Cisco 851w internet connection slow

[rickrude11]

Hi Guys,
I bought a cisco 851w to replace my linksys router for my cable connection.

I am using one of those broadband speed testing sites to test my connection. When I plug the pc into the linksys router or directly to the cable modem, i get <> 24000kb/s. When I go through the cisco router I get 3000kb/s.

If I am using the cisco router, and download a file with 'down them all' firefox extension, which splits the file into multiple connections, it downloads at over 2MB/s (that is megabytes). So this means that the router is limiting bandwidth per connection or something ??

Any suggestions appreciated. Below is my config.

---------------------------------------------------------

Current configuration : 4229 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW_Router
!
boot-start-marker
boot-end-marker
!
logging buffered 64000 debugging
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$
!
no aaa new-model
!
resource policy
!
clock timezone bris 10
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.5.1 10.0.5.100
ip dhcp excluded-address 10.0.5.110 10.0.5.254
!
ip dhcp pool LAN1
   import all
   network 10.0.5.0 255.255.255.0
   default-router 10.0.5.1
   domain-name home.local
   dns-server 4.2.2.2
   lease 14
!
!
ip cef
ip inspect log drop-pkt
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND bootpc
ip inspect name OUTBOUND bootps
ip inspect name OUTBOUND icmp
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND http
ip inspect name OUTBOUND https
ip inspect name OUTBOUND pop3
ip inspect name OUTBOUND ssh
ip inspect name OUTBOUND telnet
no ip domain lookup
ip domain name home.local
ip ssh version 2
!
!
!
username admin secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxx address x.x.x.x
!
crypto isakmp peer address x.x.x.x
!
!
crypto ipsec transform-set XXXXX esp-3des esp-sha-hmac
!
crypto map XXXXXMAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set XXXXX
 match address XXXXX_LAN
!
!
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip access-group INCOMING in
 ip inspect OUTBOUND out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 speed 100
 full-duplex
 no cdp enable
 crypto map XXXXXMAP
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Vlan1
 ip address 10.0.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.0.5.102 56357 interface FastEthernet4 56357
ip nat inside source static udp 10.0.5.102 4882 interface FastEthernet4 4882
ip nat inside source static tcp 10.0.5.102 4992 interface FastEthernet4 4992
ip nat inside source static tcp 10.0.5.102 40000 x.x.x.x 40000 route-map
 NO_NAT_FLIN extendable
!
ip access-list standard SSH_IN
 permit x.x.x.0 0.0.0.255
 permit x.x.x.0 0.0.0.255
 permit 10.0.5.96 0.0.0.15
 permit 172.16.32.0 0.0.0.255
 permit x.x.x.0 0.0.0.255
!
ip access-list extended FLIN_TO_XXXXX
 deny   ip host 10.0.5.102 172.16.32.0 0.0.0.255
 deny   ip host 10.0.5.102 x.x.x.0 0.0.0.255
 permit ip 10.0.5.0 0.0.0.255 any
 remark DENIES NAT FOR FLIN TO XXXXX VIA TUNNEL
ip access-list extended INCOMING
 permit tcp x.x.x.0 0.0.0.255 any eq 22
 permit tcp x.x.x.0 0.0.0.255 any eq 3389
 permit tcp x.x.x.0 0.0.0.255 any eq 40000
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit tcp any any eq 56357
 permit ip x.x.x.0 0.0.0.255 any
 permit tcp host 172.16.32.40 any eq 40000
 permit tcp any any eq 4992
 permit udp any any eq 4882
ip access-list extended XXXXX_LAN
 permit ip 10.0.5.0 0.0.0.255 172.16.32.0 0.0.0.255
 permit ip 10.0.5.0 0.0.0.255 x.x.x.0 0.0.0.255
 permit ip 10.0.5.0 0.0.0.255 host x.xx.x
ip access-list extended NAT
 deny   ip 10.0.5.0 0.0.0.255 x.x.x.0 0.0.0.255
 deny   ip 10.0.5.0 0.0.0.255 172.16.32.0 0.0.0.255
 permit ip 10.0.5.0 0.0.0.255 any
!
route-map NO_NAT_FLIN permit 10
 match ip address FLIN_TO_XXXXX
!
!
control-plane
!
banner login ^C
**************************************
WARNING: UNAUTHORISED ACCESS PROHIBITED.
         LOG OUT IMMEDIATELY.
**************************************
^C
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class SSH_IN in
 exec-timeout 30 0
 logging synchronous
 login local
!
scheduler max-task-time 5000
end

 

[burtsbees]

Could there be a mistake the way you're reading the numbers? 24,000kbps=3000kBps...

Burt

 

[rickrude11]

not a chance

 

[burtsbees]

With DTA, you only get 16Mbps...
what site did you use for the dl test? I'm at a loss---that was an extreme shot in the dark, the 24 vs 3, but a coincidence that 8X3=24, 8 bits in a byte...

Burt

 

[rickrude11]

yea it is a bit of a coincidence, but now its testing at under 1000kb/s. Yes, lower case b = bits

After a reboot it was back up to 3mb/s. Again, i plugged directly into the modem and it was 22000kb/s... same site.

http://www.zdnet.com.au/broadband/speedtest.htm

I am going to wipe all my config and start from scratch... without cbac or crypto.

 

[burtsbees]

Well, I could maybe see cbac tax the proc a bit, and maybe slow the bw, and also ip virtual-reassembly in conjunction with cbac, but not the vpn config. But good idea. Please let me know. There was another post in here that was similar---a 10MB outgoing interface limited to 5---I'll try and find it.

Burt

 

[ADB100]

speed 100
full-duplex

Are you sure this is correct? Are you hard-coding the PC when you connect it directly?

I have an 877 which should be comparable in performance and via that website it tells me 7000+ consistently and I am in the UK.

Andy

 

[BuckWeet]

Yes.. take off hard coding of the link for the cable modem interface.. Unless the other end is hard coded this will cause problems.

do a 'show proc cpu history' when you are testing to see if there is high cpu usage.. If there is high usage do a 'show proc cpu sorted' to find what process is causing the high cpu.

You might also remove the crypto map when testing..

 

[rickrude11]

Thanks for the suggestions guys. I originally had it set to auto, and in my troubleshooting, changed it to static. I have changed it back now.

This was the highest output...
67 4100 8689 471 0.16% 0.07% 0.02% 0 IP Input

Re doing the config did nothing. I am thinking about downgrading the ios to an earlier version. Im at 12.4 with Adv security feature set.

What do you guys think, is it worth trying the downgrade?

 

[burtsbees]

Yes---it could be a buggy IOS. Hell, I'd even do something like i-mz or IP Plus (is-mz)...
Save the config, and wipe it clean, with only one pc attached, and do the most basic config to test it. This would take 10-15 minutes, maybe, and would eliminate a lot. If after a test like this the thing is still slow, then either there actually is a bug in that IOS that causes what you are experiencing, or perhaps you should set the fa4 interface to 10/half...
Also, why is this there...
ip tcp adjust-mss 1460
???
For adsl I know the max segment size should be 1452, as mtu should be 1492 (mss=mtu minus 40 bytes).

Burt

 

[rickrude11]

yea i'm not sure about the mss either, I was trying different things.

I will hunt down an older ios and keep you posted

 

[burtsbees]

Cool...

If anything, when adjusting mss, I'd go lower...

Burt

 

[rickrude11]

update..

I updated to a later revision of 12.4, and now I get around 12Mb/s when connecting through router, and 17Mb/s when connected directly to modem. This is using my ISPs speed testing site.

http://users.bigpond.net.au/speedtest/

So if I'm getting 17mb/s directly to my isp, I'm not sure how I was getting 24?

 

[burtsbees]

Try changing
ip tcp adjust-mss 1460
to
ip tcp adjust-mss 1452
and also on the vlan 1 interface...
ip mtu 1492

Burt

 

[rickrude11]

hey burt, I did what you suggested, and there was little difference. Apparently for my cable connection the correct mtu is 1500.

Appreciate your help all the same.

 

[ADB100]

I spoke to someone recently who has a 24Mb cable connection (in the UK) presented as 100Mbs Ethernet and they said the performance with his 1841 was nowhere near what it was previously when he used a PIX 501. He replaced the 1841 for an ASA 5505 and said the performance returned. It might just be the throughput limitation if the 851?

Andy

 

[BuckWeet]

You want the MSS command in there for the VPN tunnel that you have setup.. this prevents fragmentation.