Solved: Re: Cisco 3945E with NAT, unstable WAN speed

Tak Smith · ‎04-29-2019

Hi everybody!

For the past weeks, I´ve been trying to figure out what´s happening at one customer´s network. It has 2 fiber connection with the same ISP, one connection with pseudo-fix IP and the other with dynamic IP.

The Cisco3945E is behing both ISP´s routers, and is in charge of both Dialers. Speed tests on ISP routers (configured as dialers) are 600Mbps, but through Cisco router is quite unstable. We could see sometimes 600Mbps download, and 150Mbps upload. CPU Load is also a big concern, as we stress the router with minimal config it goes beyond 85% CPU Load during speed tests.

I did try with several ACL types, no luck. Last config, is with permit any any, to try not overload CPU, no luck.

Is there anything wrong or anything you can advice in order to make this connection stable?

Enclosed is show running and show ver

Thanks all for your time!

P.S.: VPN not working, but not my focus at this stage.

Georg Pauwen · ‎04-30-2019

Hello,

I have made some adjustments (marked in bold) to your config, try and implement those and check if it makes a difference:

C3945E-ECYL#show running-config | begin interface
interface Loopback0
ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet0/0
description Link_ISP1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description Link_ISP2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/3
ip address X.X.X.X 255.255.0.0 secondary
ip address X.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport mode access
no ip address
!
interface GigabitEthernet0/0/1
switchport mode access
no ip address
!
interface GigabitEthernet0/0/2
switchport mode access
no ip address
!
interface GigabitEthernet0/0/3
switchport mode access
no ip address
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Vlan1
no ip address
no ip unreachables
ip virtual-reassembly in
ip tcp adjust-mss 1420
hold-queue 100 out
!
interface Dialer1
mtu 1492
ip address negotiated
--> ip mtu 1492
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXX
ppp pap sent-username XXXXXX password 7 XXXXXX
hold-queue 224 in
!
interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXX password 7 XXXXXX
hold-queue 224 in
!
ip local pool vpn-pool X.X.10.230 X.X.10.234
ip local pool SSLVPN_POOL X.X.11.90 X.X.11.95
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp X.X.X.X 8002 interface Dialer1 8002
ip nat inside source static tcp X.X.X.X 81 interface Dialer1 81
ip nat inside source static tcp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 82 interface Dialer1 82
ip nat inside source static udp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static tcp X.X.X.X 10001 interface Dialer1 10001
ip nat inside source static tcp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static tcp X.X.X.X 10004 interface Dialer1 10004
ip nat inside source static tcp X.X.X.X 10005 interface Dialer1 10005
ip nat inside source static udp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static udp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static udp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static tcp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static udp X.X.X.X 65532 interface Dialer1 65532
ip nat inside source static tcp X.X.X.X 65532 interface Dialer1 65532
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> no ip access-list extended nat-rule
permit ip any any
--> no ip access-list extended nat-test
permit ip any any
!
access-list 1 permit X.X.X.X 0.0.255.255
access-list 1 permit X.X.X.X 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 100 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
vstack
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway Cisco-VPN-Gateway
ip interface Dialer2 port 443
no inservice
!
webvpn gateway SSLVPN_GATEWAY
ip address X.X.X.X port XXX
http-redirect port XX
ssl trustpoint SSLVPN_CERT
inservice
!
webvpn context Cisco-VPN
title "WebVPN - Designed by Innercomm"
!
acl "ssl-acl"
permit ip X.X.X.X X.X.X.X X.X.X.X X.X.X.X
login-message "Cisco Secure WebVPN"
!
ssl authenticate verify all
no inservice
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.0.0
svc rekey method new-tunnel
svc split include X.X.X.X 255.255.255.0
!
!
webvpn context Cisco-WebVPN
aaa authentication list sslvpn
gateway Cisco-VPN-Gateway
max-users 3
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group webvpnpolicy
default-group-policy webvpnpolicy
!
!
webvpn context SSL_contect
!
ssl authenticate verify all
no inservice
!
!
webvpn context Cisco-WEBVPN
!
ssl authenticate verify all
no inservice
!
!
webvpn context SSL_context
virtual-template 1
!
ssl authenticate verify all
inservice
!
policy group SSL_Policy
functions svc-enabled
svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
default-group-policy SSL_Policy
!
end

View solution in original post

balaji.bandi · ‎04-29-2019

show processes cpu sorted 5sec.

Consider below document for reference :

https://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/15095-highcpu.html#show_process_cpu

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Tak Smith · ‎04-30-2019

@balaji.bandi wrote:
show processes cpu sorted 5sec.

Consider below document for reference :

https://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/15095-highcpu.html#show_process_cpu

Thanks for this link. I did most of the troubleshooting already and the recommended actions. None of them took a significant difference.

Joseph W. Doherty · ‎04-30-2019

Cisco recommends a 3945E for up to 350 Mbps. This to keep the CPU under 85% in most situations. The fact that you've achieved 600/150 (down/up) Mbps but have exceeded 85% CPU load, appears to conform with Cisco's recommendation. I.e. it appears you're bumping into the performance limits of the 3945E router.

It's possible if you can pare the config down to what's absolutely needed, you might obtain some more performance capacity, but most likely, you need a more "powerful" ISR.

Tak Smith · ‎04-30-2019

Thanks Joseph for your answer.

I expected to be 350Mbps with some configuration. But customer´s config is quite simple (if I may say). Right now: one dialer, one ACL and one static route... 600Mbps download made me doubt as well. Customer said they could see 600Mbps/600Mbps on random checks... but can´t confirm this, as I wasn´t on site when that happened.

Is really 350Mbps the MAX speed with one dialer and one static route for everybody?

Joseph W. Doherty · ‎05-02-2019

"Is really 350Mbps the MAX speed with one dialer and one static route for everybody? "

Probably not the max. In fact, Cisco documents the 3945E being able to achieve up to 8.675 Gbps (yes that's gig), but that's at 100% CPU and with the best possible config and ideal traffic.

Georg Pauwen · ‎04-30-2019

Hello,

I have made some adjustments (marked in bold) to your config, try and implement those and check if it makes a difference:

C3945E-ECYL#show running-config | begin interface
interface Loopback0
ip address X.X.X.X X.X.X.X
!
interface GigabitEthernet0/0
description Link_ISP1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description Link_ISP2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/3
ip address X.X.X.X 255.255.0.0 secondary
ip address X.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport mode access
no ip address
!
interface GigabitEthernet0/0/1
switchport mode access
no ip address
!
interface GigabitEthernet0/0/2
switchport mode access
no ip address
!
interface GigabitEthernet0/0/3
switchport mode access
no ip address
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Vlan1
no ip address
no ip unreachables
ip virtual-reassembly in
ip tcp adjust-mss 1420
hold-queue 100 out
!
interface Dialer1
mtu 1492
ip address negotiated
--> ip mtu 1492
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXX
ppp pap sent-username XXXXXX password 7 XXXXXX
hold-queue 224 in
!
interface Dialer2
mtu 1492
ip address negotiated
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
encapsulation ppp
dialer pool 2
dialer-group 2
--> ip tcp adjust-mss 1452
no cdp enable
ppp chap hostname XXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXX password 7 XXXXXX
hold-queue 224 in
!
ip local pool vpn-pool X.X.10.230 X.X.10.234
ip local pool SSLVPN_POOL X.X.11.90 X.X.11.95
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp X.X.X.X 8002 interface Dialer1 8002
ip nat inside source static tcp X.X.X.X 81 interface Dialer1 81
ip nat inside source static tcp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 82 interface Dialer1 82
ip nat inside source static udp X.X.X.X 8001 interface Dialer1 8001
ip nat inside source static tcp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static tcp X.X.X.X 10001 interface Dialer1 10001
ip nat inside source static tcp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static tcp X.X.X.X 10004 interface Dialer1 10004
ip nat inside source static tcp X.X.X.X 10005 interface Dialer1 10005
ip nat inside source static udp X.X.X.X 65531 interface Dialer1 65531
ip nat inside source static udp X.X.X.X 10002 interface Dialer1 10002
ip nat inside source static udp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static tcp X.X.X.X 11002 interface Dialer1 11002
ip nat inside source static udp X.X.X.X 65532 interface Dialer1 65532
ip nat inside source static tcp X.X.X.X 65532 interface Dialer1 65532
ip route 0.0.0.0 0.0.0.0 Dialer1
!
--> no ip access-list extended nat-rule
permit ip any any
--> no ip access-list extended nat-test
permit ip any any
!
access-list 1 permit X.X.X.X 0.0.255.255
access-list 1 permit X.X.X.X 0.0.0.255
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 100 permit ip any any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
vstack
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn gateway Cisco-VPN-Gateway
ip interface Dialer2 port 443
no inservice
!
webvpn gateway SSLVPN_GATEWAY
ip address X.X.X.X port XXX
http-redirect port XX
ssl trustpoint SSLVPN_CERT
inservice
!
webvpn context Cisco-VPN
title "WebVPN - Designed by Innercomm"
!
acl "ssl-acl"
permit ip X.X.X.X X.X.X.X X.X.X.X X.X.X.X
login-message "Cisco Secure WebVPN"
!
ssl authenticate verify all
no inservice
!
policy group webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpn-pool" netmask 255.255.0.0
svc rekey method new-tunnel
svc split include X.X.X.X 255.255.255.0
!
!
webvpn context Cisco-WebVPN
aaa authentication list sslvpn
gateway Cisco-VPN-Gateway
max-users 3
!
ssl authenticate verify all
!
url-list "rewrite"
inservice
!
policy group webvpnpolicy
default-group-policy webvpnpolicy
!
!
webvpn context SSL_contect
!
ssl authenticate verify all
no inservice
!
!
webvpn context Cisco-WEBVPN
!
ssl authenticate verify all
no inservice
!
!
webvpn context SSL_context
virtual-template 1
!
ssl authenticate verify all
inservice
!
policy group SSL_Policy
functions svc-enabled
svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
svc dns-server primary 8.8.8.8
default-group-policy SSL_Policy
!
end

Tak Smith · ‎04-30-2019

Hi George,
Thanks for your time on this. I appreciate you look at the config and made some changes. Except the "no ip nat enabled", the others we did try as well.

Anyway, I just modified in the config and did some speed tests. Surprisingly, download now is on 150Mbps, and upload raised to 190Mbps. CPU load dropped to 30%, which is a good sign.

Honestly, I´m getting confused with all the tests.
Are all the "ip nat inside source static tcp" for different ports, affecting to the speed?
Is the VPN commands affecting on this?
If the 3945E is only capable to reach 350Mbps with some configuration, we should see 350Mbps/350Mbps stable, right?

Thanks!!

Georg Pauwen · ‎05-01-2019

Hello,

the (static) NAT entries you have are very few actually, and NAT does not use up very much memory or CPU resources. To be sure there is nothing else left, can you post the configuration you have now again ?

350MB up/down, if that is what the data sheet says, is what you would get under ideal circumstances, with a minimal configuration.

Tak Smith · ‎05-02-2019

Hi Georg,

Thanks again for your message, I appreciate you dedicate time on this.

Well, 350Mb/350Mb would be something stable, and at this stage I even think that would be even accepted, the thing is now is doing 150Mb download and almost 200Mb upload, doesn´t make big sense, and can´t see anything twisted on the config right now.

the 350/350 was achieved with initial config, and LAN port was connected to an EHWIC that the 3945E has installed. We thought that EHWIC was doing bottle neck on the bandwith, so we decided to place LAN port in one of the gigabitethernet routing port from the 3945E. There we could see the 600Mb download and 150Mb upload.

Right now, LAN port is on GigabitEthernet0/3 and WAN/Dialer port is GigabitEthernet0/0.

I thought the same about all the NAT rules, there aren´t many, shouldn´t collapse CPU up to 90%.

Maybe better to clean config, and start all over... What are your suggestions?

Tak Smith · ‎05-02-2019

Here is the config requested (show ver + show run)

Tak Smith · ‎05-20-2019

A quick feedback on this. We continued with more tests, including a new router directly provided by the ISP.

We could reach higher stable speeds with the modifications recommended above and the new router. The dialer was changed to Gi0/0 (the one with the SFP port shared) instead of using gi0/3 (no port shared).
All these changes made the speedtest stable, reaching 500Mb/s on download and higher values on upload. CPU load while download speed is ongoing reaches 30%, while upload less than 5%. During normal operation with users, CPU load is always less than 5% :)

I much appreciate the advice received here. Thumbs up!!