ok we've found the issue more completely now, is a DOS attack on a segment of the network and was flooding out that port from the outside coming in, and it is making for a congestion point. We have added a 2nd link there so it can cope with it while we work to stop the DOS attack.
I have edited the topic to reflect the current situation as the impact to multiple servers is not ongoing now, only web2 is an issue, the impact to others was resolved very quickly.