Cisco 1811W Bandwidth Problem

newcombcomputers · ‎12-26-2011

I have a Cisco 1811W router that I inherited from another person setting up.

We recently upgraded from a 7M/768k connection to 30M/5M connection.

Since then whenever I start to download a file, it will spike up to 2M or so downloading then slowly decline to sometimes 60k and then just stop and never finish downloading the file.

I'm using SDM to configure since I don't know much CLI. Is there anything that could be causing this on the router?

I have checked the QOS policies and even deleted everything out of the policy and still the same thing.

Attached is a video of a download and what it does to the download after it starts.

I tried connecting my laptop directly to the cable modem and could download at a solid 4MB/Sec through the entire download.

I went into the Interface for the Internet and turned off the Inspection Rule Outbound rule to none and cleared the inbound access rule and everything started to work somewhat better, but I could still only get about 1-2MB/sec download instead of 4MB.

Any help would be greatly appreciated

Peter Paluch · ‎12-26-2011

Hi Patrick,

Can you please provide us with the following information?

IOS version
Complete dump of the configuration in text form - if there are any passwords please replaced them with XXXs or similar so that no sensitive information leaks out

Usually this phenomenon is observed if using a particular implementation of firewall - either IP Inspect or Zone-Based Firewall. Sometimes, an upgrade of the IOS will help, however, usually, the first aid is to simply deactivate these features and replace them with more primitive and limited ACLs.

Best regards,

Peter

newcombcomputers · ‎12-27-2011

Below is the config file.

Any Help would be greatly appreciated.

The current IOS is 12.4(6)T7

!This is the running config of the router: 192.168.39.1

!----------------------------------------------------------------------------

!version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname BCIPain&Spine

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200 debugging

logging console critical

enable secret 5 XXXXX

!

aaa new-model

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authentication login sdm_vpn_xauth_ml_3 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

aaa authorization network sdm_vpn_group_ml_3 local

aaa authorization network sdm_vpn_group_ml_4 local

aaa authorization network sdm_vpn_group_ml_5 local

!

aaa session-id common

!

resource policy

!

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

no ip source-route

!

ip cef

!

ip tcp synwait-time 10

no ip bootp server

ip domain name yourdomain.com

ip name-server 64.89.74.2

ip name-server 64.89.70.2

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect log drop-pkt

ip inspect name SDM_MEDIUM appfw SDM_MEDIUM

ip inspect name SDM_MEDIUM cuseeme

ip inspect name SDM_MEDIUM dns

ip inspect name SDM_MEDIUM h323

ip inspect name SDM_MEDIUM https

ip inspect name SDM_MEDIUM icmp

ip inspect name SDM_MEDIUM imap reset

ip inspect name SDM_MEDIUM pop3 reset

ip inspect name SDM_MEDIUM netshow

ip inspect name SDM_MEDIUM rcmd

ip inspect name SDM_MEDIUM realaudio

ip inspect name SDM_MEDIUM rtsp

ip inspect name SDM_MEDIUM esmtp

ip inspect name SDM_MEDIUM sqlnet

ip inspect name SDM_MEDIUM streamworks

ip inspect name SDM_MEDIUM tftp

ip inspect name SDM_MEDIUM tcp

ip inspect name SDM_MEDIUM udp

ip inspect name SDM_MEDIUM vdolive

ip inspect name SDM_MEDIUM ftp

!

appfw policy-name SDM_MEDIUM

application im aol

service default action allow alarm

service text-chat action allow alarm

server permit name login.oscar.aol.com

server permit name toc.oscar.aol.com

server permit name oam-d09a.blue.aol.com

audit-trail on

application im msn

service default action allow alarm

service text-chat action allow alarm

server permit name messenger.hotmail.com

server permit name gateway.messenger.hotmail.com

server permit name webmessenger.msn.com

audit-trail on

application http

strict-http action allow alarm

port-misuse im action reset alarm

port-misuse p2p action reset alarm

port-misuse tunneling action allow alarm

application im yahoo

service default action allow alarm

service text-chat action allow alarm

server permit name scs.msg.yahoo.com

server permit name scsa.msg.yahoo.com

server permit name scsb.msg.yahoo.com

server permit name scsc.msg.yahoo.com

server permit name scsd.msg.yahoo.com

server permit name cs16.msg.dcn.yahoo.com

server permit name cs19.msg.dcn.yahoo.com

server permit name cs42.msg.dcn.yahoo.com

server permit name cs53.msg.dcn.yahoo.com

server permit name cs54.msg.dcn.yahoo.com

server permit name ads1.vip.scd.yahoo.com

server permit name radio1.launch.vip.dal.yahoo.com

server permit name in1.msg.vip.re2.yahoo.com

server permit name data1.my.vip.sc5.yahoo.com

server permit name address1.pim.vip.mud.yahoo.com

server permit name edit.messenger.yahoo.com

server permit name messenger.yahoo.com

server permit name http.pager.yahoo.com

server permit name privacy.yahoo.com

server permit name csa.yahoo.com

server permit name csb.yahoo.com

server permit name csc.yahoo.com

audit-trail on

!

crypto pki trustpoint TP-self-signed-3920102629

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3920102629

revocation-check none

rsakeypair TP-self-signed-3920102629

!

crypto pki certificate chain TP-self-signed-3920102629

certificate self-signed 01

XXXXX

B5F609A9 60F3ABA9 9CD7C00C B919CEB9 EA66BEAA 1BFA9CE8

quit

username admin privilege 15 secret 5 XXXXX

username remote secret 5 XXXXX

username oncall secret 5 XXXXX

username rwadley secret 5 XXXXX

username cbrake secret 5 XXXXX

!

policy-map sdmappfwp2p_SDM_MEDIUM

!

crypto isakmp policy 1

hash md5

authentication pre-share

!

crypto isakmp policy 2

encr 3des

authentication pre-share

group 5

!

crypto isakmp policy 3

authentication pre-share

group 5

!

crypto isakmp policy 4

encr aes 256

authentication pre-share

group 2

crypto isakmp key PainSpineISA address 97.67.146.74 no-xauth

!

crypto isakmp client configuration group remoteg

key BCPSremoteg

dns 192.168.39.2

pool SDM_POOL_3

acl 106

max-users 10

netmask 255.255.255.0

!

crypto isakmp client configuration group EasyVPN

key XXXXX

dns 192.168.39.2

domain bcipainandspine.local

pool SDM_POOL_4

acl 107

include-local-lan

split-dns bcipainandspine.local

max-users 10

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

match identity group remoteg

isakmp authorization list sdm_vpn_group_ml_3

client configuration address respond

virtual-template 3

crypto isakmp profile sdm-ike-profile-2

match identity group EasyVPN

client authentication list sdm_vpn_xauth_ml_3

isakmp authorization list sdm_vpn_group_ml_5

client configuration address respond

virtual-template 2

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set 256-Encryption esp-aes 256 esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-SHA1

set isakmp-profile sdm-ike-profile-1

!

crypto ipsec profile SDM_Profile2

set security-association idle-time 3600

set transform-set 256-Encryption

set isakmp-profile sdm-ike-profile-2

!

crypto map RMPS 1 ipsec-isakmp

set peer 97.67.146.74

set transform-set ESP-DES-MD5

match address 102

!

bridge irb

!

interface Tunnel0

ip address 172.16.40.1 255.255.255.0

ip mtu 1420

shutdown

tunnel source FastEthernet0

tunnel destination 97.67.146.74

tunnel path-mtu-discovery

!

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address 70.62.101.26 255.255.255.252

ip access-group 101 in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

crypto map RMPS

service-policy input sdmappfwp2p_SDM_MEDIUM

service-policy output sdmappfwp2p_SDM_MEDIUM

!

interface FastEthernet1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Dot11Radio0

no ip address

!

encryption mode ciphers tkip

!

ssid Pain&Spine

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 XXXXX

!

speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2412

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio1

no ip address

shutdown

!

encryption mode ciphers tkip

!

ssid bcips

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 XXXXX

!

speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Virtual-Template3 type tunnel

ip unnumbered BVI1

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Virtual-Template2 type tunnel

ip unnumbered FastEthernet0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile2

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$

no ip address

ip tcp adjust-mss 1452

bridge-group 1

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

interface BVI1

description $ES_LAN$$FW_INSIDE$

ip address 192.168.39.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1412

!

ip local pool SDM_POOL_1 192.168.40.160 192.168.40.169

ip local pool SDM_POOL_2 192.168.40.100 192.168.40.150

ip local pool SDM_POOL_3 192.168.41.100 192.168.41.110

ip local pool SDM_POOL_4 192.168.38.50 192.168.38.75

ip route 0.0.0.0 0.0.0.0 70.62.101.25 permanent

ip route 192.168.40.0 255.255.255.0 192.168.39.254 permanent

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

!

ip access-list extended SDM_2

ip access-list extended sdm_virtual-template1_in

remark SDM_ACL Category=1

remark Auto generated by SDM for NTP (123) 217.160.254.116

permit udp host 217.160.254.116 eq ntp any eq ntp

permit ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI1

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.39.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 permit ip 192.168.40.0 0.0.0.255 any

access-list 100 permit udp any host 192.168.39.1 eq non500-isakmp

access-list 100 permit udp any host 192.168.39.1 eq isakmp

access-list 100 permit esp any host 192.168.39.1

access-list 100 permit ahp any host 192.168.39.1

access-list 100 permit udp host 97.67.146.74 host 192.168.39.1 eq non500-isakmp

access-list 100 permit udp host 97.67.146.74 host 192.168.39.1 eq isakmp

access-list 100 permit esp host 97.67.146.74 host 192.168.39.1

access-list 100 permit ahp host 97.67.146.74 host 192.168.39.1

access-list 100 deny ip 74.223.46.120 0.0.0.4 any

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ahp host 97.67.146.74 host 70.62.101.26

access-list 101 permit esp host 97.67.146.74 host 70.62.101.26

access-list 101 permit udp host 97.67.146.74 host 70.62.101.26 eq isakmp

access-list 101 permit udp host 97.67.146.74 host 70.62.101.26 eq non500-isakmp

access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.39.0 0.0.0.255

access-list 101 remark Gillian Access

access-list 101 permit tcp host 24.163.121.143 host 70.62.101.26 eq 3389

access-list 101 remark BSCI Access to Server001

access-list 101 permit tcp 96.10.12.104 0.0.0.7 host 70.62.101.26 eq 5901

access-list 101 remark BSCI access to Server002

access-list 101 permit tcp 96.10.12.104 0.0.0.7 host 70.62.101.26 eq 5900

access-list 101 remark Outside FTP for CSS and E-clinical

access-list 101 permit tcp any host 70.62.101.26 eq ftp

access-list 101 remark CSS Support

access-list 101 permit tcp 146.145.242.0 0.0.0.255 host 70.62.101.26 eq telnet

access-list 101 remark CSS Support

access-list 101 permit tcp 146.145.242.0 0.0.0.255 host 70.62.101.26 eq ftp-data

access-list 101 remark Auto generated by SDM for NTP (123) 217.160.254.116

access-list 101 permit udp host 217.160.254.116 eq ntp host 70.62.101.26 eq ntp

access-list 101 remark DNS

access-list 101 permit udp any eq domain host 70.62.101.26 eq domain

access-list 101 remark Time

access-list 101 permit tcp any eq 123 host 70.62.101.26

access-list 101 deny ip 192.168.39.0 0.0.0.255 any

access-list 101 permit icmp any host 70.62.101.26 echo-reply

access-list 101 permit udp any host 70.62.101.26 eq non500-isakmp

access-list 101 permit udp any host 70.62.101.26 eq isakmp

access-list 101 permit esp any host 70.62.101.26

access-list 101 permit ahp any host 70.62.101.26

access-list 101 remark vnc5901

access-list 101 permit tcp any host 70.62.101.26 eq 5901 log

access-list 101 remark tightvnc

access-list 101 permit tcp any host 70.62.101.26 eq 5900 log

access-list 101 permit icmp any host 74.223.46.122 echo

access-list 101 permit icmp any host 74.223.46.122 time-exceeded

access-list 101 permit icmp any host 74.223.46.122 unreachable

access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 70.62.101.26 eq 443

access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 74.223.46.122 eq 22

access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 70.62.101.26 eq cmd

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip host 0.0.0.0 any

access-list 101 deny ip any any log

access-list 102 remark IPSEC to RMPS

access-list 102 remark SDM_ACL Category=4

access-list 102 permit ip 192.168.39.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 103 remark SDM_ACL Category=4

access-list 103 permit ip 192.168.40.0 0.0.0.255 any

access-list 104 remark SDM_ACL Category=2

access-list 104 deny ip 192.168.39.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 104 permit ip 192.168.39.0 0.0.0.255 any

access-list 104 permit ip 192.168.40.0 0.0.0.255 any

access-list 105 remark SDM_ACL Category=4

access-list 105 permit ip 192.168.39.0 0.0.0.255 any

access-list 106 remark SDM_ACL Category=4

access-list 106 permit ip 192.168.39.0 0.0.0.255 any

access-list 106 permit ip 192.168.40.0 0.0.0.255 any

access-list 107 remark SDM_ACL Category=4

access-list 107 permit ip 192.168.39.0 0.0.0.255 any

no cdp run

!

route-map SDM_RMAP_1 permit 1

match ip address 104

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

line vty 5 15

transport input telnet ssh

!

scheduler allocate 4000 1000

scheduler interval 500

ntp clock-period 17180206

ntp update-calendar

ntp server 217.160.254.116 source FastEthernet0

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Peter Paluch · ‎12-28-2011

Hi Patrick,

You are indeed using the IP Inspect feature. The IOS version you are using has no support for processing out-of-order TCP segments and instead, drops them, which has been one of the major problems with the IP Inspect feature.

The IOS 12.4(11)T and newer implements an enhancement to the IP Inspect to correctly deal with out-of-order TCP segments. Do you have an option of upgrading your IOS? If you have 128MB of DRAM, the IOS version 12.4(15)T16 will be appropriate for you. If you have 256MB of DRAM then you may upgrade to 12.4(24)T5 (this will require 64MB of FLASH).

If you have no option of upgrading your IOS, we will probably need to remove the IP Inspect configuration altogether from your configuration and rework it, as far as possible, using static ACLs which will be a non-trivial task.

Best regards,

Peter

newcombcomputers · ‎12-28-2011

Unfortunately we don't have an active contract on the device, so I can't upgrade the IOS.

So, if I turn off the Inspect option for the FE0 interface, should that help or relieve the problem?

I thought I did that but got a little better bandwidth result, but not nearly the result as if I bypass the router altogether.