Constant and Random Internet Slowing/Lagging. How to verify WAN or LAN

TheGoob
VIP

Morning.

So I am running FPR1010 FDM w/ 7.6.0-113 Software and a pretty straight configuration.

Now I had this exact problem running through [this order] Cisco ISR C1111 [ZBFW NAT and ACLs] to a FPR1010 FDM [Added ACLs] to a SG350XG [DHCP Servers, DNS Servers]. After some research the theory was, for my Internet, I simply had too many devices and too much overhead so I went to 1 device, the FPR1010.

Where it stands everything is awesome and fun and then it is not. TV just spins, online gaming is like 800-2000 ms ping. The whole internet just stops. I can ping internally but nothing going outside will ping. 8.8.8.8/1.1.1.1 google.com etc all time out, then maybe I will get a ping, then stops. This will go on for an hour to two if I let it.

My goal here is how does one troubleshoot with limited ability [knowledge of such] / resources [money to pay for these fancy tools].

Also, and this is simply an observation and not an accusation because the fault, if any, would be my misconfiguration of any or all the devices BUT #1 when I remove my fancy Cisco firewalls and use my simple C4000 DSL modem, I will have 0 lag/connectivity issues indefinitely. #2 If I shut down [unplug] my DSL Router, my FPR1010 and turn back on...everything is fine.

This is driving me crazy.


TheGoob
VIP

I can not get this to work, I am up all night could not get this. NO LAN can ping 8.8.8.8 or websites. NO connectivity.

Below is INCOMPLETE but essentially, I want 5.0_Network [192.168.5.0/24] to have Internet Access to 5.0_WAN [207.108.121.182 (which PPPoE grabs as main ip) and it uses Primary 192.168.3.5 as DNS and Secondary 8.8.8.8 DNS (when 192.168.3.5 is down)].

I have a NAT rule associating 5.0_Network with 5.0_WAN

I have ACL allowing INSIDE (which vlan 7, 192.168.5.0/24 is) to outside.

I have default route 0.0.0.0/24 outside 207.108.121.182

I don't get it.

> show running-config
: Saved
:
: Serial Number: JAD2537040H
: Hardware: FPR-1010, 2586 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.4.1.1
!
hostname firepower
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Vlan1
nameif inside
security-level 0
ip address 192.168.95.1 255.255.255.0
!
interface Vlan2
nameif vlan2
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Vlan3
nameif vlan3
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Vlan4
nameif vlan4
security-level 0
ip address 192.168.3.1 255.255.255.0
!
interface Vlan5
nameif vlan5
security-level 0
ip address 192.168.4.1 255.255.255.0
!
interface Vlan6
nameif vlan6
security-level 0
ip address 192.168.6.1 255.255.255.0
!
interface Vlan7
nameif vlan7
security-level 0
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
pppoe client vpdn group PPPoE
ip address pppoe setroute
!
interface Ethernet1/2
switchport
switchport access vlan 2
no security-level
!
interface Ethernet1/3
switchport
switchport access vlan 3
no security-level
!
interface Ethernet1/4
switchport
switchport access vlan 4
no security-level
!
interface Ethernet1/5
switchport
switchport access vlan 5
no security-level
!
interface Ethernet1/6
switchport
switchport access vlan 6
no security-level
!
interface Ethernet1/7
switchport
switchport access vlan 7
power inline auto
no security-level
!
interface Ethernet1/8
switchport
switchport access vlan 7
power inline auto
no security-level
!
interface Management1/1
management-only
nameif management
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
name-server 2620:119:35::35
dns server-group TheGoog
name-server 8.8.8.8
name-server 8.8.4.4
no object-group-search access-control
object network any-ipv6
subnet ::/0
object network IPv4-Private-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
subnet 192.168.0.0 255.255.0.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network Outside
host 207.108.121.182
object network fbeye_Network
subnet 192.168.1.0 255.255.255.0
object network fbeye_WAN
host 207.108.121.180
object network fhc_Network
subnet 192.168.2.0 255.255.255.0
object network fhc_WAN
host 207.108.121.181
object network 5.0_Network
subnet 192.168.5.0 255.255.255.0
object network 5.0_WAN
host 207.108.121.182
object-group network IPv4-Private-All-RFC1918
network-object object IPv4-Private-10.0.0.0-8
network-object object IPv4-Private-172.16.0.0-12
network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435464
service-object ip
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan2 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan3 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan4 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan5 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan6 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc vlan7 any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Inside_Inside
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc inside any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan2 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan3 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan4 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan5 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan6 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc inside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan2 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan3 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan4 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan5 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan6 any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435464 ifc vlan7 any ifc vlan7 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu vlan2 1500
mtu vlan3 1500
mtu vlan4 1500
mtu vlan5 1500
mtu vlan6 1500
mtu vlan7 1500
mtu outside 1500
mtu management 1500
no failover
failover replication http
no monitor-interface vlan2
no monitor-interface vlan3
no monitor-interface vlan4
no monitor-interface vlan5
no monitor-interface vlan6
no monitor-interface vlan7
no monitor-interface outside
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
management-interface convergence
nat (vlan2,outside) source dynamic fbeye_Network fbeye_WAN
nat (vlan3,outside) source dynamic fhc_Network fhc_WAN
nat (vlan7,outside) source dynamic 5.0_Network 5.0_WAN
route outside 0.0.0.0 0.0.0.0 207.108.121.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 vlan7
ip-client inside
ip-client inside ipv6
ip-client management
ip-client management ipv6
ip-client vlan4
ip-client vlan4 ipv6
ip-client vlan3
ip-client vlan3 ipv6
ip-client vlan5
ip-client vlan5 ipv6
ip-client vlan6
ip-client vlan6 ipv6
ip-client vlan7
ip-client vlan7 ipv6
ip-client vlan2
ip-client vlan2 ipv6
ip-client outside
ip-client outside ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca permit-weak-crypto
crypto ca trustpool policy
telnet timeout 10
console timeout 0
vpdn group PPPoE request dialout pppoe
vpdn group PPPoE localname [NAME].net
vpdn group PPPoE ppp authentication chap
vpdn username [NAME] password *****
dhcpd dns 192.168.3.5 1.1.1.1
!
dhcpd address 192.168.95.5-192.168.95.254 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 vlan2
dhcpd enable vlan2
!
dhcpd address 192.168.2.2-192.168.2.254 vlan3
dhcpd enable vlan3
!
dhcpd address 192.168.3.6-192.168.3.254 vlan4
dhcpd enable vlan4
!
dhcpd address 192.168.4.2-192.168.4.254 vlan5
dhcpd enable vlan5
!
dhcpd address 192.168.6.2-192.168.6.254 vlan6
dhcpd enable vlan6
!
dhcpd address 192.168.5.2-192.168.5.254 vlan7
dhcpd enable vlan7
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
split-tunnel-all-dns enable
webvpn
anyconnect ssl dtls none
dynamic-access-policy-record DfltAccessPolicy
username vpnaccess password ***** pbkdf2
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
snort multichannel-lb enable
no dp-tcp-proxy
Cryptochecksum:8fd14c1937f51b36512d3fbffe3d63a7
: end
>
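
An offline cross-check of the NAT rules and default route in the configuration posted above, added here as an illustration; it is not part of the original post and not a Cisco tool. The `audit` function and its check names are hypothetical, the sample is a trimmed excerpt of that configuration, and the output lists what the configuration contains rather than a diagnosis.

```python
import re

# Constructed excerpt: lines taken from the running-config in the post above, trimmed.
SAMPLE_CONFIG = """\
interface Vlan4
 nameif vlan4
 ip address 192.168.3.1 255.255.255.0
interface Vlan7
 nameif vlan7
 ip address 192.168.5.1 255.255.255.0
interface Ethernet1/1
 nameif outside
 ip address pppoe setroute
object network 5.0_WAN
 host 207.108.121.182
nat (vlan7,outside) source dynamic 5.0_Network 5.0_WAN
route outside 0.0.0.0 0.0.0.0 207.108.121.182 1
"""

def audit(config, egress="outside"):
    """Hypothetical helper: cross-check interfaces, NAT and default route."""
    lan, hosts, nat_from, mapped, hops = [], {}, set(), set(), []
    name, obj, setroute = None, None, False
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None                       # start of a new interface stanza
        elif m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"ip address (\S+)(.*)", line):
            if m.group(1) == "pppoe":         # PPPoE can supply its own default route
                setroute |= name == egress and "setroute" in m.group(2)
            elif name:
                lan.append(name)              # statically addressed, named interface
        elif m := re.match(r"object network (\S+)", line):
            obj = m.group(1)
        elif (m := re.match(r"host (\S+)", line)) and obj:
            hosts[obj] = m.group(1)
        elif m := re.match(rf"nat \((\S+),{egress}\) source dynamic \S+ (\S+)", line):
            nat_from.add(m.group(1))
            mapped.add(m.group(2))
        elif m := re.match(rf"route {egress} 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            hops.append(m.group(1))
    # Interfaces with no dynamic NAT toward the egress leave with private sources.
    out = [("no-nat-to-egress", i) for i in lan if i not in nat_from]
    for hop in hops:
        out += [("default-route-next-hop-is-nat-address", f"{hop} ({o})")
                for o in sorted(mapped) if hosts.get(o) == hop]
        if setroute:
            out.append(("static-default-route-alongside-pppoe-setroute", hop))
    return out

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
```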


Just out of curiosity - why did you use a Layer 2 and Vlans configuration on interfaces Ethernet 2 - 8? Why not use a Layer 3 configuration? I'm not saying there is something wrong with the configuration. I'm just looking for some differences between your config and mine that would explain the issues you are having. I have been using a similar box, a 1120, for years with similar set of services (Internet access, IP TV streaming, but not gaming) with the same OS version (7.6.0-113) and NEVER experienced something even close to what you are describing.

Regards, LG

Good Morning.

Well the reason L2 is because the FTD has 7 vlans, 7 DHCP Servers [7/8 are both vlan7]. My intention was that whatever plugs into 2-8 will obtain an IP automatically. Would that not need to be L2 in order for devices to obtain via DHCP?

My vlans have static ips I guess I just assumed it was using that as their L3 / routing.

In the past I had the 7 vlans but did a TRUNK to a SG350XG which utilized it [whichever interface I used] as L3 but I just assumed this was the right way.

If there is a better way, believe me, I will do it.