Slow Internet!!!

weinmatt

IS-IT--Management
Dec 30, 2004
113
US
I have a PIX 515 and we seem to be having a problem with it stealing some of our bandwidth. I have connected my laptop straight to the T1 and have gotten full speed, but when connected to the firewall we only get 1256kb/s down. (On the laptop I got about 1450 kb/s down.)

I am no Cisco expert, but can change a config to make it work.

Is there anything in this config that would be slowing down the internet?

We have a Cavalier T1.

Thanks in advance!

PIX Version 7.1(1)
!
hostname PIX515E
domain-name marathonllc.com
enable password RPN.WPaKy.QDNIg/ encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 98.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
passwd RPN.WPaKy.QDNIg/ encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name marathonllc.com
access-list 105 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq smtp
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq imap4
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 5721
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 8081
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
pager lines 24
logging enable
logging timestamp
logging device-id hostname
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.0.11.1-10.0.11.254
icmp permit any outside
icmp permit host 98.xxx.xxx.xxx echo-reply outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.252 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.251 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.130 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 98.141.237.113 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server arkhonauth protocol radius
aaa-server arkhonauth host 10.0.10.252
group-policy vpnremote internal
group-policy vpnremote attributes
wins-server value 10.0.10.250
dns-server value 10.0.10.250 10.0.10.252
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
default-domain value arkhon.com
user-authentication-idle-timeout 1
username weinmatt password L4qZOK6SsIafyoVm encrypted privilege 15
http server enable
http 129.xxx.xxx.xxx 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
isakmp identity address
isakmp enable outside
tunnel-group 66.xxx.xxx.xxx type ipsec-l2l
tunnel-group vpnremote type ipsec-ra
tunnel-group 75.xxx.xx.xxx type ipsec-l2l
tunnel-group 76.xxx.xx.xxx type ipsec-l2l
telnet 216.xxx.xx.xx 255.255.255.255 outside
telnet 65.xxx.xx.x 255.255.255.255 outside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 129.2.236.0 255.255.254.0 outside
ssh timeout 3
ssh version 1
console timeout 0
dhcpd address 10.0.10.100-10.0.10.200 inside
dhcpd dns 10.0.10.252 10.0.10.250
dhcpd wins 10.0.10.252
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain marathonllc.local
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:3229ddfa2728df4720937f7d5a924604
: end
PIX515E#

 
That's only a 194kb difference. Looks like you set up a VPN tunnel to a remote host... that could be the reason; it's called overhead.
 
I have removed those tunnels/VPNs as we were not using them. I ran a sh int and it shows me this.

I don't think those tunnels are causing the slowdown. Sometimes it's much slower than 200k.

How do I tell what is causing the below errors?

Thanks.

PIX515E# sh int
Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 000f.34ac.f321, MTU 1500
IP address 98.xxx.xxx.xxx, subnet mask 255.255.255.248
3979957 packets input, 3452906123 bytes, 0 no buffer
Received 1604 broadcasts, 997 runts, 0 giants
5829 input errors, 2925 CRC, 2904 frame, 0 overrun, 2925 ignored, 0 abort
0 L2 decode drops
3687195 packets output, 779068910 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/5)
output queue (curr/max blocks): hardware (0/19) software (0/1)
Traffic Statistics for "outside":
3973751 packets input, 3393793061 bytes
3687774 packets output, 707832645 bytes
174299 packets dropped
Interface Ethernet1 "inside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 000f.34ac.f322, MTU 1500
IP address 10.0.10.1, subnet mask 255.255.255.0
3726345 packets input, 783730732 bytes, 0 no buffer
Received 281176 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3855071 packets output, 3265572320 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/19)
output queue (curr/max blocks): hardware (0/5) software (0/1)
Traffic Statistics for "inside":
3726968 packets input, 721600087 bytes
3855115 packets output, 3204480959 bytes
187206 packets dropped
PIX515E#
 
What is the inside interface connected to? A switch? What is that speed set at? How many switches or hops are there between your PIX and desktop? I see your 'inside' is set for 'auto' 'auto'; have you tried to hard code it to duplex full speed 100? Also, there looks to be static on your line: 5829 input errors, 2925 CRC, 2904 frame, 0 overrun, 2925 ignored, 0 abor
You don't want to see input errors or CRC errors. May want to open a ticket with telco to test after hours.

Lastly, don't post enable password RPN.WPaKy.QDNIg/ encrypted; there are tools that can decrypt your password.
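Added example, not part of the thread: one way to scrub a PIX `show run` before pasting it into a public forum, covering the credential lines that appear in the config above (`enable password`, `passwd`, `username ... password`, `snmp-server community`) and any globally routable IPv4 address. The function name, the `<removed>` and `x.x.x.x` markers and the sample config are constructed for illustration.

```python
import ipaddress
import re

# Keyword lines in a PIX "show run" whose value is a credential or its hash.
SECRET_RULES = [
    ("enable password", re.compile(r"^(enable password )\S+", re.M)),
    ("passwd", re.compile(r"^(passwd )\S+", re.M)),
    ("username password", re.compile(r"^(username \S+ password )\S+", re.M)),
    ("snmp community", re.compile(r"^(snmp-server community )\S+", re.M)),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input; the hashes and public addresses are made up.
SAMPLE = """enable password AAAAAAAAAAAAAAAA encrypted
passwd AAAAAAAAAAAAAAAA encrypted
ip address 10.0.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
username admin password BBBBBBBBBBBBBBBB encrypted privilege 15
snmp-server community public
ssh 1.2.2.0 255.255.254.0 outside
"""


def sanitize(config):
    """Return (sanitized_config, list describing what was redacted)."""
    findings = []
    for label, pattern in SECRET_RULES:
        config, count = pattern.subn(r"\1<removed>", config)
        if count:
            findings.append(label)

    masked = []

    def mask_ip(match):
        # Keep RFC 1918 hosts, netmasks and 0.0.0.0; mask routable addresses.
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:  # four dotted numbers that are not an address
            return match.group(0)
        if not addr.is_global:
            return match.group(0)
        masked.append(match.group(0))
        return "x.x.x.x"

    config = IPV4.sub(mask_ip, config)
    if masked:
        findings.append(f"{len(masked)} public IPv4")
    return config, findings
```

Redaction by hand is easy to get half right: the same hash often sits on both the `enable password` and `passwd` lines, and a routable address can survive on a `route`, `http` or `ssh` line after the interface address has been masked.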
 
Could be a bad cable between the PIX and the router.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It's the outside interface having the problem. There is a duplex and/or speed mismatch.

Make sure it's either set to auto on both ends or the same manual setting on both ends. You cannot have, say, the router set to auto and the PIX set to 100/full.

I would recommend leaving all your interfaces on auto unless there is a compatibility issue.
 
Large amounts of CRC errors with little to no collisions or output errors usually points to excessive noise (i.e. bad cable).

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I will go ahead and swap out the cable tomorrow and let you know what happens.

Thanks for all the advice!
 
I just switched out the crossover cable and the speed has not changed.

I am getting about 800kb/s down and 1400kb/s up. I'm not sure why the down is so much slower than the up?

Anything in the config that it could be? I have cleaned up the config a bit. Here it is again.



Thanks!!!

PIX515E# sh run
: Saved
:
PIX Version 7.1(1)
!
hostname PIX515E
domain-name marathonllc.com
enable password xxxx.xxx.xxx/ encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 98.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
passwd RPN.WPaKy.QDNIg/ encrypted
boot system flash:/image.bin
ftp mode passive
dns server-group DefaultDNS
domain-name marathonllc.com
access-list 105 extended permit ip 10.0.10.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq smtp
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq imap4
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 5721
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq www
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq https
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 8081
access-list outside_acl extended permit tcp any host 98.xxx.xxx.xxx eq 3389
pager lines 24
logging enable
logging timestamp
logging device-id hostname
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit host 98.xxx.xxx.xxx echo-reply outside
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.252 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.251 netmask 255.255.255.255
static (inside,outside) 98.xxx.xxx.xxx 10.0.10.130 netmask 255.255.255.255
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server arkhonauth protocol radius
aaa-server arkhonauth host 10.0.10.252
username weinmatt password xxxxxxxxxxxxxx encrypted privilege 15
http server enable
http 129.2.237.198 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
isakmp identity address
isakmp enable outside
telnet 10.0.10.0 255.255.255.0 inside
telnet timeout 5
ssh 129.2.236.0 255.255.254.0 outside
ssh timeout 3
ssh version 1
console timeout 0
dhcpd address 10.0.10.100-10.0.10.200 inside
dhcpd dns 10.0.10.252 10.0.10.250
dhcpd wins 10.0.10.252
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain marathonllc.local
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:3ee2ff646d54f8cd51a9580f95117db9
: end
PIX515E#

Here is the sh int on the outside interface... still getting errors.

Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 000f.34ac.f321, MTU 1500
IP address 98.xxx.xxx.xxx, subnet mask 255.255.255.248
13615 packets input, 10007003 bytes, 0 no buffer
Received 1 broadcasts, 5 runts, 0 giants
5 input errors, 3 CRC, 2 frame, 0 overrun, 3 ignored, 0 abort
0 L2 decode drops
12179 packets output, 6088411 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/2)
output queue (curr/max blocks): hardware (0/2) software (0/1)
Traffic Statistics for "outside":
13597 packets input, 9796724 bytes
12169 packets output, 5853440 bytes
373 packets dropped
 
You still have some CRC errors, but that is a pretty low percentage of packets overall. What is connected to the outside interface?? If it's a router can you post the config for the interface??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
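Added example, not part of the thread: a small parser that turns `sh int` output into a per-interface input error rate, so the two captures posted above can be compared as percentages instead of raw counts. The counter lines in the samples are copied from those two outputs (trimmed to the relevant lines); the function and variable names are constructed for illustration.

```python
import re

IFACE = re.compile(r'^Interface (\S+) "([^"]+)"', re.M)
COUNTERS = ("packets input", "runts", "input errors", "CRC", "frame",
            "collisions", "late collisions")

# Trimmed copies of the two captures in the thread (before and after the cable swap).
BEFORE = """Interface Ethernet0 "outside", is up, line protocol is up
3979957 packets input, 3452906123 bytes, 0 no buffer
Received 1604 broadcasts, 997 runts, 0 giants
5829 input errors, 2925 CRC, 2904 frame, 0 overrun, 2925 ignored, 0 abort
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
Interface Ethernet1 "inside", is up, line protocol is up
3726345 packets input, 783730732 bytes, 0 no buffer
Received 281176 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
"""
AFTER = """Interface Ethernet0 "outside", is up, line protocol is up
13615 packets input, 10007003 bytes, 0 no buffer
Received 1 broadcasts, 5 runts, 0 giants
5 input errors, 3 CRC, 2 frame, 0 overrun, 3 ignored, 0 abort
"""


def parse_show_interface(text):
    """Map each nameif to its counters plus the input error rate in percent."""
    starts = [m.start() for m in IFACE.finditer(text)] + [len(text)]
    report = {}
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        stats = {}
        for name in COUNTERS:
            # First hit only: the hardware counters come before the
            # per-nameif "Traffic Statistics" totals in the full output.
            hit = re.search(r"(\d+) " + re.escape(name) + r"\b", block)
            stats[name] = int(hit.group(1)) if hit else 0
        seen = stats["packets input"]
        stats["input error %"] = 100 * stats["input errors"] / seen if seen else 0.0
        report[IFACE.match(block).group(2)] = stats
    return report


if __name__ == "__main__":
    for label, capture in (("before", BEFORE), ("after", AFTER)):
        for nameif, stats in parse_show_interface(capture).items():
            print(label, nameif, f'{stats["input error %"]:.3f}%', stats)
```

The counters are cumulative since they were last cleared or the unit rebooted, so a capture taken shortly after a change shows small absolute numbers; the percentage is what makes the two comparable.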
 
Try changing your outside:
interface Ethernet0
speed 100
duplex full
nameif outside

to auto auto

unless you are positive it should be 100/full
 