Slow to No Performance CISCO 1841 over T1 Line

Status
Not open for further replies.
Sep 27, 2007
Hello,

I have set up a Cisco 1841 with the following configuration and am experiencing extremely slow connections to websites over our T1 link to the Internet. I just configured this router and was wondering if anyone could find anything in my configuration that would give me an idea of what is causing this problem. Version and config are below.

**Show Version**
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3h), RELEASE SOFTWARE (fc2)
Technical Support: Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 25-Jul-07 13:43 by stshen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Testing uptime is 7 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advsecurityk9-mz.124-3h.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 234496K/27648K bytes of memory.
Processor board ID FTX1137X098
2 FastEthernet interfaces
1 Serial(sync/async) interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

**Show Config**

!
! Last configuration change at 15:26:24 CDT Wed Oct 10 2007
! NVRAM config last updated at 15:28:02 CDT Wed Oct 10 2007
!
version 12.4
service timestamps debug uptime
service timestamps log datetime msec
service password-encryption
!
hostname Testing
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
ip inspect dns-timeout 15
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound realaudio
ip inspect name outbound smtp
!
!
ip flow-cache timeout active 1
ip domain name testing.com
ip name-server X.X.X.65
!
!
!
** CRYPTOGRAPHY PORTION AND USERNAMES REMOVED **
!
!
!
!
!
interface FastEthernet0/0
description connected to Lan
ip address 10.1.1.1 255.0.0.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
description connected to the Internet
ip address X.X.X.186 255.255.255.252
ip access-group 101 in
ip inspect outbound out
ip nat outside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
no ip mroute-cache
clock rate 2000000
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.X.185
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.0.0.152 2055
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool inet_add X.X.X.38 X.X.X.38 netmask 255.255.255.248
ip nat inside source list 10 pool inet_add overload
ip nat inside source static 10.1.1.10 X.X.X.33
ip nat inside source static 10.0.0.218 X.X.X.34
ip nat inside source static 10.0.0.101 X.X.X.35
ip nat inside source static 10.1.1.12 X.X.X.36
!
logging trap debugging
logging 10.0.0.152
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 101 permit tcp any host X.X.X.33 eq 1494
access-list 101 permit tcp any host X.X.X.33 eq www
access-list 101 permit tcp any host X.X.X.33 eq 2598
access-list 101 permit tcp any host X.X.X.33 eq 443
access-list 101 permit tcp any host X.X.X.34 eq www
access-list 101 permit tcp any host X.X.X.34 eq 3000
access-list 101 permit tcp any host X.X.X.34 eq 3001
access-list 101 permit tcp any host X.X.X.34 eq 3003
access-list 101 permit tcp any host X.X.X.34 eq 8800
access-list 101 permit tcp any host X.X.X.186 eq 22
access-list 101 permit tcp any host X.X.X.35 eq www
access-list 101 permit tcp any host X.X.X.35 eq 3000
access-list 101 permit tcp any host X.X.X.35 eq 389
access-list 101 permit tcp any host X.X.X.35 eq smtp
access-list 101 permit tcp any host X.X.X.35 eq pop3
access-list 101 permit tcp any host X.X.X.35 eq 587
access-list 101 permit tcp any host X.X.X.35 eq 143
access-list 101 permit tcp any host X.X.X.35 eq domain
access-list 101 permit tcp any host X.X.X.35 eq 3002
access-list 101 permit tcp any host X.X.X.35 eq 1000
access-list 101 permit tcp any host X.X.X.35 eq 366
access-list 101 permit tcp any host X.X.X.36 eq 1494
access-list 101 permit tcp any host X.X.X.36 eq 2598
access-list 101 permit tcp any host X.X.X.36 eq www
access-list 101 permit tcp any host X.X.X.36 eq 443
access-list 101 permit tcp any host X.X.X.36 eq 3389
access-list 101 deny ip any any
snmp-server community public RO
snmp-server enable traps tty
!
!
control-plane
!
banner motd CC
Unauthorized Access to this system is strictly prohibited!!
!
line con 0
exec-timeout 0 0
privilege level 15
line aux 0
password 7 130E1B14
modem InOut
modem autoconfigure type usr_sportster
transport input all
speed 1200
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 3000 1000
end

Any help at this point would be greatly appreciated as I have been over this many times even switching routers to try and solve the issue to no avail.
 
On my routers I have my inspect facing out on the WAN and the ACL facing in on the WAN...

This allows CBAC to monitor what you are sending out and then punch holes in the ACL for it to get back in...

My ACLs only allow in specific ports for the hosts that are hosting HTTP, mail, etc. All other traffic that doesn't originate from within my network is blocked.

Here is my CBAC as an example...

ip inspect max-incomplete low 400
ip inspect max-incomplete high 20000000
ip inspect one-minute low 400
ip inspect one-minute high 100000000
ip inspect tcp synwait-time 10
ip inspect tcp max-incomplete host 100000 block-time 0
ip inspect name INSPECT pop3
ip inspect name INSPECT pop3s
ip inspect name INSPECT imap3
ip inspect name INSPECT imaps
ip inspect name INSPECT imap
ip inspect name INSPECT smtp
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT pptp
ip inspect name INSPECT l2tp
ip inspect name INSPECT dns
ip inspect name INSPECT ntp
ip inspect name INSPECT icmp
ip inspect name INSPECT syslog
ip inspect name INSPECT mysql
ip inspect name INSPECT ftp alert off
ip inspect name INSPECT tftp
ip inspect name INSPECT nfs
ip inspect name INSPECT telnet
ip inspect name INSPECT telnets
ip inspect name INSPECT ssh
ip inspect name INSPECT irc
ip inspect name INSPECT irc-serv
ip inspect name INSPECT nntp
ip inspect name INSPECT isakmp
ip inspect name INSPECT ipsec-msft
ip inspect name INSPECT 802-11-iapp


interface Dialer1
ip address negotiated
ip access-group WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect INSPECT out
ip multicast boundary 30
ip virtual-reassembly
ip route-cache flow
load-interval 30
no cdp enable

 
I believe I have the same setup if not in number of specified protocols but in what should work in general practice with the following.

ip inspect dns-timeout 15
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound realaudio
ip inspect name outbound smtp

interface Serial0/0/0
description connected to the Internet
ip address X.X.X.186 255.255.255.252
ip access-group 101 in
ip inspect outbound out
ip nat outside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
no cdp enable

Do I need a more exhaustive list of protocols in order to get traffic to pass through using the inspect commands? I figured that with inspection going on for TCP and UDP I pretty much had every base covered. Or do I need to specify all protocols exactly in order for this to work?
 
It should be fine like you have it...
I'm also only running a 1760 router and would love to trade for an 18xx series :p

My setup is similar to yours in many ways, with the static NATs and overloading as well, and my ACL is probably 3 or 4 times bigger than yours...

Are there any other routing devices on your LAN?
Could there be a duplex mismatch or something to cause the slowdown?

Just to test really quickly, though: if you drop the ACL and inspect from the interface, does it start to work better? Or no change?
 
Well, I would throw a log statement onto the deny ip any entry and see if some traffic you expect to go through is being dropped...

 
The strange thing is that I can make a single entry to the 101 access-list just defining a server and port, for instance access-list 101 permit tcp any host X.X.X.33 eq 1494, and instantly the connection to the Internet becomes unusable.

plshlpme,
I probably would have said the same thing about trading my old router last week. However, when the thing fails on a Monday and you gotta spend four hours after work driving to pick up a replacement, then you get the issues setting it up that I have had. Well, tried, true and tested seriously has its benefits.


 
Best practice when making changes to an ACL is to unapply it from the interface first.
 
I wonder if this has something to do with it. I ran a show ip inspect statistics all.

This is what it returned.

Packet inspection statistics [process switch:fast switch]
tcp packets: [4625:4021]
udp packets: [24:0]
smtp packets: [0:221]
Interfaces configured for inspection 1
Session creations since subsystem startup or last reset 3140
Current session counts (estab/half-open/terminating) [31:1:0]
Maxever session counts (estab/half-open/terminating) [47:358:4]
Last session created 00:00:00
Last statistic reset never
Last session creation rate 2432
Last half-open session total 1
Half-open session count or session creation rate exceeded

Could the line above be the reason?
 
Just tested it out; looks like it was.

I have upped the following

ip inspect one-minute high 4000
ip inspect one-minute low 3000

Now it works beautifully. Thank you all for your help: brianinms, plshlpme, burtsbees, and DanInRaleigh. Your assistance is deeply, deeply appreciated.
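As an added example (not from anyone in this thread), a small Python checker that parses the fields of `show ip inspect statistics all` quoted above, reads any `ip inspect ... high` thresholds from a running-config, and reports when the observed session creation rate or half-open peak would push CBAC into aggressive mode, which is what was throttling this router. The IOS 12.4 defaults of 500 are my assumption, and the sample output is constructed from the numbers posted in the thread.

```python
import re

# CBAC aggressive-mode defaults on IOS 12.4 as assumed here; confirm them with
# `show ip inspect config` on the router you are examining.
DEFAULTS = {"one-minute high": 500, "max-incomplete high": 500}

# Constructed sample, modelled on the `show ip inspect statistics all` output
# posted in the thread (not a capture from the poster's router).
SAMPLE_STATS = """\
Current session counts (estab/half-open/terminating) [31:1:0]
Maxever session counts (estab/half-open/terminating) [47:358:4]
Last session creation rate 2432
Last half-open session total 1
Half-open session count or session creation rate exceeded
"""

def parse_inspect_stats(text):
    """Extract the fields that decide whether CBAC is in aggressive mode."""
    maxever = re.search(r"Maxever session counts .*?\[(\d+):(\d+):(\d+)\]", text)
    rate = re.search(r"Last session creation rate (\d+)", text)
    return {
        "maxever_half_open": int(maxever.group(2)) if maxever else 0,
        "creation_rate": int(rate.group(1)) if rate else 0,
        # IOS prints this line once either threshold has been crossed.
        "exceeded_flag": "creation rate exceeded" in text,
    }

def parse_thresholds(config_text, defaults=DEFAULTS):
    """Read the `ip inspect ... high N` lines from a running-config; a threshold
    that is not set explicitly keeps its default."""
    thresholds = dict(defaults)
    for key in thresholds:
        m = re.search(rf"^ip inspect {key} (\d+)$", config_text, re.M)
        if m:
            thresholds[key] = int(m.group(1))
    return thresholds

def check_aggressive_mode(stats, thresholds):
    """Return the reasons CBAC would start dropping half-open sessions."""
    findings = []
    if stats["creation_rate"] > thresholds["one-minute high"]:
        findings.append(f"creation rate {stats['creation_rate']}/min exceeds "
                        f"one-minute high {thresholds['one-minute high']}")
    if stats["maxever_half_open"] > thresholds["max-incomplete high"]:
        findings.append(f"half-open peak {stats['maxever_half_open']} exceeds "
                        f"max-incomplete high {thresholds['max-incomplete high']}")
    return findings
```

Run `check_aggressive_mode(parse_inspect_stats(SAMPLE_STATS), parse_thresholds(open("running-config").read()))`: with the original config it flags the 2432/min creation rate against the default 500, and with `ip inspect one-minute high 4000` added it returns no findings, matching what the thread found.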
 
You know what...I was just reading that in my CCSP book...this post had me break that book out! I like when something does that. That is a great tip/thing to look for. Thanks for the post!

Burt
 