Cisco 871 providing Internet & VPN service but incoming mails slow

desmond.liew
Level 1

Dear all,

I have a Cisco 871 router called 'ROUTER871'. It is providing Internet and VPN service through a 1M leased line. The Cisco 871 is supposed to replace an aging Fortinet firewall.

Current Internet traffic is normal http, https, ftp and dns. The router is also receiving smtp traffic from 'mail site B' through the Internet. Also, the router sends mail out (smtp) to another site called 'mail site A'. So, one site for incoming and another for outgoing.

Everything is fine except that smtp traffic from 'mail site B' is coming in very slowly. The mail queue can be very large, as much as ~100 mails. When a mail with an attachment is sent, it slows down even more. If the old Fortinet firewall is used, mails are okay.

I have tried using QoS commands and used the 'service-policy output [policy-map]' command with priority on the WAN interface (FE/4) but it doesn't help.

I am confused why outgoing mails from ROUTER871 have no problems while incoming mails from 'mail site B' are causing slowness.

Does anyone have any comments or ideas?

2 Replies

a.cruea1980
Level 3

Setting up QoS on an output policy isn't going to help (as you saw).

Have you tried looking at processor usage statistics? Are you sure your ACLs are set up completely properly? Is the NAT from the WAN to the mail server set up properly, using proper protocol and ports?

"Have you tried looking at processor usage statistics?"

Yes, I have checked this with 'sh processes cpu history', and the CPU usage is quite low. It is hovering around 20-30%.

"Are you sure your ACLs are set up completely properly?"

I believe the ACLs look okay. Previously, I only had one ACL, which is applied to the WAN interface (FE/4) using 'ip access-group 120 in'.

The access-list 120 is as follows:

Extended IP access list 120
    10 permit ip host [remote site ip address] host [local public ip 1] (4005 matches)
    20 permit tcp host [mail site A] host [local public ip 2] (71928 matches)
    30 permit tcp host [mail site B] host [local public ip 2] (2312 matches)
    40 permit icmp any host [local public ip 1] echo (142 matches)
    50 permit icmp any host [local public ip 1] echo-reply
    60 permit icmp any host [local public ip 1] time-exceeded
    70 permit icmp any host [local public ip 1] unreachable (3 matches)
    80 permit icmp any host [local public ip 2] echo (26 matches)
    90 permit icmp any host [local public ip 2] echo-reply
    100 permit icmp any host [local public ip 2] time-exceeded
    110 permit icmp any host [local public ip 2] unreachable
    120 deny ip any host [local public ip 2] log (13 matches)
    130 permit tcp any host [local public ip 1] eq 22 (15719 matches)
    140 deny tcp any host [local public ip 1] eq telnet
    150 deny tcp any host [local public ip 1] eq www
    160 deny tcp any host [local public ip 1] eq 443
    170 permit ip any any (27628 matches)

There is actually traffic flowing, but mail site B tends to have long queues during the daytime and only clears them off the next morning. The mail server at 172.30.205.5 sends mail to mail site A without any problems.

"Is the NAT from the WAN to the mail server set up properly, using proper protocol and ports?"

I used the following command for the static NAT:

ip nat inside source static 172.30.205.5 [local public ip 2] extendable

This is definitely working because we do have mails coming in.

I have attached the 'sh run' of the ROUTER871.
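To check the question raised in the reply above ("are the ACLs set up completely properly?") against the listing that was posted, here is a small first-match evaluator for access-list 120. It is an added example written for this page, not code from the original poster or from Cisco. The bracketed addresses in the post are unknown, so it substitutes RFC 5737 documentation addresses (an assumption, labelled in the code), and it understands only the `any`/`host`, `eq PORT`, ICMP type-name and `log` forms that actually occur in the listing.

```python
from dataclasses import dataclass
from typing import List, Optional

# Placeholders (RFC 5737 space) for the bracketed addresses in the post: assumptions.
REMOTE_SITE = "192.0.2.10"
MAIL_SITE_A = "198.51.100.25"
MAIL_SITE_B = "198.51.100.26"
PUBLIC_IP_1 = "203.0.113.1"   # the router's own public address (FE4)
PUBLIC_IP_2 = "203.0.113.2"   # static NAT address of the mail server 172.30.205.5
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "time-exceeded": 11, "unreachable": 3}
TCP_PORTS = {"telnet": 23, "www": 80}

# access-list 120 exactly as listed in the post, with the placeholders substituted.
RAW_ACL = f"""
10 permit ip host {REMOTE_SITE} host {PUBLIC_IP_1}
20 permit tcp host {MAIL_SITE_A} host {PUBLIC_IP_2}
30 permit tcp host {MAIL_SITE_B} host {PUBLIC_IP_2}
40 permit icmp any host {PUBLIC_IP_1} echo
50 permit icmp any host {PUBLIC_IP_1} echo-reply
60 permit icmp any host {PUBLIC_IP_1} time-exceeded
70 permit icmp any host {PUBLIC_IP_1} unreachable
80 permit icmp any host {PUBLIC_IP_2} echo
90 permit icmp any host {PUBLIC_IP_2} echo-reply
100 permit icmp any host {PUBLIC_IP_2} time-exceeded
110 permit icmp any host {PUBLIC_IP_2} unreachable
120 deny ip any host {PUBLIC_IP_2} log
130 permit tcp any host {PUBLIC_IP_1} eq 22
140 deny tcp any host {PUBLIC_IP_1} eq telnet
150 deny tcp any host {PUBLIC_IP_1} eq www
160 deny tcp any host {PUBLIC_IP_1} eq 443
170 permit ip any any
"""

@dataclass
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # TCP/UDP destination port
    icmp_type: Optional[int] = None

@dataclass
class Ace:
    seq: int
    action: str
    proto: str                      # "ip" matches every protocol
    src: Optional[str]              # None stands for "any"
    dst: Optional[str]
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    log: bool = False

def _addr(toks: List[str]) -> Optional[str]:
    # Only the "any" and "host A.B.C.D" forms occur in the listing.
    tok = toks.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return toks.pop(0)
    raise ValueError(f"unsupported address form: {tok}")

def parse_acl(text: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        seq, action, proto, *rest = line.split()
        ace = Ace(int(seq), action, proto, _addr(rest), _addr(rest))
        while rest:                 # optional qualifiers: eq PORT, ICMP type name, log
            tok = rest.pop(0)
            if tok == "eq":
                port = rest.pop(0)
                ace.dport = int(port) if port.isdigit() else TCP_PORTS[port]
            elif tok in ICMP_TYPES:
                ace.icmp_type = ICMP_TYPES[tok]
            elif tok == "log":
                ace.log = True
            else:
                raise ValueError(f"unsupported keyword: {tok}")
        aces.append(ace)
    return aces

ACES = parse_acl(RAW_ACL)

def matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto in ("ip", flow.proto) and ace.src in (None, flow.src)
            and ace.dst in (None, flow.dst) and ace.dport in (None, flow.dport)
            and ace.icmp_type in (None, flow.icmp_type))

def first_match(flow: Flow, aces: List[Ace] = ACES) -> Optional[Ace]:
    # IOS stops at the first matching ACE; None means the implicit deny at the end.
    return next((a for a in aces if matches(a, flow)), None)

if __name__ == "__main__":
    STRANGER = "192.0.2.200"        # constructed: some other Internet host
    for label, flow in [
        ("SMTP from mail site B to public IP 2", Flow("tcp", MAIL_SITE_B, PUBLIC_IP_2, dport=25)),
        ("SMTP from anyone else to public IP 2", Flow("tcp", STRANGER, PUBLIC_IP_2, dport=25)),
        ("ICMP unreachable to public IP 2", Flow("icmp", STRANGER, PUBLIC_IP_2, icmp_type=3)),
        ("telnet to the router from the remote site", Flow("tcp", REMOTE_SITE, PUBLIC_IP_1, dport=23)),
    ]:
        hit = first_match(flow)
        print(f"{label:44} -> " + ("implicit deny" if hit is None else f"seq {hit.seq} {hit.action}"))
```

Run as written, it shows what the sequence order gives you: mail site B is permitted on every TCP port by seq 30, so the ACL either passes its SMTP or it does not, it cannot slow it down; every other sender to public IP 2 hits the logged deny at seq 120 (which is where the 13 matches come from); ICMP type 3 messages from any source, including fragmentation-needed, reach public IP 2 via seq 110; and seq 10 lets the remote site reach the router on any port before the telnet/www/443 denies at 140-160 are ever consulted. The evaluator ignores source ports, TCP flags and anything outside the ACL (`ip inspect`, NAT order of operations, QoS), so it only answers the ACL half of the question; the attached 'sh run' would be needed for the rest.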
