871 Java download slowness

Beamer030608

IS-IT--Management
Nov 11, 2010
5
US
All,

I have viewed several other threads and I have decided to start my own thread. We currently have an 871 router set up to handle all traffic due to the firewall feature and our N2H2 filter. On any computer we start up, if we allow Java to go out and download the update, it reports that it will take over 5 hours to download. This happens on both the wired and wireless side. This happens during business and after business hours. Our download speed is around 21 megs. At the same time I keep getting this error:
IP_VFR-4-FRAG_TABLE_OVERFLOW: Vlan400

I believe the two are related but I cannot be sure. Thank you for any help you can provide.
My IOS ver is c870-advipservicesk9-mz.124-4.t4.bin
I have been thinking about upgrading to a much newer IOS ver since that is what is recommended in previous posts. I do see very high proc util. during business hours but I don't believe this to be the issue with the large download slowness.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <<Router>>
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console critical
enable secret 5 <<password hash>>
!
no aaa new-model
!
resource policy
!
clock timezone EDT -4
clock summer-time PCTime date Apr 6 2003 3:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
no ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool AP_Management
network 10.20.64.0 255.255.255.0
default-router 10.20.64.1
dns-server 192.168.1.20 192.168.1.10
domain-name <<domain>>
option 43 hex f104.0a14.00d2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name <<domain>>
ip name-server 192.168.1.20
ip name-server 192.168.1.10
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
ip inspect name SDM_LOW http java-list 51
ip urlfilter server vendor n2h2 172.17.20.10
!
!
<<crypto stuff>>


username <<user1>>
username << user2>>
!
!
!
!
!
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
switchport access vlan 750
!
interface FastEthernet2
switchport access vlan 750
!
interface FastEthernet3
switchport access vlan 5
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address <<cable internet IP>>
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip virtual-reassembly max-fragments 64 max-reassemblies 32
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan5
description $FW_INSIDE$
ip address 10.20.99.2 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan750
ip address 172.17.20.1 255.255.252.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan400
description AP Management Vlan
ip address 10.20.64.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan401
description Wireless Data Vlan
ip address 172.17.144.1 255.255.252.0
ip helper-address 172.17.24.66
ip nat inside
ip virtual-reassembly
!
interface Vlan402
description Wireless Guest Vlan
ip address 172.17.152.1 255.255.255.0
ip access-group restrict-internet in
ip helper-address 172.17.24.66
ip nat inside
ip virtual-reassembly
!
interface Vlan4
no ip address
ip access-group 102 in
shutdown
!
router eigrp 100
passive-interface FastEthernet4
passive-interface Vlan1
network 10.20.0.0 0.0.0.3
network 10.20.0.0 0.0.0.255
network 10.20.64.0 0.0.0.255
network 10.20.99.0 0.0.0.3
network 172.17.20.0 0.0.3.255
network 172.17.144.0 0.0.3.255
network 172.17.152.0 0.0.3.255
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 173.163.198.226
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 172.17.20.10 3389 interface FastEthernet4 3389
!
ip access-list extended restrict-internet
permit udp any host 172.17.24.66 eq bootps
permit udp any host 172.17.20.10 eq domain
permit tcp any host 172.17.20.10 eq 9014
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.168.0.0 0.0.255.255 log
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.17.20.0 0.0.3.255
access-list 1 permit 172.17.144.0 0.0.3.255
access-list 1 permit 172.17.152.0 0.0.0.255
access-list 1 permit 10.20.0.0 0.0.0.3
access-list 51 deny any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 172.17.20.10 eq 4005 host 10.20.0.2
access-list 101 permit udp host 192.168.1.10 eq 4005 host 10.120.0.2
access-list 101 deny ip 172.17.20.0 0.0.3.255 any
access-list 101 deny ip 172.17.144.0 0.0.3.255 any
access-list 101 deny ip 172.17.152.0 0.0.0.255 any
access-list 101 remark Deny traffic destined to the Wirless Guest Network
access-list 101 permit ip host 172.17.24.66 172.17.152.0 0.0.0.255
access-list 101 permit ip host 192.168.1.10 172.17.152.0 0.0.0.255
access-list 101 permit ip host 192.168.1.20 172.17.152.0 0.0.0.255
access-list 101 deny ip any 172.17.152.0 0.0.0.255
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 172.17.20.10 eq 4005 host 172.17.20.1
access-list 102 deny ip 10.20.0.0 0.0.0.3 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.17.20.0 0.0.3.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 192.168.1.10 eq domain any
access-list 104 permit udp host 192.168.1.20 eq domain any
access-list 104 deny ip 10.20.0.0 0.0.0.3 any
access-list 104 deny ip 172.17.20.0 0.0.3.255 any
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any log
snmp-server community <<info>> RO
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17174812
ntp server 172.17.32.32 prefer
end
 
A couple of things I noticed are that you are using some VPN connections and have adjust-mss enabled on one of your interfaces.

Being that your Internet is a cable connection, you should do a couple of things to first check your cable modem MTU. Try pinging 173.163.198.226 with a large 1500 byte ping.
Code:
ping 173.163.198.226 size 1500 df-bit

Using the command above, the router will attempt to ping your ISP's router with a 1500 byte packet but it will not attempt to fragment it. If the pings are unsuccessful, try a lower size packet until you get successful pings. When you get a successful ping, write that number down and apply that as your MTU on your interface FastEthernet4.

Now that you have established your WAN's real MTU, you need to adjust the internal interfaces' MSS value for that size minus any VPN overhead. If you're using IPSEC, subtract 52 bytes from that number and apply that to your internal interfaces via the "ip tcp adjust-mss (wanmtu-52)" command.

Once you have that done, try pinging a host through your VPN tunnels and check the MTU size again. If you do not get responses when using the df-bit, you may need to lower your MSS again, as the other side of your VPN connection may have an even lower MTU.

By reducing your router's fragment processing you will dramatically increase its performance, especially when using VPN connections.
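
The probing procedure in the reply above, as an added example that is not part of the original thread: a binary search over DF-bit ping sizes, followed by the MSS arithmetic and the resulting interface commands. The `probe` callable, the simulated 1492-byte path and the use of `ip mtu` to apply the result are assumptions; sizes are whole IP datagram sizes, as with the IOS `ping ... size` option.

```python
"""Added example: find the largest DF-bit ping size that passes, then derive
the WAN MTU and the inside-interface TCP MSS, as the reply above describes."""

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)
IPSEC_OVERHEAD = 52   # figure given in the reply for IPsec tunnels


def largest_df_size(probe, low=576, high=1500):
    """Binary-search the biggest datagram size for which probe(size) is True.

    probe(size) stands in for `ping <next-hop> size <size> df-bit`; it must
    return True when the ping is answered. Returns None if even `low` fails.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2      # round up so the loop terminates
        if probe(mid):
            low = mid                    # mid fits, try larger
        else:
            high = mid - 1               # mid was dropped, try smaller
    return low


def mss_for(wan_mtu, ipsec=False):
    """MSS to clamp to: the reply's MTU-52 rule with IPsec, else MTU-40."""
    return wan_mtu - (IPSEC_OVERHEAD if ipsec else IP_TCP_HEADERS)


def ios_lines(wan_if, inside_ifs, wan_mtu, ipsec=False):
    """Render interface commands; `ip mtu` is an assumed way to set the MTU."""
    out = [f"interface {wan_if}", f" ip mtu {wan_mtu}", "!"]
    for name in inside_ifs:
        mss = mss_for(wan_mtu, ipsec)
        out += [f"interface {name}", f" ip tcp adjust-mss {mss}", "!"]
    return out


def simulated_path(path_mtu):
    """Constructed stand-in for the real link: DF pings above path_mtu fail."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    mtu = largest_df_size(simulated_path(1492))   # constructed path MTU
    print("\n".join(ios_lines("FastEthernet4", ["Vlan1", "Vlan750"], mtu)))
```

To use it against a real link, replace `simulated_path` with a function that runs the DF-bit ping and reports whether replies came back.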
 
Well, I actually do not even use VPN, so I can just remove those statements?

I went ahead and removed "ip tcp adjust-mss 1452" from int vlan1 and 750.
 
You still need to adjust the mss even without using the vpn. You can see this yourself with that fragment overload error message.
 