colinl79

join:2010-06-30
Elk River, MN

[HELP] Cisco 800/837 Slow Upload Speeds Various Download Speeds

First post.....

For as long as I can remember I have had slow upload speeds mostly anywhere and slow download speeds to certain sites, in particular *.google.com domains. *.google.com domains almost always time out in either direction. I use internal Win 2003 DNS servers and have tried my ISP's DNS servers with no change in performance. I also used to have more IP Inspect rules but have limited it to just 2. This appeared to help the situation, but did not remedy it permanently. I did implement VOIP a few months back, but the problem existed before and my policy isn't being applied now. NAT was just enabled recently for troubleshooting purposes; I don't use it as I have another NAT device. I have a 16 block of IPs. I have a Q1000 and 2700HG-D at home and when I plug them in and set them up the problem disappears. So it has to be the 837/my config, please help me!

Network (ISP > Cisco 837 > Wireless Router > PC)

IOS Ver.
Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

Building configuration...

Current configuration : 5945 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CISCO837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
logging queue-limit 250
no logging monitor
enable secret
enable password
!
clock timezone CST -5
clock summer-time CDT recurring
no aaa new-model
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
!
ip dhcp pool pool1
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server LOCAL_DNS_IP ISP_DNS_1_IP ISP_DNS_2_IP
lease 0 4
!
!
ip cef
ip name-server LOCAL_DNS_IP
ip name-server MY_LOCAL_DNS_IP
ip name-server ISP_DNS_1_IP
ip name-server ISP_DNS_2_IP
no ip bootp server
ip inspect dns-timeout 10
ip inspect name INSPECT_ACL tcp
ip inspect name INSPECT_ACL udp timeout 15
ip ips po max-events 400
ip ssh time-out 60
no ftp-server write-enable
!
!
username
username
!
!
class-map match-any VoIP
match destination-address mac xxxx.xxxx.xxxx
!
!
policy-map VoIP-QoS
class VoIP
priority percent 50
set dscp ef
class class-default
fair-queue
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
description Internal Network
ip address 10.0.0.1 255.255.255.0 secondary
ip address PUBLIC_IP_1 IP_SUBNET_1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 100 out
!
interface ATM0
description Connection to QWEST
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
dsl enable-training-log
pvc 0/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer0
description Connection to ISP
bandwidth inherit
ip unnumbered Ethernet0
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect INSPECT_ACL out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ISPUSERNAME
ppp chap password 7 ISPPASSWORD
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
logging SYSLOG_IP_SERVER
access-list 101 remark ----------------------------------------------------------3
access-list 101 remark Deny private IP Ranges and Traffic
access-list 101 deny tcp any any eq 445
access-list 101 deny udp any any eq 445
access-list 101 deny ip 0.0.0.0 0.255.255.255 any log
access-list 101 deny ip 10.0.0.0 0.0.0.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny ip 169.254.0.0 0.0.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny icmp any any log fragments
access-list 101 remark ----------------------------------------------------------4
access-list 101 remark Allow access to Available services
access-list 101 permit udp any host MY_LOCAL_DNS_IP_2 eq domain
access-list 101 permit tcp any host MY_LOCAL_DNS_IP_2 eq domain
access-list 101 permit udp any host MY_LOCAL_DNS_IP eq domain
access-list 101 permit tcp any host MY_LOCAL_DNS_IP eq domain
access-list 101 permit tcp any host MY_LOCAL_MAIL eq smtp
access-list 101 permit tcp any host MY_LOCAL_WEB_1 eq www
access-list 101 permit tcp any host MY_LOCAL_WEB_2 eq www
access-list 101 permit tcp any host MY_LOCAL_WEB_3 eq www
access-list 101 remark ----------------------------------------------------------5
access-list 101 remark ---
access-list 101 permit tcp host ALLOWED_IP_1 any eq 3389
access-list 101 permit tcp host ALLOWED_IP_1 any eq 22
access-list 101 permit tcp host ALLOWED_IP_1 any eq ftp
access-list 101 permit tcp host ALLOWED_IP_1 any eq ftp-data
access-list 101 permit tcp host ALLOWED_IP_1 any eq 2000
access-list 101 permit tcp host ALLOWED_IP_1 any eq www
access-list 101 permit tcp host ALLOWED_IP_1 any eq 443
access-list 101 permit icmp host ALLOWED_IP_1 any
access-list 101 remark ----------------------------------------------------------6
access-list 101 remark ---
access-list 101 permit tcp host ALLOWED_IP_2 any eq 3389
access-list 101 permit tcp host ALLOWED_IP_2 any eq 22
access-list 101 permit tcp host ALLOWED_IP_2 any eq ftp
access-list 101 permit tcp host ALLOWED_IP_2 any eq ftp-data
access-list 101 permit tcp host ALLOWED_IP_2 any eq 2000
access-list 101 permit tcp host ALLOWED_IP_2 any eq www
access-list 101 permit tcp host ALLOWED_IP_2 any eq 443
access-list 101 remark ----------------------------------------------------------9
access-list 101 remark Deny all
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community README RO
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password
login
no modem enable
stopbits 1
line aux 0
password
login
stopbits 1
line vty 0 4
access-class 100 in
exec-timeout 30 0
privilege level 15
password
login local
transport preferred none
transport input ssh
transport output none
!
no scheduler max-task-time
ntp server 0.0.0.0
end


HELLFIRE
Premium
join:2009-11-25
kudos:18

Re: [HELP] Cisco 800/837 Slow Upload Speeds Various Download Spe

First the basics:
1) check your interface to the ISP, is it
- half / full duplex?
- any errors / collisions / drops / etc?
- is it set for the right speed?

2) check the cable to the ISP with a fluke meter if possible

3) check your LAN connections for the same above two points

4) check the following
- show proc cpu hist
- show proc mem

5) do extended pings to the resource(s) that are slow, how variable
is the RTT?

For more advanced options:

6) build a monitor station with MRTG or similar and monitor the
device's performance long term. Correlate the slowness to specific
times of day / load on the device / etc.

7) if you think it's your config, take yourself offline and strip the
configs to two interfaces and run iperf or similar. Keep adding
elements one at a time and see where the performance starts to drop
off. For comparison, I'd also run iperf on the Q1000 and 2700HG and
see how they fare.

8) check routerperformance.pdf. The 830 is rated for about 4Mbit
of traffic, though take that with a grain of salt. The more complex
the services you run, e.g. ip inspect, QOS / ACL entries, etc., the
heavier the load on the router's CPU.

Just how big is your pipe and what kind of loads are you putting on
your 837?

Considering the number of times this has been asked, we may have to
consider making this a FAQ item

Regards


colinl79

join:2010-06-30
Elk River, MN
reply to colinl79

I have gone through most of this already. I was hoping a second set of eyes would pick up on something, but it looks like it won't be that easy. And to give my issue a twist, it seems like I burst, then slow to a crawl with uploads/downloads to/from *.google.com. Other sites seem ok.

1 - Since I am using unnumbered mode, the eth0 interface is showing Full-duplex, 10Mb/s. All the fast eth's I switched to full duplex with auto speed. The other interfaces respond with "Half-duplex (sub)command not supported for INTERFACE".

2 Don't have it.

5 Latency seems ok considering.

6 It's been running about a week. It's definitely more common during the day. But I am not on a lot at night so that's relative.

-Dialer0, `Weekly' Graph (30 Minute Average)
In 6966.0 B/s (99.5%) 332.0 B/s (4.7%) 940.0 B/s (13.4%)
Out 6975.0 B/s (99.6%) 433.0 B/s (6.2%) 225.0 B/s (3.2%)

7 That's something I am just going to have to do. I find a lot of others running NAT without a 16 block so it's harder to find successful configs I can use. While I do run NAT in its current config, it's not being utilized.

I am getting about 3-5 down via various speed tests. It's not consistent.

Connection status....
Interleave Fast Interleave Fast
Speed (kbps): 7168 0 896 0


colinl79

join:2010-06-30
Elk River, MN
reply to colinl79

CISCO837#show proc cpu hist

CISCO837 09:10:53 AM Sunday Mar 17 2002 CST

111
3333333333333334444433333333333333377777666665555577777777
100
90
80
70
60
50
40
30
20 *****
10 *************************
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per second (last 60 seconds)
1
3222222223212222222222 22222221222222223275632225022233422
1777838470727498888884982825878673588834649116770088714479
100 *
90 *
80 *
70 * *
60 *** *
50 *** ** *
40 *** ** * *#
30 ***** * *** * ******* * * *** ** **** ***#****************#
20 *********** ********** ******************##*****##*********#
10 ###########*##########*#######**############################
0....5....1....1....2....2....3....3....4....4....5....5....
0 5 0 5 0 5 0 5 0 5
CPU% per minute (last 60 minutes)
* = maximum CPU% # = average CPU%
1 1 1
96660996578777586070
97900209089580448030
100 * * * *
90 * *** * * *
80 * *** **** * * *
70 *** **** ***** *****
60 ******** ***** *****
50 ********************
40 ********************
30 ********************
20 ********************
10 ####################
0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
0 5 0 5 0 5 0 5 0 5 0 5 0
CPU% per hour (last 72 hours)
* = maximum CPU% # = average CPU%


colinl79

join:2010-06-30
Elk River, MN
reply to colinl79

CISCO837#show proc mem
Processor Pool Total: 18773648 Used: 12050668 Free: 6722980
I/O Pool Total: 2515968 Used: 1057360 Free: 1458608

PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 13181524 3974480 7798080 0 0 *Init*
0 0 12044 90460 12044 0 0 *Sched*
0 0 12907904 10246188 2820952 943888 0 *Dead*
1 0 109696 34484 82128 0 0 Chunk Manager
2 0 188 188 3916 0 0 Load Meter
3 0 364912 268148 121636 0 0 VTEMPLATE Backgr
4 2 520868 479764 59716 0 0 SSH Process
5 0 0 0 6916 0 0 Check heaps
6 0 61116 83052 13552 18432 25332 Pool Manager
7 0 188 188 6916 0 0 Timers
8 0 188 188 6916 0 0 Serial Backgroun
9 0 188 188 6916 0 0 AAA high-capacit
10 0 0 0 12916 0 0 Policy Manager
11 0 0 0 24916 0 0 Crash writer
12 0 8340 0 6992 780 0 ARP Input
13 0 328 188 7056 0 0 DDR Timers
14 0 188 188 6916 0 0 ATM Idle Timer
15 0 1960 0 8876 0 0 Entity MIB API
16 0 0 0 6916 0 0 SERIAL A'detect
17 0 188 188 6916 0 0 GraphIt
18 0 0 0 6916 0 0 Critical Bkgnd
19 0 124032 0 116200 0 0 Net Background
20 0 188 188 12916 0 0 Logger
21 0 188 336 6916 0 0 TTY Background
22 0 0 4820 9916 0 0 Per-Second Jobs
23 0 0 0 6916 0 0 DHCPD Timer
24 0 188 188 6916 0 0 LED Timers
25 0 0 0 3916 0 0 dev_device_inser
26 0 0 0 3916 0 0 dev_device_remov
27 0 324 188 6916 0 0 AUX
28 0 0 0 6916 0 0 Multi-ISA Event
29 0 0 0 6916 0 0 Multi-ISA Cleanu
30 0 0 0 9916 0 0 ATM Periodic
31 0 0 0 9916 0 0 ATM ARP INPUT
32 0 188 188 12916 0 0 ATM OAM Input
33 0 188 188 12916 0 0 ATM OAM TIMER
34 0 2784 188 9512 0 0 AAL Coalesce
35 0 0 0 6916 0 0 Net Input
36 0 188 188 6916 0 0 Compute load avg
37 0 0 0 6916 0 0 Per-minute Jobs
PID TTY Allocated Freed Holding Getbufs Retbufs Process
38 0 0 0 9916 0 0 Crypto Device Up
39 0 0 0 6916 0 0 DSL State Machin
40 0 188 188 6916 0 0 AAA Server
41 0 0 0 6916 0 0 AAA ACCT Proc
42 0 0 0 6916 0 0 ACCT Periodic Pr
43 0 0 0 6916 0 0 AAA_SERVER_DEADT
44 0 188 188 6916 0 0 AAA Dictionary R
45 0 1934032 2440 109160 0 0 IP Input
46 0 0 0 6916 0 0 ICMP event handl
47 0 0 0 6916 0 0 IP NAT Ager
48 0 0 0 12916 0 0 L2X Data Daemon
49 0 400 400 12916 0 0 PPP Hooks
50 0 0 0 12916 0 0 VPDN call manage
51 0 0 0 12916 0 0 L2X Socket proce
52 0 0 0 12916 0 0 L2X SSS manager
53 0 188 188 12916 0 0 L2TP mgmt daemon
54 0 0 0 12916 0 0 SSS Manager
55 0 0 0 12916 0 0 SSS Test Client
56 0 0 0 6916 0 0 SSS Feature Mana
57 0 0 0 6916 0 0 SSS Feature Time
58 0 0 0 6916 0 0 AC Mgr
59 0 188 188 9916 0 0 EAPoUDP Process
60 0 0 1221852 9916 0 0 IP Background
61 0 156 0 10072 0 0 IP RIB Update
62 0 29520 188 22416 0 0 DHCPD Receive
63 0 1056 1056 12916 0 0 PPP IP Route
64 0 2616 188 15344 0 0 PPP IPCP
65 0 0 1220 12916 0 0 TCP Timer
66 0 57580 0 14344 0 0 TCP Protocols
67 0 0 0 6916 0 0 RARP Input
68 0 0 0 6916 0 0 Socket Timers
69 0 916 0 10832 0 0 HTTP CORE
70 0 0 62020 6916 0 0 IP Cache Ager
71 0 188 188 9916 0 0 Adj Manager
72 0 188 188 6916 0 0 PPP Bind
73 0 188 188 6916 0 0 Dialer Forwarder
74 0 0 0 12916 0 0 L2F management d
75 0 106984 0 100088 0 0 PPTP Mgmt
76 0 188 188 12916 0 0 PPTP Data
77 0 188 188 6916 0 0 PPP SSS
78 0 0 0 6916 0 0 SNMP Timers
79 0 188 188 12916 0 0 ILMI Input
80 0 188 188 6916 0 0 ILMI Request
81 0 188 188 6916 0 0 ILMI Response
PID TTY Allocated Freed Holding Getbufs Retbufs Process
82 0 0 0 6916 0 0 ILMI Timer Proce
83 0 6180 636 18460 0 0 ATM PVC Discover
84 0 376 376 6916 0 0 Crypto HW Proc
85 0 0 549680 6916 0 0 Inspect Timer
86 0 172 0 7088 0 0 DHCPD Database
87 0 1104 188 7832 0 0 URL filter proc
88 0 0 0 6916 0 0 Authentication P
89 0 0 0 6916 0 0 Auth-proxy AAA B
90 0 0 0 6916 0 0 IPS Timer
91 0 308 188 7036 0 0 SDEE Management
92 0 0 0 24916 0 0 COPS
93 0 0 0 6916 0 0 IPv6 Inspect Tim
94 0 2372 4712 6916 0 0 LOCAL AAA
95 0 188 188 6916 0 0 ENABLE AAA
96 0 188 188 6916 0 0 LINE AAA
97 0 0 0 6916 0 0 Key chain liveke
98 0 5976 188 12704 0 0 TPLUS
99 0 0 0 6916 0 0 IP NAT WLAN
100 0 188 188 6916 0 0 Crypto Support
101 0 72244 188 80972 0 0 Crypto WUI
102 0 0 0 6916 0 0 encrypt proc
103 0 0 0 6916 0 0 EM Background Pr
104 0 0 0 8916 0 0 Key Proc
105 0 1388 580 9724 0 0 Crypto CA
106 0 0 0 8916 0 0 Crypto PKI-CRL
107 0 0 0 8916 0 0 Crypto SSL
108 0 51944 4584 72592 0 0 Crypto ACL
109 0 0 0 6916 0 0 CRYPTO QoS proce
110 0 6444 188 19172 0 0 Crypto IKMP
111 0 341012 35916 317204 0 0 IPSEC key engine
112 0 0 0 6916 0 0 IPSEC manual key
113 0 0 0 6916 0 0 Crypto PAS Proc
114 0 24864 0 37780 0 0 Crypto Delete Ma
115 0 0 0 6916 0 0 crypto engine pr
116 0 188 188 6916 0 0 AAA SEND STOP EV
117 0 0 0 6916 0 0 Syslog Traps
118 0 360 204 7072 0 0 IpSecMibTopN
119 0 0 0 6916 0 0 VPDN Scal
121 0 0 0 12916 0 0 TCP Driver
122 0 0 0 6916 0 0 TCP Listener
123 0 15252 0 11308 0 0 SSH Event handle
124 0 74880 1632 73248 0 0 CEF process
125 0 156 0 7088 0 0 CEF Scanner
126 0 0 0 6916 0 0 IP VFR proc
PID TTY Allocated Freed Holding Getbufs Retbufs Process
127 0 10232 188 22960 0 0 PPP manager
128 0 18928 1760 30084 0 0 PPP Events
129 0 188 188 6916 0 0 Multilink PPP
130 0 188 188 6916 0 0 Multilink event
131 0 112396 1440 99012 0 0 PPPoA Manager
132 0 1112 188 13840 0 0 IP SNMP
133 0 0 0 12916 0 0 PDU DISPATCHER
134 0 3401828 3401828 12916 0 0 SNMP ENGINE
135 0 0 0 12916 0 0 SNMP ConfCopyPro
136 0 0 0 12916 0 0 SNMP Traps
137 0 496 188 7224 0 0 NTP
138 0 0 0 12916 0 0 Crypto Hardware
139 0 958760 960164 9472 0 0 crypto sw pk pro
13101388 Total
CISCO837#


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

Troubleshooting general slowness rarely is, and believe me, I'd rather
troubleshoot no connectivity than slow connectivity. Lot fewer
possibilities to run through :)

Couple questions from your output colinl79

1) is the eth0 interface doing auto speed / duplex or is it being hardcoded?

2) where are you getting this data, and how do you interpret it?

-Dialer0, `Weekly' Graph (30 Minute Average)
In 6966.0 B/s (99.5%) 332.0 B/s (4.7%) 940.0 B/s (13.4%)
Out 6975.0 B/s (99.6%) 433.0 B/s (6.2%) 225.0 B/s (3.2%)
 

If you can, chart the 5min input / output rates for your WAN interface
and post them up. What I'm looking to confirm is whether the 837 can
move the maximum rated speed of the pipe.

And again I reiterate my question of how big a pipe do you have with
your ISP?

3) if you need a NAT config for DSL, look up the doc "Cisco DSL Router
Configuration and Troubleshooting Guide" on Cisco.com or check out the
forum FAQ.

4) Can you do a 'sh proc cpu sort' and give the top 5 or 6 processes running?

Regards

colinl79

join:2010-06-30
Elk River, MN

I would rather too. Problems like these are never easy.

1) Full-duplex, 10Mb/s. Hard coded, not changeable via the ios.

2) MRTG. Dialer0 and Virtual Access interfaces haven't gone above 7.2Kb for in/Out, so I would say I am not maxing out my line. Pipe is 1 UP/7 Down.

4) I ran this as I downloaded chrome from dl.google.com, one of the problem sites. Downloaded without an issue this morning.

PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 8221712 418702 19636 0.79% 2.96% 2.87% 0 Check heaps
4 1848 284 6507 0.00% 0.13% 0.29% 2 SSH Process
45 412760 350728 1176 0.71% 0.18% 0.06% 0 IP Input
132 11108 18610 596 0.00% 0.01% 0.00% 0 IP SNMP


jmillermo

join:2010-05-02
Tokyo, Japan
reply to colinl79

Problem could be related to Path MTU Discovery, try adjusting the maximum segment size on your Ethernet0 int:

ip tcp adjust-mss <500-1460>
 

Drop it down to something like 1412 and see if that helps out.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

At this point I'd say run the iperf test and see what you get, and
compare it to the Q1000 and 2700HG-D. Like I said, 830s are rated
for ~4Mbit with 64byte packets. Toss in add'n services and the
performance obviously drops.

Regards


colinl79

join:2010-06-30
Elk River, MN

I am getting much better network performance with the Q1000. Unfortunately it doesn't suit my needs since I have some advanced ACL rules that I can't mimic on the Q1000 and the lack of QOS is a bummer. The 2700 was an improvement, not as much as the Q1000 but noticeable.

I have been getting better performance after moving my DNS to a NAT'd IP. Also set the bandwidth to a static number instead of inheriting the speed. Also made the suggested tcp adjustment on the eth0 interface. Overall performance was quite good for a while around the 4th, less voip traffic. Now it's still good, but nowhere near where I would like it to be.

Wondering if there is another Cisco 800 series that would be better for my needs?



OVERKILL

join:2010-04-05
Peterborough, ON

860 series would be a good entry-level choice.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

Got the results of the testing between the 837 vs the Q1000 vs the 2700? I'm
actually pretty curious what bog-standard kit can do that telcos get in bulk
and give away when they sign you up.

Regards


colinl79

join:2010-06-30
Elk River, MN

I don't have anything I can post.

While I say performance was better, I meant the WAN. Being that all three were connecting at 896/7168, I got the fastest downloads from the Q1000, near the 7MB cap during download. Whereas the best I was getting with the 837 was 5MB, on a good day. The 2700HG-D was faster than the 837, but I don't have any numbers to back up my comment.

Internal performance wasn't comparable due to the fact that the Q1000 has 4x Gig interfaces whereas the 837 and 2700HG-D only have 10/100.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

At this point you're either looking at stripping functionality out of your config or looking
at better gear. Not much else I can think of at this point.

Regards


colinl79

join:2010-06-30
Elk River, MN

What kind of better equipment are you referring to?

I have a Cisco 3600 with an ADSL WIC. I was also looking at the 871/877 series, but have found information that I may be setting myself up for the same problem with nicer equipment.


colinl79

join:2010-06-30
Elk River, MN

I also have a 2600 with that same ADSL WIC.



Juancho_CR

@ice.co.cr
reply to colinl79

Have you checked DSL stats? SNR, CRCs, attenuation? Try getting a show dsl interface atm, that will be very helpful.

Regards.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8
reply to colinl79

[I know it's a two-month-old thread, but I'll chime in]

Two things jump out at me:
ip inspect dns-timeout 10
ip inspect name INSPECT_ACL udp timeout 15

Those seem to be insanely low timeouts. (10s and 15s)

Also, what's with the dialer being unnumbered? You didn't say who your ISP was, but in Bellsouth land, the ppp interface is assigned a p-t-p address and the static block routed to it. Is anything actually attached to E0? Unless explicitly set 'full-duplex', it's not. 'sh int e0' should confirm it (number of collisions should be zero if it's full-duplex.)

I have a 1720 doing almost exactly what's going on here, minus IPS. It manages "line speed." (6M/512k)

The primary causes of slowness are ips, nat, and acls. Remove IPS and the ACL and see if that improves anything. On my 1760, if I enable IPS, throughput goes to hell -- the processor and memory are slow. Even a beefy 2851 will suffer with ips enabled; and nat will kill it. This is especially true when you're inspecting all tcp and udp connections. (read: every packet)

(I set up a 2851 to replace a pix 520. The pix sits at less than 5% cpu all the time. The 2851 was pegged constantly -- the DS3 went from 45Mbps to 18Mbps.)


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

@colinl79
Check routerperformance.pdf as a first stop to see what equipment can do "bare metal."
870s and 262xs are rated for the same performance at 12.8Mbps, and I can verify that a
2621 can run a reflexive ACL / NAT / IPS config at 8Mbps sustained -- I will admit I've
never had the time or nerve to configure CBAC inspection on a 2621 to see how much it
choked the throughput.

3620 / 3640 / 3660 is rated for 10 - 20, 25 - 36 and 51 - 61Mbps respectively, though
I'd take those numbers with a BIG grain of salt, especially if you plan to run the same
config on it as your 837.

Above those, you're looking at the 89x / 181x / 19xx / 29xx series -- speaking from
personal experience, an 1811 took a 25 / 2Mbit line at 15Mbit sustained throughput and
CPU util at a steady 40%. 30+ torrents, web browsing and an online game of WoW was
running simultaneously at the time, all without a hiccup.

@cramer
IMHO, 10sec timeout for DNS and 15sec timeout for UDP is about right -- once a DNS reply
has been received there's no reason for it to be managed any more, and there's not a lot
of longterm UDP traffic I can think of except a torrent connection, depending on your
client.

Regards


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8


I just ran my 1811 "as fast as possible" and it did 10.8MB/s (that's BYTES) @ 99%. But it wasn't doing anything else. (nat, obviously)

As I understand it, the timeouts apply "per packet". So that'd be 10s to get a DNS reply before the mapping goes away. That certainly applies to the generic "udp" inspection; 15s is way low. I have dns set to 60. In cisco's words, "the length of time a DNS name lookup session will still be managed after no activity." (the default is an insane 5 seconds.)


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to colinl79

Having seen sniffer captures of DNS queries, once a PC has a DNS query reply, it caches it for
however long the OS default is for -- I think Windows is 1 day. So basically why should a DNS
query inspection session be held for any longer than it has to?

That's just my 00000010 bits anyways.

Regards


colinl79

join:2010-06-30
Elk River, MN
reply to colinl79

ISP = Qwest

I was using ip unnumbered to eth0 because my local network was all public. I had another device handling NAT for local machines. Separated out for security. It was only setup and enabled because I was working on the config. I had some collisions on eth0, nothing to be alarmed about.

ip inspect and the ACL were removed from the Dialer interface. I am losing anywhere from 2-3MB down and 500kbs up with them enabled. I can't get inet with the ACL enabled and without inspect enabled out, so I will be looking at another problem.

I tried the 3600 with a similar config, not much, if any, better performance.


cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:8

said by colinl79:

I was using ip unnumbered to eth0 because my local network was all public.
I gathered that. I was asking if the ISP was giving a dynamic address to the dialer and routing the subnet vs. pppoe assigning the netblock. If they are, then you don't need to do that -- let routing handle it.

You'd be better off letting the router do the routing and something else do the security. Full inspection is a lot of work for those tiny processors. Process switching is slow on every router. And ethernet interfaces (standard 10M ethernet) are like PC ISA cards; they take a lot of work from the platform.
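The points argued across this thread (cramer's low inspect timeouts, jmillermo's `ip tcp adjust-mss` suggestion, colinl79's switch from `bandwidth inherit` to a static value, and the vty `access-class 100` / NAT `list 1` lines in the posted config that reference an access-list the config never defines) can be checked mechanically. The script below is an added example, not code from any poster; the timeout floors are assumptions you should set yourself, and the sample config is a constructed excerpt of the one posted at the top of the thread.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "warn" or "info"
    line: str       # config line (or interface header) that triggered it
    message: str


# Constructed excerpt of the config posted at the top of the thread; the
# poster's placeholders are kept and only lines relevant to the checks remain.
SAMPLE_CONFIG = """\
ip inspect dns-timeout 10
ip inspect name INSPECT_ACL udp timeout 15
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0 secondary
!
interface Dialer0
bandwidth inherit
ip unnumbered Ethernet0
ip access-group 101 in
!
ip nat inside source list 1 interface Dialer0 overload
access-list 101 deny ip any any log
!
line vty 0 4
access-class 100 in
"""


def sections(cfg):
    """Yield (block, line): block is the 'interface X' / 'line ...' header a
    command belongs to, None for global commands. IOS prints '!' between
    blocks, so '!' closes a block even when a paste lost the indentation."""
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif re.match(r"(interface|line) \S", line):
            current = line
        else:
            yield current, line


def audit(cfg, min_dns_timeout=30, min_udp_timeout=30):
    """Flag the points raised in the thread. The timeout floors are assumptions
    (the thread itself disagrees on what is 'right'); pass your own."""
    findings, defined, referenced, l3_ifaces, mss_ifaces = [], set(), [], [], set()
    for block, line in sections(cfg):
        if m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))                       # numbered ACL
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            defined.add(m.group(1))                       # named ACL
        elif m := re.match(r"ip inspect dns-timeout (\d+)$", line):
            if int(m.group(1)) < min_dns_timeout:
                findings.append(Finding("warn", line, f"DNS inspect timeout under {min_dns_timeout}s"))
        elif m := re.match(r"ip inspect name \S+ udp timeout (\d+)$", line):
            if int(m.group(1)) < min_udp_timeout:
                findings.append(Finding("warn", line, f"UDP inspect timeout under {min_udp_timeout}s"))
        elif m := re.match(r"(?:ip nat inside source list|access-class|ip access-group) (\S+) ", line):
            referenced.append((line, m.group(1)))         # the ACL must exist to take effect
        elif block and line.startswith("ip address ") and block not in l3_ifaces:
            l3_ifaces.append(block)
        elif block and line.startswith("ip tcp adjust-mss "):
            mss_ifaces.add(block)
        elif block and block.startswith("interface Dialer") and line == "bandwidth inherit":
            findings.append(Finding("info", line, f"{block}: bandwidth inherited rather than set to "
                                    "the line rate; the poster saw better results with a static value"))
    for line, acl in referenced:
        if acl not in defined:
            findings.append(Finding("warn", line, f"references access-list {acl}, which is never defined"))
    for iface in l3_ifaces:
        if iface not in mss_ifaces:
            findings.append(Finding("info", iface, "no 'ip tcp adjust-mss' (the PMTU workaround suggested above)"))
    return findings
```

Run `audit(open("running-config.txt").read())` against a `show run` paste; on the sample excerpt it reports four warnings (both inspect timeouts and the two undefined ACL references) and two informational items.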