Showing results for 
Search instead for 
Did you mean: 

Cisco 881 unreliable with datastreams like youtube

Hi guys,

I have a Cisco881w router connected to my cable-modem. I installed the 881 together with a new cable-modem, so practically 2 things have changed in the network here. Since then, we're experiencing problems with things like downloading large files (like > a few MB), watching youtube movies etc. When I click on a movie on youtube, usually the loading bar stops at approx 5-10%. When hitting refresh a couple of times, suddenly the whole movie is loaded. This is the same when downloading large files.

I have absolutely no clue whatsoever where I should start searching. Does anybody have an idea? Thanks very much!


Accepted Solutions

Remove the "zone" and policy map commands. Also remove the "ip virtual-reammbly command" and the unneccesary "ip tcp" since this is not PPPoE.

View solution in original post

paolo bevilacqua
Hall of Fame Master

Are you using pppoe ? If yes configure "ip tcp mss-adjust 1452" under VLAN interface. You may also suffer from other incorrect or unncessary configuration commands.

Hi, thx for your answerr. I don't think I'm using pppoe, this is the config:

Cisco881w#sh ru
Building configuration...

Current configuration : 8379 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Cisco881w
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$k9vg$gvqiiMwUHtPFl/RDkJKg90
no aaa new-model
memory-size iomem 10
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
crypto pki trustpoint TP-self-signed-3372704126
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3372704126
revocation-check none
rsakeypair TP-self-signed-3372704126
crypto pki certificate chain TP-self-signed-3372704126
certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333732 37303431 3236301E 170D3130 31313136 32313433
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33373237
  30343132 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100EA15 293FD03D 05ECC78A 5976C75A 2D020C87 57D0AC05 06FCF79C E34C62A4
  EBA4C1E5 4F8D12BE 40C38D57 DC8A2B93 2C84F8C2 F656E08E 6F240251 04013BA9
  1A214B39 77C6D6F1 3AF57437 593C77E0 6E4F6961 FD35BC7F 731A95A4 2986C81F
  DB852C79 305EB9F3 980906E6 0BE96FB4 1B63EE0E AD0F9374 BB436D50 749F2F5F
  B8D50203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 16436973 636F3838 31772E77 6562656E 61626C65 2E6E6C30
  1F060355 1D230418 30168014 B58BC3CB A2979E50 E23CD62B 4B74A60F 61F91446
  301D0603 551D0E04 160414B5 8BC3CBA2 979E50E2 3CD62B4B 74A60F61 F9144630
  0D06092A 864886F7 0D010104 05000381 81006BA9 985291D1 00646652 052DD945
  0779991A AEF47011 CC832BDF 98C06B6C 16E3A890 C2FF7BF6 0FB5E6BD F4A204C9
  01DD30E4 00A59980 78320007 0D587FF0 80715BE0 2F0895D2 768CC57F 458DE4CA
  848E00E9 E04F660B 33D04511 B380FE22 F8B34F25 5C2E7320 59454E95 1291596B
  500A44ED D2C1A4B8 7FC9406C F783F3DD F920
no ip source-route
ip dhcp excluded-address
ip dhcp pool ccp-pool1
   import all
ip cef
no ip bootp server
ip domain name
ip name-server
ip name-server
ip port-map user-protocol--1 port tcp 3389
no ipv6 cef
username admin privilege 15 secret 5 $1$BE3m$q5hXmgPDF.42JFcSc7.vj0
log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
class class-default
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
class type inspect sdm-nat-user-protocol--1-1
class class-default
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
class type inspect ccp-insp-traffic
class class-default
policy-map type inspect ccp-permit
class class-default
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address ***.***.74.202
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route ***.***.74.201
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 80 ***.***.74.203 80 extendable
ip nat inside source static tcp 3389 ***.***.74.203 3389 extendable
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 100 permit ip ***.***.74.200 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host
no cdp run

banner exec ^C
% Password expiration warning.

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you
want to use.

banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500


I just bought a cheap TP-Link WIFI-router, installed it and now testing the internetconnection. Youtube-movies just work, no problem, so I think the cable-modem is OK, and the problem must be in the Cisco881...

Remove the "zone" and policy map commands. Also remove the "ip virtual-reammbly command" and the unneccesary "ip tcp" since this is not PPPoE.

Wow, I changed it and it seems to work now! Great, awesome, thx man!

You're welcome, thanks for the nice rating and good luck!