TCP Window Scaling Issues

jfinnigan1 (Level 1)

We have Cisco 2800s at each of our four locations, which are managed by our ISP. We have been having issues with them. I got them to send me the config files off of one of them, but nothing jumps out at me.

We have to disable TCP Window Scaling/Tuning on all our Windows 7/Server 2012 machines (by running netsh interface tcp set global autotuning=disabled on the command line).

If we do not, it's very slow to even load a webpage, and impossible to download a file (even something as small as 2MB). Mobile devices have no hope of working on our network currently because of this. This is not an issue on our few remaining XP machines, though I believe the reason is that XP didn't use Window Scaling.

Any ideas what would be causing this? I plan on replacing them soon with our own routers, since they do not want to set up the sub-interfaces for our VLANs, but in the meantime I need this working.

Thanks in advance for any help.

Here is the config with sensitive info removed:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REMOVED
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
no logging console
enable secret REMOVED
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-REMOVED
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-REMOVED
 revocation-check none
 rsakeypair TP-self-signed-REMOVED
!
!
crypto pki certificate chain TP-self-signed-REMOVED
 certificate self-signed 01
  REMOVED
  quit
!
class-map match-all VOIP
 match access-group 120
!
!
policy-map VOIP
 class VOIP
  priority 1000
 class class-default
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set VPN
!
crypto ipsec profile SDM_Profile2
 set transform-set VPN
!
!
!
!
!
interface Tunnel0
 description $FW_INSIDE$
 bandwidth 3000
 ip address 10.10.200.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 ip mtu 1400
 ip nhrp authentication VPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf priority 20
 delay 10
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile SDM_Profile1
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 192.168.210.1 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 10.10.100.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map server-nat
 duplex auto
 speed auto
 no mop enabled
 service-policy output VOIP
!
interface FastEthernet0/1
 description $FW_OUTSIDE$
 ip address IP REMOVED NETMASK REMOVED
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1/0
 load-interval 30
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
router ospf 100
 log-adjacency-changes
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 passive-interface FastEthernet0/1/0
 network 10.10.100.0 0.0.0.255 area 0
 network 10.10.200.0 0.0.0.255 area 0
 network 10.10.201.0 0.0.0.255 area 0
 network 192.168.210.1 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
!
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 30000
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool nat REMOVED netmask REMOVED
ip nat inside source list 150 interface FastEthernet0/1 overload
!
access-list 100 deny   ip 10.10.200.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny   ip 10.10.201.0 0.0.0.255 any
access-list 101 remark Tunnel ACL
access-list 101 deny   ip REMOVED 0.0.0.7 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log
access-list 101 permit ip host 10.10.100.10 any log
access-list 101 permit ip host 10.10.100.12 any log
access-list 101 permit ip host 10.10.100.20 any log
access-list 101 permit ip host 10.10.100.21 any log
access-list 101 permit ip host 10.10.100.45 any log
access-list 101 permit ip any host 10.10.100.10 log
access-list 101 permit ip any host 10.10.100.12 log
access-list 101 permit ip any host 10.10.100.20 log
access-list 101 permit ip any host 10.10.100.21 log
access-list 101 permit ip any host 10.10.100.45 log
access-list 101 permit ospf any any
access-list 101 permit icmp any any
access-list 101 deny   ip 10.10.100.0 0.0.0.255 any log
access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 remark Outside ACL
access-list 102 permit tcp host REMOVED host REMOVED eq 22
access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22
access-list 102 permit udp any host REMOVED eq non500-isakmp
access-list 102 permit udp any host REMOVED eq isakmp
access-list 102 permit esp any host REMOVED
access-list 102 permit ahp any host REMOVED
access-list 102 permit gre any host REMOVED
access-list 102 permit icmp any host REMOVED echo-reply
access-list 102 permit icmp any host REMOVED time-exceeded
access-list 102 permit icmp any host REMOVED unreachable
access-list 102 permit ip any host 10.10.100.10
access-list 102 permit ip any host 10.10.100.12
access-list 102 permit ip any host 10.10.100.20
access-list 102 permit ip any host 10.10.100.21
access-list 102 permit ip any host 10.10.100.45
access-list 102 deny   ip 10.10.100.0 0.0.0.255 any
access-list 102 deny   ip 10.10.200.0 0.0.0.255 any
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 103 permit ip REMOVED 0.0.0.15 any
access-list 103 permit ip 10.10.200.0 0.0.0.255 any
access-list 103 permit ip 10.10.100.0 0.0.0.255 any
access-list 103 permit ip 10.10.110.0 0.0.0.255 any
access-list 103 permit ip 10.10.120.0 0.0.0.255 any
access-list 103 permit ip 10.10.130.0 0.0.0.255 any
access-list 110 deny   ip host 10.10.100.12 10.10.110.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.12 10.10.130.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.10 10.10.110.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.10 10.10.130.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.20 10.10.110.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.20 10.10.130.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.21 10.10.110.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.21 10.10.130.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.45 10.10.110.0 0.0.0.255
access-list 110 deny   ip host 10.10.100.45 10.10.130.0 0.0.0.255
access-list 110 permit ip host 10.10.100.12 any
access-list 110 permit ip host 10.10.100.10 any
access-list 110 permit ip host 10.10.100.20 any
access-list 110 permit ip host 10.10.100.21 any
access-list 110 permit ip host 10.10.100.45 any
access-list 120 permit udp any any eq 5060
access-list 150 deny   ip host 10.10.100.10 any
access-list 150 deny   ip host 10.10.100.12 any
access-list 150 deny   tcp host 10.10.100.20 any eq 3389
access-list 150 deny   ip host 10.10.100.21 any
access-list 150 deny   tcp host 10.10.100.45 any eq 22
access-list 150 deny   tcp host 10.10.100.45 any eq 443
access-list 150 deny   udp host 10.10.100.45 any eq 5060
access-list 150 deny   udp host 10.10.100.45 any range 10000 10500
access-list 150 deny   ip 10.10.110.0 0.0.0.255 any
access-list 150 deny   ip 10.10.120.0 0.0.0.255 any
access-list 150 deny   ip 10.10.130.0 0.0.0.255 any
access-list 150 permit ip 10.10.100.0 0.0.0.255 any
!
route-map server-nat permit 10
 match ip address 110
 set ip next-hop 10.10.200.3
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CC
<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>

                         Authorized access only

<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>

        Disconnect IMEDIATELY if you are not an authorized user !
^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 103 in
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 103 in
 privilege level 15
 login local
 transport input ssh
!
end

Accepted Solution

Rolf Fischer (Level 9)

Hello Jason,

You can find many articles saying that the MS auto-tuning feature doesn't work well with some stateful inspection firewalls and/or VPNs.

In CSC I found another interesting one:

https://supportforums.cisco.com/thread/2169557

Maybe Joseph joins this discussion later with some new/additional information.

Best regards

Rolf

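To make the failure mode Rolf points at concrete, here is an added Python model (not code from this thread, from Cisco or from Microsoft) of TCP window-scale negotiation as RFC 7323 defines it, pushed through a stateful inspector that tracks the 16-bit window field but never parsed the window-scale option on the SYN. The inspector's behaviour, the shift value of 2, the 256 KiB receive buffer and the 2 MB transfer are constructed assumptions chosen to reproduce the symptom in the original post; only the MSS of 1360 is taken from the posted config (`ip tcp adjust-mss 1360` on Tunnel0).

```python
# Toy model of TCP window scaling (RFC 7323) crossing a stateful inspector
# that ignores the window-scale option.  Added illustration for this thread,
# not Cisco or Microsoft code; the inspector logic and the numeric values
# below (except MSS) are constructed assumptions.
from dataclasses import dataclass

MAX_RAW_WINDOW = 65535   # the TCP header's window field is 16 bits
MSS = 1360               # from "ip tcp adjust-mss 1360" in the posted config
SHIFT_WHEN_SCALING = 2   # constructed shift for the model, not Windows' real value


@dataclass
class Receiver:
    rcv_buf: int   # bytes the stack is willing to buffer
    shift: int     # window-scale shift announced in its SYN (0 = no scaling)

    def raw_window(self) -> int:
        """Value written into the 16-bit header field (already shifted down)."""
        return min(self.rcv_buf >> self.shift, MAX_RAW_WINDOW)

    def effective_window(self) -> int:
        """Window a scaling-aware peer reconstructs: raw << shift."""
        return self.raw_window() << self.shift


def negotiate_shift(client_offers_ws: bool, server_offers_ws: bool,
                    middlebox_strips_ws: bool) -> tuple:
    """RFC 7323: scaling applies only when both SYN and SYN-ACK carry the option.
    A device that strips the option from the SYN forces a clean (0, 0) fallback;
    one that passes it through but ignores it leaves scaling on (NaiveInspector)."""
    if middlebox_strips_ws or not client_offers_ws or not server_offers_ws:
        return (0, 0)
    return (SHIFT_WHEN_SCALING, SHIFT_WHEN_SCALING)


class NaiveInspector:
    """Stateful inspector that validates sequence numbers against the raw
    window field because it never parsed the WS option (model assumption)."""

    def __init__(self) -> None:
        self.passed = 0
        self.dropped = 0

    def check(self, seq: int, length: int, ack: int, raw_window: int) -> bool:
        # Accept only if the segment ends inside [ack, ack + raw_window].
        ok = seq + length <= ack + raw_window
        if ok:
            self.passed += 1
        else:
            self.dropped += 1
        return ok


def simulate_burst(receiver: Receiver, transfer_bytes: int) -> dict:
    """Sender fills the receiver's effective window (or the whole transfer if
    smaller) with MSS-sized segments from seq 0 / ack 0 and pushes each one
    through a NaiveInspector.  Returns the window sizes and pass/drop counts."""
    inspector = NaiveInspector()
    window = min(receiver.effective_window(), transfer_bytes)
    raw = receiver.raw_window()
    seq = 0
    while seq < window:
        length = min(MSS, window - seq)
        inspector.check(seq, length, 0, raw)
        seq += length
    return {"raw_window": raw, "effective_window": receiver.effective_window(),
            "passed": inspector.passed, "dropped": inspector.dropped}


def scenario(autotuning_enabled: bool, transfer_bytes: int = 2 * 1024 * 1024) -> dict:
    """Two receivers modelled after the thread: autotuning on (scaled window,
    constructed 256 KiB buffer) versus 'netsh ... autotuning=disabled'
    (fixed 64 KiB window, no scaling).  Default transfer is the 2 MB download."""
    if autotuning_enabled:
        rcv = Receiver(rcv_buf=256 * 1024, shift=SHIFT_WHEN_SCALING)
    else:
        rcv = Receiver(rcv_buf=MAX_RAW_WINDOW, shift=0)
    return simulate_burst(rcv, transfer_bytes)


if __name__ == "__main__":
    print("negotiation, inspector strips WS:", negotiate_shift(True, True, True))
    print("negotiation, inspector ignores WS:", negotiate_shift(True, True, False))
    for enabled in (True, False):
        print(f"autotuning={'on' if enabled else 'off'}:", scenario(enabled))
    print("autotuning=on, 20 KiB page:", scenario(True, transfer_bytes=20480))
```

Run stand-alone it prints both scenarios: with scaling on, the inspector passes the first 48 segments (about 64 KiB) and drops the remaining 145 of the burst, so a small page can still load while a 2 MB download never completes; with autotuning disabled the advertised window never exceeds 65535 and nothing is dropped. `negotiate_shift` captures the distinction that matters when reviewing a firewall or VPN device in the path: one that strips the option from the SYN forces a clean fallback to unscaled windows, whereas one that passes the option through but does not track it leaves both endpoints scaling behind its back.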

jfinnigan1 (Level 1)

Thanks,

So it sounds like it's an issue with the age of our devices, and them not knowing about TCP Window Scaling.
