04-10-2018 01:33 PM - edited 03-05-2019 10:15 AM
Trying to figure out why my connection from the ISR4321 is sooo slow. I tested first with plugging my laptop directly into the modem. From the modem directly, I'm hitting speed of up to mid to high 90's. When I plug my 4321 into the modem and use the 2nd interface to the laptop, I go down to mid or high 18's. How can I go from 90's to 18's? I posted my config. License should push 50 in and 50 out. No idea what is causing this. My g0/0/0 is inside and g0/0/1 outside. Any help?
version 16.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname RTE
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.06.02.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
logging buffered warnings
no logging console
no logging monitor
enable secret 5 $1$7vG5$PIahg9O40FxoTHfozgtXW/
!
aaa new-model
!
!
aaa group server tacacs+ ISE_TACACS
 server name alcise01
 server name alcise02
!
aaa authentication password-prompt "Password_: "
aaa authentication username-prompt "Username_: "
aaa authentication login default group tacacs+ local
aaa authentication login VTY group ISE_TACACS local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec VTY group ISE_TACACS local if-authenticated
aaa authorization commands 1 VTY group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY group ISE_TACACS local if-authenticated
aaa accounting update periodic 15
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS
!
!
!
!
!
!
aaa session-id common
process cpu threshold type total rising 80 interval 60 falling 40 interval 60
clock timezone CDT -5 0
clock summer-time CDT recurring
no ip source-route
ip options drop
!
ip name-server 10.255.0.190 10.255.0.191
ip domain list *****
ip domain lookup source-interface GigabitEthernet0/0/0
ip domain name *****
no ip dhcp use vrf connected
ip dhcp excluded-address 10.50.10.1 10.50.10.70
ip dhcp excluded-address 10.50.10.100 10.50.10.254
!
ip dhcp pool CLIENT
 network 10.50.10.0 255.255.255.0
 default-router 10.50.10.254
 dns-server 10.255.0.190 10.255.0.191
 netbios-name-server 10.255.0.190 10.255.0.191
 domain-name *****
 lease 2
!
ip dhcp pool Pinicon-1
 host 10.50.10.101 255.255.255.0
 client-identifier 0180.9b20.b576.b8
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-2
 host 10.50.10.102 255.255.255.0
 client-identifier 0180.9b20.b848.54
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-3
 host 10.50.10.103 255.255.255.0
 client-identifier 0144.8a5b.e917.45
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 netbios-name-server 10.255.0.190 10.255.0.191
 lease 2
!
ip dhcp pool Pinicon-4
 host 10.50.10.104 255.255.255.0
 client-identifier 01b8.8a60.3e6d.9c
 dns-server 10.255.0.190 10.255.0.191
 default-router 10.50.10.254
 domain-name *****
 lease 2
!
!
license udi pid ISR4321/K9 sn FDO19490H76
license boot level securityk9
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
username ***** privilege 15 password 7 *****
!
redundancy
 mode none
!
!
!
!
!
!
!
crypto keyring keyring
 pre-shared-key address 0.0.0.0 0.0.0.0 key *****
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set *****
 mode transport
!
crypto ipsec profile AES-SHA
 set transform-set AES-SHA
!
!
!
!
!
!
!
!
!
!
interface Tunnel0
 description DMVPN
 ip address 10.255.14.60 255.255.254.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication enlivant
 ip nhrp map 10.255.14.1 38.69.52.4
 ip nhrp map multicast 38.69.52.4
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 10.255.14.1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile AES-SHA shared
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 description LAN-INSIDE
 ip address 10.50.10.254 255.255.255.0
 ip mtu 1460
 ip nat inside
 ip tcp adjust-mss 1350
 ip policy route-map PBR
 negotiation auto
 hold-queue 32 in
 hold-queue 100 out
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 description INTERNET-OUTSIDE
 ip address dhcp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
!
router eigrp 2
 distribute-list prefix BLOCK-EIGRP-DEFAULT in
 network 10.0.0.0
 passive-interface default
 no passive-interface Tunnel0
 eigrp stub connected
!
ip nat inside source list NAT interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip http server
no ip http secure-server
ip http secure-trustpoint TP-self-signed-3430957644
ip http client secure-trustpoint TP-self-signed-3430957644
ip tftp source-interface GigabitEthernet0/0/0
ip tacacs source-interface GigabitEthernet0/0/0
!
ip ssh version 2
!
!
ip prefix-list BLOCK-EIGRP-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list BLOCK-EIGRP-DEFAULT seq 10 permit 0.0.0.0/0 le 32
!
ip access-list extended NAT
 permit ip 10.50.10.224 0.0.0.15 any
ip access-list extended PBR
 deny ip 10.50.10.224 0.0.0.15 any
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip 10.0.0.0 0.255.255.255 any
!
!
logging trap warnings
logging host 10.255.0.150
access-list 2 permit 10.6.0.0 0.0.255.255
access-list 2 permit 10.20.0.0 0.0.255.255
access-list 2 permit 10.40.0.0 0.0.255.255
access-list 2 permit 10.50.0.0 0.0.255.255
access-list 2 permit 10.90.0.0 0.0.255.255
access-list 2 permit 10.255.0.0 0.0.255.255
access-list 2 permit ***** 0.0.0.63
access-list 2 permit ***** 0.0.0.7
access-list 2 deny any
!
!
route-map PBR permit 10
 match ip address PBR
 set ip next-hop 10.255.14.1
!
snmp-server community ALCpub RO
snmp-server community 177h@ouses RW
snmp-server enable traps snmp coldstart
snmp-server enable traps tty
snmp-server enable traps memory bufferpeak
snmp-server enable traps cpu threshold
snmp-server host 10.255.8.158 ALCpub
tacacs-server timeout 10
tacacs-server directed-request
tacacs server alcise01
 address ipv4 10.255.0.30
 key 7 *****
tacacs server alcise02
 address ipv4 10.255.0.31
 key 7 *****
!
!
!
!
control-plane
!
banner motd ^CCC
********************* ATTENTION!! ***********************
* *
* STATE AND FEDERAL STATUTES MAKE IT A CRIME TO *
* GAIN UNAUTHORIZED ACCESS INTO THIS SYSTEM.VIOLATORS *
* WILL BE PROSECUTED TO THE FULLEST EXTENT OF THE LAW.c *
* *
***********************************************************
Your session is being monitored by Enlivant network admins.
^C
!
line con 0
 session-timeout 40
 exec-timeout 120 0
 logging synchronous
 transport input none
 stopbits 1
line aux 0
 modem InOut
 no exec
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 session-timeout 40
 access-class 2 in
 exec-timeout 120 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 length 0
 transport input ssh
line vty 5 15
 session-timeout 40
 access-class 2 in
 exec-timeout 120 0
 authorization commands 1 VTY
 authorization commands 15 VTY
 authorization exec VTY
 logging synchronous
 login authentication VTY
 transport input ssh
!
scheduler max-task-time 5000
ntp source Tunnel0
ntp server 10.255.0.1
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end
RTE#sh ip int g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Internet address is 10.50.10.254/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1460 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.10
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is enabled, using route map PBR
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, Policy Routing, MCI Check, TCP Adjust MSS
Output features: NAT Inside, TCP Adjust MSS
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
RTE#sh int g0/0/0
GigabitEthernet0/0/0 is up, line protocol is up
Hardware is ISR4321-2x1GE, address is 00f2.8b29.2400 (bia 00f2.8b29.2400)
Description: LAN-INSIDE
Internet address is 10.50.10.254/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is RJ45
output flow-control is off, input flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:01, output 00:00:03, output hang never
Last clearing of "show interface" counters 00:18:46
Input queue: 0/32/0/0 (size/max/drops/flushes); Total output drops: 175
Queueing strategy: fifo
Output queue: 0/100 (size/max)
5 minute input rate 28000 bits/sec, 14 packets/sec
5 minute output rate 135000 bits/sec, 9 packets/sec
40418 packets input, 9560526 bytes, 0 no buffer
Received 2108 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 4419 multicast, 0 pause input
43948 packets output, 31662276 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
38 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
------------------------------------------------------------------------------
RTE#sh ip int g0/0/1
GigabitEthernet0/0/1 is up, line protocol is up
Internet address is *******/23
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing Common access list is not set
Outgoing access list is not set
Inbound Common access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
Associated unicast routing topologies:
Topology "base", operation state is UP
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Probe proxy name replies are disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Virtual Fragment Reassembly, NAT Outside, MCI Check
Output features: Post-routing NAT Outside
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
RTE#sh int g0/0/1
GigabitEthernet0/0/1 is up, line protocol is up
Hardware is ISR4321-2x1GE, address is 00f2.8b29.2401 (bia 00f2.8b29.2401)
Description: INTERNET-OUTSIDE
Internet address is *******/23
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is RJ45
output flow-control is off, input flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:37:59, output hang never
Last clearing of "show interface" counters 00:19:48
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 145000 bits/sec, 61 packets/sec
5 minute output rate 35000 bits/sec, 12 packets/sec
99094 packets input, 36172421 bytes, 0 no buffer
Received 52087 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 129 multicast, 0 pause input
36886 packets output, 9840593 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
RTE#sh ver
Cisco IOS XE Software, Version 16.06.02
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, Inc.
Compiled Wed 01-Nov-17 07:09 by mcpre
ROM: IOS-XE ROMMON
Pinicon_Place uptime is 6 hours, 23 minutes
Uptime for this control processor is 6 hours, 26 minutes
System returned to ROM by PowerOn at 23:59:00 CDT Sat Mar 24 2018
System restarted at 10:10:32 CDT Tue Apr 10 2018
System image file is "bootflash:isr4300-universalk9.16.06.02.SPA.bin"
Last reload reason: PowerOn
Suite License Information for Module:'esg'
--------------------------------------------------------------------------------
Suite Suite Current Type Suite Next reboot
--------------------------------------------------------------------------------
FoundationSuiteK9 None None None
securityk9
appxk9
AdvUCSuiteK9 None None None
uck9
cme-srst
cube
Technology Package License Information:
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
appxk9 None None None
uck9 None None None
securityk9 securityk9 EvalRightToUse securityk9
ipbase ipbasek9 Permanent ipbasek9
cisco ISR4321/K9 (1RU) processor with 1796760K/6147K bytes of memory.
Processor board ID FLM1951W070
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
3223551K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.
Configuration register is 0x2102
04-10-2018 01:59 PM
07-13-2022 12:09 PM
Sorry to bring this back; currently, I am experiencing the issue. Just curious, how did you resolve it?
07-13-2022 12:28 PM
Every issue is not going to be the same. Maybe you have the same issue, but how is your setup and config?
07-13-2022 12:22 PM
Reduce the MTU and TCP MSS under the tunnel interface, with 40 bytes, and check again with DMVPN.
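As an added illustration of the reply above (not code from the thread or from Cisco): this reads `ip mtu` and `ip tcp adjust-mss` from an excerpt of the posted interface stanzas, shows how many bytes each interface leaves for the IPv4 and TCP headers, and computes the tunnel values after lowering both by 40 bytes. The function names are hypothetical, and reading the reply as "lower each value by 40" is an assumption.

```python
import re

# Constructed excerpt: interface stanzas from the posted config, trimmed to
# the lines relevant to MTU and MSS.
CONFIG = """\
interface Tunnel0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel protection ipsec profile AES-SHA shared
!
interface GigabitEthernet0/0/0
 ip mtu 1460
 ip tcp adjust-mss 1350
!
interface GigabitEthernet0/0/1
 ip address dhcp
!
"""
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def parse_interfaces(text):
    """Map interface name -> {'mtu': int|None, 'mss': int|None}."""
    result, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):  # any top-level line ends the stanza
            m = re.match(r"interface (\S+)", line)
            current = result.setdefault(m.group(1), {"mtu": None, "mss": None}) if m else None
        elif current is not None:
            m = re.match(r" ip (mtu|tcp adjust-mss) (\d+)$", line)
            if m:
                current["mtu" if m.group(1) == "mtu" else "mss"] = int(m.group(2))
    return result

def headroom(intf):
    """ip mtu minus clamped MSS: bytes left for IP+TCP headers (None if unset)."""
    if intf["mtu"] is None or intf["mss"] is None:
        return None
    return intf["mtu"] - intf["mss"]

def path_mss(interfaces, names):
    """Smallest adjust-mss among the interfaces a flow crosses."""
    return min(interfaces[n]["mss"] for n in names if interfaces[n]["mss"] is not None)

def lowered(intf, by=IP_TCP_HEADERS):
    """Both values lowered by `by` bytes (assumed reading of the reply)."""
    return {"mtu": intf["mtu"] - by, "mss": intf["mss"] - by}

if __name__ == "__main__":
    ifs = parse_interfaces(CONFIG)
    for name, vals in ifs.items():
        print(name, vals, "headroom:", headroom(vals))
    print("LAN->tunnel clamp:", path_mss(ifs, ["GigabitEthernet0/0/0", "Tunnel0"]))
    print("Tunnel0 lowered by 40:", lowered(ifs["Tunnel0"]))
```

On the posted values, Tunnel0 already leaves exactly 40 bytes between `ip mtu` and `adjust-mss`, and TCP sessions entering on the LAN interface are clamped to the smaller of the two MSS settings before they reach the tunnel.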