Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

871 downloads get slower and slower 2

Status
Not open for further replies.

shaferbus

MIS
Dec 7, 2002
130
US
I'm far from an IOS expert, so I'm hoping that someone can tell me if I have a configuration problem or a hardware problem.

Our office network is behind a Cisco 871 router connected to a T1, with 512 Kb/s dedicated to internet bandwidth (the rest is for voice lines). Over the past several months, we have been having problems with slow internet downloads. At first, it was just large files (2+ Mb, not THAT large...), and only sometimes. The file starts downloading fine, and then the download speeds drops off to nothing. I know the speed indication in the IE download dialog isn't exactly a scientific measurement, but it would start off at 100+ Kb/s, but after a few hundred Kb, it would start dropping until it reached bytes/sec speeds, and eventually fail. Now it's degraded to the point that web pages with a lot of graphics take a long time to load, and downloading a file of any size (like AV updates) is practically impossible!

If I bypass the router and connect my PC directly to the ISP's WAN connection, the problem disappears.

The weird thing is, internet speed tests (connected through the router) show a download rate that is well within normal parameters for our connection, even if I run it while a simple PDF download has slowed to 90 bytes/sec!

I've replaced cables to and from the router, power cycled everything multiple times, and unplugged everything but the router and my PC, with no effect.

The IOS configuration (below) has not been altered in at least 6 months. Can anyone see anything there that would cause a cumulative problem, or does it sound like the 871 is FUBAR?
Any other suggestions?

Thanks

Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <<password cipher>>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.61 192.168.16.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.16.0 255.255.255.0
   dns-server 216.135.95.2 64.132.94.250 
   default-router 192.168.16.1 
!
ip dhcp pool <<server>>
   host 192.168.16.2 255.255.255.0
   hardware-address 00c0.9f10.d8a6
!
ip dhcp pool <<A PC>>
   host 192.168.16.3 255.255.255.0
   hardware-address 0016.41ef.439d
!
ip dhcp pool <<Another PC>>
   host 192.168.16.4 255.255.255.0
   hardware-address 000d.6071.7798
!
ip dhcp pool <<Yet Another PC>>
   host 192.168.16.14 255.255.255.0
   hardware-address 0040.ca36.35b3
!
ip dhcp pool <<Printer>>
   host 192.168.16.13 255.255.255.0
   hardware-address 0000.f0a2.9947
!
ip dhcp pool <<Another Printer>>
   host 192.168.16.30 255.255.255.0
   hardware-address 0880.1fff.22b1
!
ip dhcp pool <<Yet Another Printer>>
   host 192.168.16.60 255.255.255.0
   hardware-address 0000.aaad.9445
!
ip dhcp pool Shop
   host 192.168.16.5 255.255.255.0
   hardware-address 0040.f473.55aa
!
ip dhcp pool maintenance2
   host 192.168.16.6 255.255.255.0
   hardware-address 0009.6bf3.a799
!
ip dhcp pool shopmgr
   host 192.168.16.7 255.255.255.0
   hardware-address 0040.2b4d.cfea
!
ip dhcp pool mezzanine
   host 192.168.16.8 255.255.255.0
   hardware-address 0001.29d3.9cd4
!
!
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 802-11-iapp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.135.95.2
ip name-server 64.132.94.250
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
  application http
    strict-http action allow
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1834174675
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1834174675
 revocation-check none
 rsakeypair TP-self-signed-1834174675
!
!
crypto pki certificate chain TP-self-signed-1834174675
 certificate self-signed 01
  <<All the Certificate Stuff>>
  quit
username admin privilege 15 secret 5 <<Password>>
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group SHAFERVPN
 key <<VPN Key>>
 dns 192.168.16.1 192.168.16.2
 wins 192.168.16.2
 domain <<Our Domain>>
 pool SDM_POOL_1
 acl 105
 include-local-lan
 pfs
 max-users 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 600
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
 ip address 66.192.xxx.xxx 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip classless
ip route 0.0.0.0 0.0.0.0 66.192.43.1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.16.14 80 interface FastEthernet4 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any eq www
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082 log
access-list 100 permit udp host 192.168.16.2 eq domain any
access-list 100 permit tcp any any eq 4443
access-list 100 deny   ip 66.192.xxx.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ntp.twtelecom.net
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit ip host 192.168.17.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.55 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.55 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host 66.192.xxx.xxx eq isakmp
access-list 101 permit esp any host 66.192.xxx.xxx
access-list 101 permit ahp any host 66.192.xxx.xxx
access-list 101 remark Auto generated by SDM for NTP (123) nist1-ny.witime.net
access-list 101 permit udp host 208.184.49.9 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit udp host 216.135.95.2 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082 log
access-list 101 remark SSL
access-list 101 permit tcp any any eq 4443
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.xxx.xxx echo-reply
access-list 101 permit icmp any host 66.192.xxx.xxx time-exceeded
access-list 101 permit icmp any host 66.192.xxx.xxx unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.17.55
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.50
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.51
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.52
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.53
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.54
access-list 103 deny   ip 192.168.16.0 0.0.0.255 host 192.168.16.55
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CCCCCCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175186
ntp server 207.250.222.200 source FastEthernet4 prefer
end

 
Alphacrasher - I'm a bit relieved that someone else is having the same problem, because I too couldn't find much info online regarding this behavior. I had resigned myself to it being a hardware problem until I started playing with the ACL's. Just curious - what IOS version is your 871 running?

I hesitate to think that Cisco would resort to something as tawdry as "planned obsolesence", but I'm at a loss to understand why both of our routers were fine for years until recently...?

Are there other similarities in our configs? Are you using VPN? Running web servers? Do you have to disable CBAC as well as the ACL to clear it up?

billyj1900 - I see what you're saying - erase the startup config and rebuild it step-by-step and see when the problem surfaces. I may just do that (although I have decided to reassign this router from the main office to other duties and replace with a new 881), but what's our next step from there?
 
Try the below:
(use protocols that you are using for CBAC instead of <protocol> :

ip inspect name DEFAULT100 <protocol> timeout 600
ip inspect tcp idle-time 600



Rassoul - Network/system engineer
CCNP
CCIP
CCNAV
IIUC2
LPI
 
Thanks for the suggestion Rassoul, but it didn't seem to have any effect.
 
Schaferbus, Billy, Rassoul,

I tried what you said Billy, to no avail. I suspect, but don't know for sure, that Flash fragmentation is not reset on erasure.

This is a repeatable occurrence, even with a plain-jane setup from a router resert shown below. Just add a minimal inbound inspection rule to FastEthernet4 and throughput drops to single digit bytes per second.

I am using: c870-advipservicesk9-mz.123-8.YI2.bin

----------
Current configuration : 2659 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname dsr2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
username <deleted>
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip access-group sdm_fastethernet4_in in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended sdm_fastethernet4_in
remark SDM_ACL Category=1
deny ip any any log
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco".

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

I am not too sure where to go from here.
 
CBAC inspection has a big impact on performance, especially on such a small router. If you are only using ethernet for connectivity I would just replace this router with a small asa firewall if you want to use all the firewall features.
 
hmmm... but alphacrasher isn't running CBAC, and turning off only CBAC inspection on my router doesn't solve the problem - I have to turn off the inbound ACL to get adequate performance.

Is CBAC processor or memory intensive (since neither alphacrasher nor I are showing high CPU or memory utilization), or is it a matter of the internal path that the packets have to travel not having adequate hardware acceleration?
 
alphacrusher's posted config appears to be blocking every packet and logging it.

To answer your question about cbac though, yes it does slow your throughput down even though cpu and memory usage may not appear high.
 
Baddos,

ANY inspection rule causes the problem.

The problem persists even if I REPLACE the "deny any any" rule above with "permit icmp any any echo-reply" with no logging- the bandwidth still drops to single digit bytes per second.

If I remove all inspection rules, the bandwidth is normal.

As Shaferbus pointed out, the CPU and memory load is so low that it doesn't even register. The only thing I can think of that would tie up the router but might not show up on CPU usage is a badly fragmented Flash memory. (i.e. processor in wait state waiting for fetch commands to complete). But I am just guessing wildly here.

Again this is a relatively recent occurrence, and apparently a number of people with Cisco 871's are experiencing it.

In normal operation I have 3 vlans active in trunk mode, but the problem occurs even in simple router mode.

There does not seem to be a resolution and without being able to use inspection rules, a Cisco 871 makes for a very expensive 4 port hub.



 
I must admit, blocking every packet would have an adverse effect on throughput... :)

But seriously folks...

I think perhaps I'm not doing a very good job of describing what's going on.

One thing I'd like to reiterate is that the router has worked fine for a long time in it's current configuration (with the exception of adding the following lines in February of this year to permit access to some extranet pages running on the ports indicated)
Code:
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
.
.
.
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082
.
.
.
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082

Gradually, over the course of the past summer, we have experienced slower and slower download performance.
Two examples would be Flash content that never loads, and large file downloads (large being, say, a 1 Mb PDF file).
On file downloads, The speed (indicated by the browser) starts out at a normal 50 - 100 Kbps, but immediately starts slowing down, until we reach the < 100 bps range (estimated download time shown as DOZENS of hours).

If I turn off the inbound ACL 101 on fe4 (outside interface), I can immediately download the same PDF (or whatever) at a normal rate.
If I then the ACL back on - I CAN SOMETIMES STILL DOWNLOAD AT A NORMAL RATE.... for a while. Eventually though, things return to the same unusable state. I can't say how long that takes, because I haven't had the opportunity to babysit it that closely LOL.
Here's an example of a PDF I tried this morning that showed this behavior - perhaps alphacrasher can try it and verify:


Now, Flash content seems to be a different story. I have to turn off both ACL 101 and the Inspect rules to get the following page to load (it's a Flash based login page to a vendor's site): Just in case that's not confusing enough, after turning off the Inspect rule, I can turn it back on AND STILL LOAD THE PAGE! Of course, once I turn on ACL 101 we're back to the page timing out.

Even though I couldn't see how the code added in February could be causing these problems, I reloaded the config from before the changes (when the router was working fine). No change in the crappy download performance! That would lead me to believe that something ELSE changed - but what?

alphacrasher - you might want to check out the "Memory Fragmentation Problem or Bug" section of this document and see if your sho mem is exhibiting this behavior. Mine isn't at the moment, but as I said I played with the ACL's this morning and am still getting good download spped at the moment.

Further thoughts anyone?
 
If it were a memory fragmentation issue it should resolve itself with a reboot.

Post the output of "show ip inspect statistics" and "show access-lists" when you get a chance.
 
Shaferbus, Baddos,

I am having identical symptoms to Shafer.

I have reset the router back to factory specs to no avail.

I suspect if it is a fragmentation problem, it is a low level memory addressing scheme that has no way to recombine it's addressing of memory into contiguous blocks, even when the memory is empty. This would explain why the problem gets worse over time.

The Cisco site states that there are no defrag routines. Their solution seems to be just add new unfragged memory and run until that gets too fragged to operate.

Would this qualify as planned obsolescence?

This might be confirmed in my case in that when I deleted the core dump files I noticed had accumulated when the problem first occurred, the problem seemed to go away for a while. But then the problem came back.

Thanks for the link to the fragmentation problem Shafferbus, it seems to confirm what I suspected.

----
Memory Fragmentation Problem or Bug

This situation means that a process has consumed a large amount of processor memory and then released most or all of it, leaving fragments of memory still allocated either by this process, or by other processes that allocated memory during the problem. If the same event occurs several times, the memory may fragment into very small blocks, to the point where all processes requiring a larger block of memory cannot get the amount of memory that they need. This may affect router operation to the extent that you cannot connect to the router and get a prompt if the memory is badly fragmented.

This problem is characterized by a low value in the "Largest" column (under 20,000 bytes) of the show memory command, but a sufficient value in the "Freed" column (1MB or more), or some other wide disparity between the two columns. This may happen when the router gets very low on memory, since there is no defragmentation routine in the IOS.

If you suspect memory fragmentation, shut down some interfaces. This may free the fragmented blocks. If this works, the memory is behaving normally, and all you have to do is add more memory. If shutting down interfaces doesn't help, it may be a bug. The best course of action is to contact your Cisco support representative with the information you have collected.

-----

I don't know how to read the show memory output but there it is below. What caught my attention for the processor line is the value in the "Lowest(b)" column which is just slightly less than the value in the "Free(b)" column - Might this have anything to do with the lowest addressable address block with respect to free memory?


dsr2#show memory
Head Total(b) Used(b) Free(b)
Processor 8238E114 84352748 15025128 69327620
Lowest(b) Largest(b)
69192660 64643608

Head Total(b) Used(b) Free(b)
I/O 7400000 12582912 2528348 10054564
Lowest(b) Largest(b)
10054564 10054464
 
It would be best if you made your own threat containing all the details of your setup. Make sure to put the IOS version, ROMMON version, running-config, etc.

If you are experiencing a slow down on your router, it is either a misconfiguration or a bug. Cisco doesn't have any time limit equipment that starts running terrible on purpose to get you to upgrade.
 
I'm having the same issue on a home router, however. It is a Linksys (cisco) WRT54G. My family has 4 pc's connected to this wireless router, but my pc is actually wired to it. Two of our pc's (mine and one wireless) have shown the diminishing download issue. The two other machines just are not used enough to know. My experience is trouble with updates to programs such as AVG-my anti virus, Java, and World of Warcraft (game). I suspect this began about early September with some dificulty updating, but definately by Ocober 12 no sizeable download will finish. The file starts to download at a completely normal speed then at about 5 seconds the speed just about halves, 10 sec again, 20 sec again... until the download speed is around 20-30 bytes/sec. The ports are all opened, for sake of experiment. Firewall appears to be set to allow what I want. I clean/defrag often enough. No clue other than your posts what may be happening. I will add to this post if I get results to share. Good luck with yours, I will watch to see what happens.
 
Baddos,

I don't know where you got the idea that this is a threat, it is a request for help.

1. Although the setup I use is more complex as I stated, I posted the minimal setup under which the problem occurs above.

2. The one-line "deny any any" inspection rule can be changed to "permit any any" (non logging) as the sole inspection rule and the problem persists,

3. The problem is identical to what Shaferbus stated: throughput drops to single bytes per second, etc.

4. If the inspection rule is removed entirely then the throughput is normal.

5. Although the setup I use is more complex, it worked fine for a couple years and only very recently did the problem appear.

6. The problem appears in any setup that has any kind of inspection rule.

Does any know if Cisco has a Flash defragmentation tool available for the 871?, If so, what is it and how much is it?

 
alphacrasher, I think baddos meant to say "thread". As in, create a new subject for your problem rather than hijacking someone else's thread.

CCNP, CCDP
 
Quadratic,

My apologies, they seemed to be the same problem according the symptoms and history.

Before I run off and create another thread, could you provide more information as to why they are different problems?
 
You have two different networks with undiagnosed problems. Similar or even identicle symptoms do not necessarily mean that they are the same problem. That kind of assumption can lead to reaching false conclusions (ie: we may rule out possibilities for one person's problem because it was ruled out in the other person's problem). I'm not an admin here, but in my opinion that is bad troubleshooting and should be avoided. I suspect that baddos asked you to create a new thread for the same reason.

CCNP, CCDP
 
Sorry for the typo lol I meant thread. Yes a complex router configuration needs to be looked over with more detail and deserves it's own thread.
 
Before I forget - thanks to all who are taking an interest in this problem! You've all been very generous with your time and advice.

The only thing I can think of to add to all of this is kind of a "what-if" based on a piece of anecdotal evidence that I haven't mentioned thus far because I couldn't figure out how it was related.

When we first started noticing a download "speed" problem earlier this year, it didn't seem to be particularly related to the size of the download, but seemed to be more an issue with downloads from particular websites. One of the first sites I had problems downloading from is sourceforge.net (which you're probably all familiar with).
I would be able to download a "large" file from WhateverWebsite.com, but ANY file I tried to download from SourceForge would slow down to a crawl and eventually time out.

Sounds like a problem with the Sourceforge.net website, doesn't it? However, if I bypassed the router, I could indeed download the file. Also, they have a ton of mirrors, and I had the same problem downloading the any file from all of them.
I was never able to identify any common element among the "problem" files or "problem" websites. It seemed unrelated to file type, geography, size... nothing seemed to predict what would download normally or what would time out.
Eventually it has become a problem with any large file from any website, or anything with lots of graphics or Flash. On the other hand, email (of any size) is unaffected. Online download speed tests from reputable sites show acceptable download performance with or without CBAC and ACL's applied, and always have. (toast.net just gave me 977 kb/s just now)

So here's my "what-if"

What if something outside of my network has changed, and the version of IOS I am running (12.4(4)T7) isn't handling it properly? Is this possible - that some newer technology has become more widely adopted in the recent past, thereby affecting my network more and more of the time?

The reason I ask is that I ran across something similar here in researching this problem. It doesn't apply to my network, but it's an example of something completely external to the router causing similar issues. In fact, some of the posts I've read about the problem in the article sounded so similar to what I'm dealing with that I started checking the TCP Window Scaling settings on our workstations (even though mine are XP and this issue deals with Vista, and my IOS version isn't supposed to be affected).

Okay, I know - now I'm REALLY reaching (Hey, they changed the internet while my back was turned! [evil])... but does it ring a chime with anyone?
 
What is your internet connection btw? Is your MTU setup correctly on your wan interface? If you disable your ip inspect but leave your access-lists in place how does it perform?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top