I'm far from an IOS expert, so I'm hoping that someone can tell me if I have a configuration problem or a hardware problem.
Our office network is behind a Cisco 871 router connected to a T1, with 512 Kb/s dedicated to internet bandwidth (the rest is for voice lines). Over the past several months, we have been having problems with slow internet downloads. At first, it was just large files (2+ Mb, not THAT large...), and only sometimes. The file starts downloading fine, and then the download speed drops off to nothing. I know the speed indication in the IE download dialog isn't exactly a scientific measurement, but it would start off at 100+ Kb/s, but after a few hundred Kb, it would start dropping until it reached bytes/sec speeds, and eventually fail. Now it's degraded to the point that web pages with a lot of graphics take a long time to load, and downloading a file of any size (like AV updates) is practically impossible!
If I bypass the router and connect my PC directly to the ISP's WAN connection, the problem disappears.
The weird thing is, internet speed tests (connected through the router) show a download rate that is well within normal parameters for our connection, even if I run it while a simple PDF download has slowed to 90 bytes/sec!
I've replaced cables to and from the router, power cycled everything multiple times, and unplugged everything but the router and my PC, with no effect.
The IOS configuration (below) has not been altered in at least 6 months. Can anyone see anything there that would cause a cumulative problem, or does it sound like the 871 is FUBAR?
Any other suggestions?
Thanks
Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 <<password cipher>>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.16.61 192.168.16.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.16.0 255.255.255.0
dns-server 216.135.95.2 64.132.94.250
default-router 192.168.16.1
!
ip dhcp pool <<server>>
host 192.168.16.2 255.255.255.0
hardware-address 00c0.9f10.d8a6
!
ip dhcp pool <<A PC>>
host 192.168.16.3 255.255.255.0
hardware-address 0016.41ef.439d
!
ip dhcp pool <<Another PC>>
host 192.168.16.4 255.255.255.0
hardware-address 000d.6071.7798
!
ip dhcp pool <<Yet Another PC>>
host 192.168.16.14 255.255.255.0
hardware-address 0040.ca36.35b3
!
ip dhcp pool <<Printer>>
host 192.168.16.13 255.255.255.0
hardware-address 0000.f0a2.9947
!
ip dhcp pool <<Another Printer>>
host 192.168.16.30 255.255.255.0
hardware-address 0880.1fff.22b1
!
ip dhcp pool <<Yet Another Printer>>
host 192.168.16.60 255.255.255.0
hardware-address 0000.aaad.9445
!
ip dhcp pool Shop
host 192.168.16.5 255.255.255.0
hardware-address 0040.f473.55aa
!
ip dhcp pool maintenance2
host 192.168.16.6 255.255.255.0
hardware-address 0009.6bf3.a799
!
ip dhcp pool shopmgr
host 192.168.16.7 255.255.255.0
hardware-address 0040.2b4d.cfea
!
ip dhcp pool mezzanine
host 192.168.16.8 255.255.255.0
hardware-address 0001.29d3.9cd4
!
!
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 802-11-iapp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 https
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.135.95.2
ip name-server 64.132.94.250
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
appfw policy-name DEFAULT100
application http
strict-http action allow
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1834174675
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1834174675
revocation-check none
rsakeypair TP-self-signed-1834174675
!
!
crypto pki certificate chain TP-self-signed-1834174675
certificate self-signed 01
<<All the Certificate Stuff>>
quit
username admin privilege 15 secret 5 <<Password>>
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_POOL_1
!
crypto isakmp client configuration group SHAFERVPN
key <<VPN Key>>
dns 192.168.16.1 192.168.16.2
wins 192.168.16.2
domain <<Our Domain>>
pool SDM_POOL_1
acl 105
include-local-lan
pfs
max-users 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 66.192.xxx.xxx 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.16.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip classless
ip route 0.0.0.0 0.0.0.0 66.192.43.1
!
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.16.14 80 interface FastEthernet4 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any any eq www
access-list 100 remark GoChart Schedule
access-list 100 permit tcp any any eq 8085
access-list 100 remark Permit shafers website
access-list 100 permit tcp any any eq 8082 log
access-list 100 permit udp host 192.168.16.2 eq domain any
access-list 100 permit tcp any any eq 4443
access-list 100 deny ip 66.192.xxx.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for NTP (123) ntp.twtelecom.net
access-list 101 permit udp host 207.250.222.200 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit ip host 192.168.17.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.17.55 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.50 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.51 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.52 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.53 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.54 192.168.16.0 0.0.0.255
access-list 101 permit ip host 192.168.16.55 192.168.16.0 0.0.0.255
access-list 101 permit udp any host 66.192.xxx.xxx eq non500-isakmp
access-list 101 permit udp any host 66.192.xxx.xxx eq isakmp
access-list 101 permit esp any host 66.192.xxx.xxx
access-list 101 permit ahp any host 66.192.xxx.xxx
access-list 101 remark Auto generated by SDM for NTP (123) nist1-ny.witime.net
access-list 101 permit udp host 208.184.49.9 eq ntp host 66.192.xxx.xxx eq ntp
access-list 101 permit udp host 64.132.94.250 eq domain any
access-list 101 permit udp host 216.135.95.2 eq domain any
access-list 101 permit tcp any any eq www
access-list 101 remark GoChart Schedule
access-list 101 permit tcp any any eq 8085
access-list 101 permit tcp any any eq 8082 log
access-list 101 remark SSL
access-list 101 permit tcp any any eq 4443
access-list 101 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 66.192.xxx.xxx echo-reply
access-list 101 permit icmp any host 66.192.xxx.xxx time-exceeded
access-list 101 permit icmp any host 66.192.xxx.xxx unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.16.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.50
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.51
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.52
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.53
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.54
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.17.55
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.50
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.51
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.52
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.53
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.54
access-list 103 deny ip 192.168.16.0 0.0.0.255 host 192.168.16.55
access-list 103 permit ip 192.168.16.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175186
ntp server 207.250.222.200 source FastEthernet4 prefer
end