to need these restarts, this means you have a problem with your custom
code that you need to investigate. With stable web components, IIS will run
for very long periods.

John Alderson

 

[Arsen V.]

Hi John,

Thanks for your suggestion. This is pretty much what I was looking for. I
did not think of the idea to use IPSECCMD to block the requests! This is
great.

Yes, I do have a Load Balancer in front of the web farm. The code is
stable. However, sometimes due to load there is too much queueing (this only
occurs on IIS 6) and the IIS server shuts down the process.

Thanks,
Arsen

 

[Arsen V.]

Hi John,

Windows 2003 Server dos not come with "IPSECCMD". What can I use instead?

Could you point me to a simple example of how to block TCP/80 and then
unblock it using the command line?

Thanks,
Arsen

 

[John Alderson]

Hi Arsen,

IPSECCMD is a part of the Support Tools that can be found on your
installation CD ROM. The syntax is very similar to Windows 2000's
IPSECPOL - part of the Resource Kit. I do have a set of commands to do a
block on 80, 443 but I'll have to dig them up at work. I'll post them for
you.

John

 

[John Alderson]

Arsen,

Here's a set of commands to create a IPSec Filter policy to block tcp/80 and
tcp/443. Instead of using IPSECCMD, I used NETSH.

*********************************************
netsh ipsec static add policy name="Packet Filters - IIS" description="Web
Server Hardening policy" assign=no
netsh ipsec static add filterlist name="HTTP Server" description="Server
Hardening"
netsh ipsec static add filterlist name="HTTPS Server" description="Server
Hardening",
netsh ipsec static add filterlist name="ALL Inbound Traffic"
description="Server Hardening"
netsh ipsec static add filteraction name=SecPermit description="Allows
Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic"
action=block
netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any
dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any
dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any
dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0
dstport=0",
netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters -
IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet
Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet
Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes
filteraction=SecPermit
netsh ipsec static set policy name="Packet Filters - IIS" assign=y"
*********************************************

Once it's created, you can enable and disable it by using NETSH to assign or
unassign the policy. The last command above assigns it so it enables it.

John Alderson

 

[Arsen V.]

Thank you very much!

Arsen,

Here's a set of commands to create a IPSec Filter policy to block tcp/80 and
tcp/443. Instead of using IPSECCMD, I used NETSH.

*********************************************
netsh ipsec static add policy name="Packet Filters - IIS" description="Web
Server Hardening policy" assign=no
netsh ipsec static add filterlist name="HTTP Server" description="Server
Hardening"
netsh ipsec static add filterlist name="HTTPS Server" description="Server
Hardening",
netsh ipsec static add filterlist name="ALL Inbound Traffic"
description="Server Hardening"
netsh ipsec static add filteraction name=SecPermit description="Allows
Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic"
action=block
netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any
dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any
dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any
dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0
dstport=0",
netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters -
IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet
Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet
Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes
filteraction=SecPermit
netsh ipsec static set policy name="Packet Filters - IIS" assign=y"
*********************************************

Once it's created, you can enable and disable it by using NETSH to assign or
unassign the policy. The last command above assigns it so it enables it.

John Alderson