Проблема:

Видео (даже 144p !!!) на ютуб кэшируется, проигрывается кэш, замирает, на минуту, пять, десять, час, два, потом может чуть-чуть еще закэшировать, может окончательно подвиснуть. При этом страницы грузятся мгновенно, speedtest показывает 5-10 Мбит/с, файлы качаются нормально, торренты нормально, все нормально кроме потокового видео.

Версия IOS - advsecurityk9-mz.151-4.M

Конфиг:

Current configuration : 12157 bytes
!
! Last configuration change at 13:24:27 GMT Fri Apr 4 2014 by admin
! NVRAM config last updated at 13:55:33 GMT Fri Apr 4 2014 by admin
! NVRAM config last updated at 13:55:33 GMT Fri Apr 4 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname border-M-G
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 262144
enable secret 5 $1$S
!
aaa new-model
!
!
aaa authentication password-prompt "password: "
aaa authentication username-prompt "login as: "
aaa authentication login default local
aaa authentication login ANYCONNECT-LOGIN group radius local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone GMT 6 0
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name cisco.com
ip name-server 10.24.24.22
ip name-server 192.168.1.19
login block-for 60 attempts 3 within 60
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TRUSTPOINT
 enrollment selfsigned
 serial-number
 subject-name CN=TEST-CERTIFICATE
 revocation-check crl
 rsakeypair RSA
!
!
crypto pki certificate chain TRUSTPOINT
 certificate self-signed 01
  6B8C300D 06092A86 4886F70D 01010505 00038181 003CC21F 5F46584C 8CE15C44
  267F3D3F 7C446739 04BBB953 E4B3A167 83D7B6DB 4087FB30 7BB4ED59 FA85CAA7
  D1FED8ED 98A8054E 51BA13D8 E6CDF4DE 0257B51E 7EE80FD4 E1FCB047 E49C9041
  4AEC83AC 55F9BC05 67EB14BB DC26BFCC 7E3CFC3B 3D9FB362 52331C67 EAE79DB6
  C6C234D6 B557005E 19FC0A98 058FD234 59F038F4 AC
        quit
!
!
license udi pid CISCO1841 sn FCZ000000
archive
 log config
  logging enable
  hidekeys
 path ftp://test/border/run-config
 write-memory
username admin privilege 15 secret 5 $1$E4Rt$
redundancy
!
!
ip ftp username 155\ftp
ip ftp password 123
ip ssh logging events
ip ssh version 2
!
track 1 ip sla 1
 delay down 30
!
track 2 ip sla 2
 delay down 30
!
class-map match-any bittorrent
 match protocol bittorrent
 match protocol directconnect
 match protocol edonkey
 match protocol kazaa2
 match protocol gnutella
class-map match-any Real-Time-Out
 match ip precedence 5
class-map match-any Voice
 match access-group name Avaya
!
!
policy-map TOS_MARKER
 class Voice
  set ip precedence 5
policy-map bittorrent
 class bittorrent
  drop
policy-map outbound
 class Real-Time-Out
  priority 768
 class class-default
  fair-queue
policy-map parent
 class class-default
  shape average 8096000
  service-policy outbound
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 555555 address 10.214.224.1
crypto isakmp keepalive 20 5 periodic
!
!
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
!
crypto map cryptomap 10 ipsec-isakmp
 set peer 10.24.24.1
 set transform-set 3des
 match address 101
!
!
!
!
!
interface Loopback100
 description ===ManagmentInterface===
 ip address 10.24.25.1 255.255.255.255
!
interface Tunnel798
 description ===vpn===
 ip address 10.24.24.18 255.255.255.252
 ip mtu 1476
 ip tcp adjust-mss 1436
 ip ospf cost 50
 qos pre-classify
 keepalive 10 15
 tunnel source FastEthernet0/0.798
 tunnel destination 10.214.224.1
!
interface Tunnel799
 description ===vpn-over-VT===
 ip address 10.24.24.22 255.255.255.252
 ip mtu 1468
 ip tcp adjust-mss 1428
 ip ospf cost 100
 ip ospf mtu-ignore
 keepalive 10 15
 tunnel source Dialer1
 tunnel destination 13.35.11.14
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.103
 description ===link-to-pix===
 encapsulation dot1Q 103
 ip address 10.24.24.9 255.255.255.252
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map RMAPtest
 service-policy input TOS_MARKER
!
interface FastEthernet0/0.115
 description ===direct access to the Internet===
 encapsulation dot1Q 115
 ip address 8.6.7.1 255.255.255.240
 ip access-group BARS in
!
interface FastEthernet0/0.117
 description ===to-bars-HV===
 encapsulation dot1Q 117
 ip address 10.214.209.254 255.255.255.0
!
interface FastEthernet0/0.312
 description ==infosvyaz-voip==
 encapsulation dot1Q 312
 ip address 7.9.3.2 255.255.254.0
!
interface FastEthernet0/0.798
 description ===infosvyaz-vpn===
 encapsulation dot1Q 798
 ip address 10.24.24.2 255.255.255.252
 service-policy output parent
!
interface FastEthernet0/0.800
 description ===beeline-sip===
 encapsulation dot1Q 800
 ip address 10.25.0.74 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 shutdown
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 description ===TELESOT===
 ip address negotiated
 ip access-group inDialer1 in
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip route-cache policy
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 keepalive 10 3
 ppp authentication chap pap callin
 ppp chap hostname 0000
 ppp chap password 0 00000
 ppp pap sent-username 0000 password 0 00000
 no cdp enable
!
router ospf 1
 redistribute static subnets route-map Redistribute-OSPF-Static
 network 10.24.24.16 0.0.0.3 area 0
 network 10.24.24.20 0.0.0.3 area 0
!
ip local pool ANYCONNECT-POOL 10.24.7.1 10.24.7.254
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip flow-export source Loopback100
ip flow-export version 5
ip flow-export destination 10.24.27.3 22562
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 100
!
ip nat translation icmp-timeout 10
ip nat inside source static tcp 10.214.207.250 3389 interface Dialer1 3389
ip nat inside source static tcp 10.214.200.3 80 interface Dialer1 8888
ip nat inside source static tcp 10.214.204.5 21 interface Dialer1 21
ip nat inside source static udp 10.214.200.29 46696 interface Dialer1 46696
ip nat inside source static tcp 10.214.200.29 46696 interface Dialer1 46696
ip nat inside source static udp 10.214.204.4 2000 interface Dialer1 2000
ip nat inside source static tcp 10.214.204.7 1542 interface Dialer1 1542
ip nat inside source static udp 10.214.204.7 1542 interface Dialer1 1542
ip nat inside source static udp 10.214.224.10 500 interface Dialer1 500
ip nat inside source static udp 10.214.224.10 4500 interface Dialer1 4500
ip nat inside source static udp 10.214.224.10 10000 interface Dialer1 10000
ip nat inside source static udp 10.214.206.2 3478 interface Dialer1 3478
ip nat inside source static tcp 10.215.204.6 80 interface Dialer1 80
ip nat inside source static udp 10.214.200.106 69 interface Dialer1 69
ip nat inside source route-map RMAP-NAT-TELESOT interface Dialer1 overload
ip nat inside source static udp 10.214.206.2 5060 23.23.7.28 5060 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 50 track 2
ip route 0.0.0.0 0.0.0.0 10.214.224.17 100
ip route 8.8.8.8 255.255.255.255 Dialer1
ip route 10.25.255.10 255.255.255.255 10.25.0.65
ip route 8.37.6.3 255.255.255.255 Dialer1
!
ip access-list standard Redistribute-OSPF-Static
 permit 10.24.0.0 0.0.255.255
 permit 10.25.0.0 0.0.255.255
!
ip access-list extended Avaya
 permit ip 10.24.20.0 0.0.0.255 host 192.168.1.49
ip access-list extended BARS
 deny   ip host 18.18.16.2 10.0.0.0 0.0.0.255
 deny   ip host 18.18.16.2 192.168.0.0 0.0.255.255
 permit ip any any
ip access-list extended DF-BIT
 permit ip any any
ip access-list extended NAT-BEELINE-SIP
 permit ip any host 10.25.255.10
ip access-list extended NAT-ISP
 permit ip host 10.24.20.5 any
 permit ip any host 3.20.5.4
 permit tcp host 10.24.98.10 any eq 5938
 permit tcp host 10.24.20.17 any eq 5938
 permit tcp any any eq 5938
 permit ip 10.24.0.0 0.0.255.255 any
 permit ip 10.25.0.0 0.0.255.255 any
 deny   ip host 10.24.20.17 any
ip access-list extended OVER-H
 permit ip host 10.24.20.31 any
ip access-list extended inDialer1
 deny   udp any any eq snmp
 permit tcp any host 18.18.16.2 eq 6912
 permit tcp any host 18.18.16.2 eq www
 permit tcp any host 18.18.16.2 eq 1521
 permit tcp any host 18.18.16.2 eq 1522
 permit tcp any host 18.18.16.2 eq 1523
 permit tcp any host 18.18.16.2 eq 1524
 permit tcp any host 18.18.16.2 eq 1525
 deny   ip any host 18.18.16.2
 deny   tcp any any eq ftp-data
 deny   tcp any any eq ftp
 permit ip any any
ip access-list extended remote-access
 deny ip any any
!
ip radius source-interface Loopback100
ip sla 1
 dns ya.ru name-server 8.8.8.8 source-ip 8.27.7.18
ip sla schedule 1 life forever start-time now
ip sla 2
 dns ya.ru name-server 8.8.8.8 source-ip 8.27.7.18
 frequency 10
ip sla schedule 2 life forever start-time now
access-list 101 permit gre host 10.214.224.2 host 10.214.224.1
!
!
!
route-map RMAP-NAT-TELESOT permit 10
 match ip address NAT-ISP
 match interface Dialer1
!
route-map Redistribute-OSPF-Static permit 10
 match ip address Redistribute-OSPF-Static
!
route-map RMAPtest permit 5
 match ip address DF-BIT
 set ip df 0
!
route-map RMAPtest permit 10
 match ip address OVER-H
 set ip next-hop 10.14.24.7
!
route-map RMAP-NAT-BEELINE-SIP permit 10
 match ip address NAT-BEELINE-SIP
 match interface FastEthernet0/0.800
!
snmp-server community 0 RO
snmp-server community 0 RO
snmp-server location 0
snmp-server contact 0
snmp-server host 192.168.188.5 version 2c public
!
!
radius-server host 10.10.10.10
radius-server key 0
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 access-class remote-access in
 transport input all
line vty 5 15
 access-class remote-access in
 transport input all
!
scheduler allocate 20000 1000
ntp master
ntp server 10.10.10.10
!
webvpn gateway ANYCONNECT-GATEWAY
 ip address 1.1.1.1 port 443
 ssl encryption aes-sha1
 ssl trustpoint TRUSTPOINT
 inservice
 !
webvpn install svc flash:/webvpn/anyconnect-win-3.1.05152-k9.pkg sequence 2
 !
webvpn context ANYCONNECT-CONTEXT
 ssl authenticate verify all
 !
 url-list "ANYCONNECT-URL-LIST"
 !
 acl "SSL-ACL"
   permit ip 10.20.1.0 255.255.255.0 10.20.1.0 255.255.255.0
 !
 !
 policy group ANYCONNECT-POLICY
   functions svc-enabled
   filter tunnel SSL-ACL
   svc address-pool "ANYCONNECT-POOL" netmask 255.255.255.0
   svc rekey method new-tunnel
   svc split include 10.10.0.0 255.255.0.0
   svc split include 192.168.0.0 255.255.0.0
   svc dns-server primary 8.8.8.8
   svc dns-server secondary 8.8.4.4
 default-group-policy ANYCONNECT-POLICY
 aaa authentication list ANYCONNECT-LOGIN
 gateway ANYCONNECT-GATEWAY
 max-users 50
 inservice
!
end