12-26-2011 01:22 PM - edited 03-04-2019 02:44 PM
I have a Cisco 1811W router that I inherited from another person setting up.
We recently upgraded from a 7M/768k connection to 30M/5M connection.
Since then whenever I start to download a file, it will spike up to 2M or so downloading then slowly decline to sometimes 60k and then just stop and never finish downloading the file.
I'm using SDM to configure since I don't know much CLI. Is there anything that could be causing this on the router?
I have checked the QOS policies and even deleted everything out of the policy and still the same thing.
Attached is a video of a download and what it does to the download after it starts.
I tried connecting my laptop directly to the cable modem and could download at a solid 4MB/Sec through the entire download.
I went into the Interface for the Internet and turned off the Inspection Rule Outbound rule to none and cleared the inbound access rule and everything started to work somewhat better, but I could still only get about 1-2MB/sec download instead of 4MB.
Any help would be greatly appreciated
12-26-2011 01:30 PM
Hi Patrick,
Can you please provide us with the following information?
Usually this phenomenon is observed if using a particular implementation of firewall - either IP Inspect or Zone-Based Firewall. Sometimes, an upgrade of the IOS will help, however, usually, the first aid is to simply deactivate these features and replace them with more primitive and limited ACLs.
Best regards,
Peter
12-27-2011 09:31 PM
Below is the config file.
Any help would be greatly appreciated.
The current IOS is 12.4(6)T7
!This is the running config of the router: 192.168.39.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname BCIPain&Spine
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 XXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 64.89.74.2
ip name-server 64.89.70.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM ftp
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3920102629
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3920102629
revocation-check none
rsakeypair TP-self-signed-3920102629
!
!
crypto pki certificate chain TP-self-signed-3920102629
certificate self-signed 01
XXXXX
B5F609A9 60F3ABA9 9CD7C00C B919CEB9 EA66BEAA 1BFA9CE8
quit
username admin privilege 15 secret 5 XXXXX
username remote secret 5 XXXXX
username oncall secret 5 XXXXX
username rwadley secret 5 XXXXX
username cbrake secret 5 XXXXX
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 5
!
crypto isakmp policy 3
authentication pre-share
group 5
!
crypto isakmp policy 4
encr aes 256
authentication pre-share
group 2
crypto isakmp key PainSpineISA address 97.67.146.74 no-xauth
!
crypto isakmp client configuration group remoteg
key BCPSremoteg
dns 192.168.39.2
pool SDM_POOL_3
acl 106
max-users 10
netmask 255.255.255.0
!
crypto isakmp client configuration group EasyVPN
key XXXXX
dns 192.168.39.2
domain bcipainandspine.local
pool SDM_POOL_4
acl 107
include-local-lan
split-dns bcipainandspine.local
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group remoteg
isakmp authorization list sdm_vpn_group_ml_3
client configuration address respond
virtual-template 3
crypto isakmp profile sdm-ike-profile-2
match identity group EasyVPN
client authentication list sdm_vpn_xauth_ml_3
isakmp authorization list sdm_vpn_group_ml_5
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set 256-Encryption esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
crypto ipsec profile SDM_Profile2
set security-association idle-time 3600
set transform-set 256-Encryption
set isakmp-profile sdm-ike-profile-2
!
!
crypto map RMPS 1 ipsec-isakmp
set peer 97.67.146.74
set transform-set ESP-DES-MD5
match address 102
!
bridge irb
!
!
!
interface Tunnel0
ip address 172.16.40.1 255.255.255.0
ip mtu 1420
shutdown
tunnel source FastEthernet0
tunnel destination 97.67.146.74
tunnel path-mtu-discovery
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 70.62.101.26 255.255.255.252
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map RMPS
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid Pain&Spine
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXX
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2412
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
encryption mode ciphers tkip
!
ssid bcips
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 XXXXX
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Virtual-Template3 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.39.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.40.160 192.168.40.169
ip local pool SDM_POOL_2 192.168.40.100 192.168.40.150
ip local pool SDM_POOL_3 192.168.41.100 192.168.41.110
ip local pool SDM_POOL_4 192.168.38.50 192.168.38.75
ip route 0.0.0.0 0.0.0.0 70.62.101.25 permanent
ip route 192.168.40.0 255.255.255.0 192.168.39.254 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
ip access-list extended SDM_2
ip access-list extended sdm_virtual-template1_in
remark SDM_ACL Category=1
remark Auto generated by SDM for NTP (123) 217.160.254.116
permit udp host 217.160.254.116 eq ntp any eq ntp
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.39.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 100 permit udp any host 192.168.39.1 eq non500-isakmp
access-list 100 permit udp any host 192.168.39.1 eq isakmp
access-list 100 permit esp any host 192.168.39.1
access-list 100 permit ahp any host 192.168.39.1
access-list 100 permit udp host 97.67.146.74 host 192.168.39.1 eq non500-isakmp
access-list 100 permit udp host 97.67.146.74 host 192.168.39.1 eq isakmp
access-list 100 permit esp host 97.67.146.74 host 192.168.39.1
access-list 100 permit ahp host 97.67.146.74 host 192.168.39.1
access-list 100 deny ip 74.223.46.120 0.0.0.4 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp host 97.67.146.74 host 70.62.101.26
access-list 101 permit esp host 97.67.146.74 host 70.62.101.26
access-list 101 permit udp host 97.67.146.74 host 70.62.101.26 eq isakmp
access-list 101 permit udp host 97.67.146.74 host 70.62.101.26 eq non500-isakmp
access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 101 remark Gillian Access
access-list 101 permit tcp host 24.163.121.143 host 70.62.101.26 eq 3389
access-list 101 remark BSCI Access to Server001
access-list 101 permit tcp 96.10.12.104 0.0.0.7 host 70.62.101.26 eq 5901
access-list 101 remark BSCI access to Server002
access-list 101 permit tcp 96.10.12.104 0.0.0.7 host 70.62.101.26 eq 5900
access-list 101 remark Outside FTP for CSS and E-clinical
access-list 101 permit tcp any host 70.62.101.26 eq ftp
access-list 101 remark CSS Support
access-list 101 permit tcp 146.145.242.0 0.0.0.255 host 70.62.101.26 eq telnet
access-list 101 remark CSS Support
access-list 101 permit tcp 146.145.242.0 0.0.0.255 host 70.62.101.26 eq ftp-data
access-list 101 remark Auto generated by SDM for NTP (123) 217.160.254.116
access-list 101 permit udp host 217.160.254.116 eq ntp host 70.62.101.26 eq ntp
access-list 101 remark DNS
access-list 101 permit udp any eq domain host 70.62.101.26 eq domain
access-list 101 remark Time
access-list 101 permit tcp any eq 123 host 70.62.101.26
access-list 101 deny ip 192.168.39.0 0.0.0.255 any
access-list 101 permit icmp any host 70.62.101.26 echo-reply
access-list 101 permit udp any host 70.62.101.26 eq non500-isakmp
access-list 101 permit udp any host 70.62.101.26 eq isakmp
access-list 101 permit esp any host 70.62.101.26
access-list 101 permit ahp any host 70.62.101.26
access-list 101 remark vnc5901
access-list 101 permit tcp any host 70.62.101.26 eq 5901 log
access-list 101 remark tightvnc
access-list 101 permit tcp any host 70.62.101.26 eq 5900 log
access-list 101 permit icmp any host 74.223.46.122 echo
access-list 101 permit icmp any host 74.223.46.122 time-exceeded
access-list 101 permit icmp any host 74.223.46.122 unreachable
access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 70.62.101.26 eq 443
access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 74.223.46.122 eq 22
access-list 101 permit tcp 66.83.190.160 0.0.0.7 host 70.62.101.26 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark IPSEC to RMPS
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 192.168.39.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.40.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 192.168.39.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 104 permit ip 192.168.39.0 0.0.0.255 any
access-list 104 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.39.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.39.0 0.0.0.255 any
access-list 106 permit ip 192.168.40.0 0.0.0.255 any
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 192.168.39.0 0.0.0.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180206
ntp update-calendar
ntp server 217.160.254.116 source FastEthernet0
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
12-28-2011 01:12 AM
Hi Patrick,
You are indeed using the IP Inspect feature. The IOS version you are using has no support for processing out-of-order TCP segments and instead, drops them, which has been one of the major problems with the IP Inspect feature.
The IOS 12.4(11)T and newer implements an enhancement to the IP Inspect to correctly deal with out-of-order TCP segments. Do you have an option of upgrading your IOS? If you have 128MB of DRAM, the IOS version 12.4(15)T16 will be appropriate for you. If you have 256MB of DRAM then you may upgrade to 12.4(24)T5 (this will require 64MB of FLASH).
If you have no option of upgrading your IOS, we will probably need to remove the IP Inspect configuration altogether from your configuration and rework it, as far as possible, using static ACLs which will be a non-trivial task.
Best regards,
Peter
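As an added example (not code from this thread, from Cisco, or from SDM), here is a small audit script that applies Peter's diagnosis to a config paste: it parses the "show version" string, compares it against the 12.4(11)T threshold he gives, finds every interface that applies an "ip inspect" rule set, and reports whether the combination matches the symptom described above. The sample config embedded in it is constructed and only modelled on the posted one (public addresses replaced with documentation space); the version-comparison logic assumes releases within the same train (the letter after the parenthesis) are directly comparable and refuses to compare across trains.

```python
"""Audit an IOS running-config paste for the IP Inspect / out-of-order TCP
issue discussed in the thread.  Added example, not the thread's or Cisco's
code; the 12.4(11)T threshold is taken from Peter's reply."""
import re

# Per the thread: 12.4(11)T and newer reassemble out-of-order TCP segments
# in IP Inspect; earlier releases drop them.  (Assumption: same-train compare.)
OOO_FIX_VERSION = "12.4(11)T"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)$")
INSPECT_RULE_RE = re.compile(r"^ip inspect name (\S+) (\S+)")
INSPECT_APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")
INTERFACE_RE = re.compile(r"^interface (\S+)")


def parse_ios_version(text):
    """'12.4(6)T7' -> (12, 4, 6, 'T', 7); raises ValueError on other shapes."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised IOS version string: %r" % text)
    major, minor, rebuild, train, sub = m.groups()
    return (int(major), int(minor), int(rebuild), train, int(sub) if sub else 0)


def predates_ooo_fix(version_text):
    """True if older than OOO_FIX_VERSION in the same train, False if at or
    beyond it, None if the trains differ (not comparable by this script)."""
    v = parse_ios_version(version_text)
    fix = parse_ios_version(OOO_FIX_VERSION)
    if v[3] != fix[3]:
        return None
    return (v[0], v[1], v[2], v[4]) < (fix[0], fix[1], fix[2], fix[4])


def parse_inspect_config(config_text):
    """Collect 'ip inspect name' rule sets and the interfaces they are applied
    to.  Tolerates pastes whose sub-command indentation was lost: an interface
    block is taken to end at the next '!' separator line."""
    rules = {}      # rule-set name -> list of inspected protocols
    applied = []    # (interface, rule-set name, direction)
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!"):
            current_if = None
            continue
        m = INTERFACE_RE.match(line)
        if m:
            current_if = m.group(1)
            continue
        m = INSPECT_RULE_RE.match(line)
        if m:
            rules.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = INSPECT_APPLY_RE.match(line)
        if m and current_if:
            applied.append((current_if, m.group(1), m.group(2)))
    return rules, applied


def audit(config_text, show_version_text):
    """Combine the config paste with the 'show version' release string."""
    rules, applied = parse_inspect_config(config_text)
    old = predates_ooo_fix(show_version_text)
    entries = [{"interface": i, "rule": n, "direction": d,
                "protocols": rules.get(n, [])} for i, n, d in applied]
    return {
        "ios_version": show_version_text,
        "predates_ooo_fix": old,
        "inspect_applied": entries,
        # Symptom from the thread: old release AND generic tcp inspection applied
        "matches_thread_symptom": bool(old) and any("tcp" in e["protocols"] for e in entries),
    }


def recommendation(report):
    """Turn the report into the advice given in the thread."""
    if not report["inspect_applied"]:
        return "no ip inspect applied; look elsewhere"
    if report["predates_ooo_fix"] is None:
        return "release train differs from %s; compare manually" % OOO_FIX_VERSION
    if report["matches_thread_symptom"]:
        ifaces = ", ".join(sorted({e["interface"] for e in report["inspect_applied"]}))
        return ("upgrade to %s or newer, or remove 'ip inspect' from %s and "
                "rely on static ACLs" % (OOO_FIX_VERSION, ifaces))
    return "ip inspect present but this release already reorders TCP segments"


# Constructed sample modelled on the posted config, indentation removed as in the paste.
SAMPLE_CONFIG = """\
version 12.4
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM ftp
!
interface FastEthernet0
ip address 192.0.2.2 255.255.255.252
ip access-group 101 in
ip inspect SDM_MEDIUM out
!
interface BVI1
ip address 192.168.39.1 255.255.255.0
ip access-group 100 in
!
"""

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, "12.4(6)T7")
    print(report)
    print(recommendation(report))
```

Run it against a real paste by reading the config file into `audit()` together with the release string from "show version"; the config's own "version 12.4" line is deliberately not used, since it carries no rebuild or train information.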
12-28-2011 06:30 AM
Unfortunately we don't have an active contract on the device, so I can't upgrade the IOS.
So, if I turn off the Inspect option for the FE0 interface, should that help or relieve the problem?
I thought I did that but got a little better bandwidth result, but not nearly the result as if I bypass the router altogether.