07-31-2013 05:13 PM - edited 03-04-2019 08:37 PM
We have Cisco 2800s at each of our four locations which are managed by our ISP. We have been having issues with them, so I got them to send me the config files off of one of them, but nothing jumps out at me.
We have to disable TCP Window Scaling/Tuning on all our Windows 7/Server 2012 machines (by running netsh interface tcp set global autotuning=disabled in the command line).
If we do not, it's very slow to even load a webpage, and impossible to download a file (even something as small as 2MB). Mobile devices have no hope of working on our network currently because of this. This is not an issue on our few remaining XP machines, though I believe the reason is that XP didn't use Window Scaling.
Any ideas what would be causing this? I plan on replacing them soon with our own routers, since they do not want to set up the sub-interfaces for our VLANs, but in the meantime I need this working.
Thanks in advance for any help.
Here is the config with sensitive info removed:
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname REMOVED
!
boot-start-marker
boot-end-marker
!
logging buffered 8192 debugging
no logging console
enable secret REMOVED
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-REMOVED
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-REMOVED
revocation-check none
rsakeypair TP-self-signed-REMOVED
!
!
crypto pki certificate chain TP-self-signed-REMOVED
certificate self-signed 01
REMOVED
quit
!
class-map match-all VOIP
match access-group 120
!
!
policy-map VOIP
class VOIP
priority 1000
class class-default
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0
no crypto isakmp ccm
!
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set VPN
!
crypto ipsec profile SDM_Profile2
set transform-set VPN
!
!
!
!
!
interface Tunnel0
description $FW_INSIDE$
bandwidth 3000
ip address 10.10.200.1 255.255.255.0
ip access-group 101 in
no ip redirects
ip mtu 1400
ip nhrp authentication VPN
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 20
delay 10
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
interface Null0
no ip unreachables
!
interface Loopback0
ip address 192.168.210.1 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 10.10.100.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map server-nat
duplex auto
speed auto
no mop enabled
service-policy output VOIP
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address IP REMOVED NETMASK REMOVED
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1/0
load-interval 30
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
router ospf 100
log-adjacency-changes
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1
passive-interface FastEthernet0/1/0
network 10.10.100.0 0.0.0.255 area 0
network 10.10.200.0 0.0.0.255 area 0
network 10.10.201.0 0.0.0.255 area 0
network 192.168.210.1 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
ip route REMOVED NETMASK REMOVED
!
ip flow-capture ip-id
ip flow-capture mac-addresses
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 30000
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool nat REMOVED netmask REMOVED
ip nat inside source list 150 interface FastEthernet0/1 overload
!
access-list 100 deny ip 10.10.200.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 deny ip 10.10.201.0 0.0.0.255 any
access-list 101 remark Tunnel ACL
access-list 101 deny ip REMOVED 0.0.0.7 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log
access-list 101 permit ip host 10.10.100.10 any log
access-list 101 permit ip host 10.10.100.12 any log
access-list 101 permit ip host 10.10.100.20 any log
access-list 101 permit ip host 10.10.100.21 any log
access-list 101 permit ip host 10.10.100.45 any log
access-list 101 permit ip any host 10.10.100.10 log
access-list 101 permit ip any host 10.10.100.12 log
access-list 101 permit ip any host 10.10.100.20 log
access-list 101 permit ip any host 10.10.100.21 log
access-list 101 permit ip any host 10.10.100.45 log
access-list 101 permit ospf any any
access-list 101 permit icmp any any
access-list 101 deny ip 10.10.100.0 0.0.0.255 any log
access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 102 remark Outside ACL
access-list 102 permit tcp host REMOVED host REMOVED eq 22
access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22
access-list 102 permit udp any host REMOVED eq non500-isakmp
access-list 102 permit udp any host REMOVED eq isakmp
access-list 102 permit esp any host REMOVED
access-list 102 permit ahp any host REMOVED
access-list 102 permit gre any host REMOVED
access-list 102 permit icmp any host REMOVED echo-reply
access-list 102 permit icmp any host REMOVED time-exceeded
access-list 102 permit icmp any host REMOVED unreachable
access-list 102 permit ip any host 10.10.100.10
access-list 102 permit ip any host 10.10.100.12
access-list 102 permit ip any host 10.10.100.20
access-list 102 permit ip any host 10.10.100.21
access-list 102 permit ip any host 10.10.100.45
access-list 102 deny ip 10.10.100.0 0.0.0.255 any
access-list 102 deny ip 10.10.200.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 103 permit ip REMOVED 0.0.0.15 any
access-list 103 permit ip 10.10.200.0 0.0.0.255 any
access-list 103 permit ip 10.10.100.0 0.0.0.255 any
access-list 103 permit ip 10.10.110.0 0.0.0.255 any
access-list 103 permit ip 10.10.120.0 0.0.0.255 any
access-list 103 permit ip 10.10.130.0 0.0.0.255 any
access-list 110 deny ip host 10.10.100.12 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.12 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.10 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.10 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.20 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.20 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.21 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.21 10.10.130.0 0.0.0.255
access-list 110 deny ip host 10.10.100.45 10.10.110.0 0.0.0.255
access-list 110 deny ip host 10.10.100.45 10.10.130.0 0.0.0.255
access-list 110 permit ip host 10.10.100.12 any
access-list 110 permit ip host 10.10.100.10 any
access-list 110 permit ip host 10.10.100.20 any
access-list 110 permit ip host 10.10.100.21 any
access-list 110 permit ip host 10.10.100.45 any
access-list 120 permit udp any any eq 5060
access-list 150 deny ip host 10.10.100.10 any
access-list 150 deny ip host 10.10.100.12 any
access-list 150 deny tcp host 10.10.100.20 any eq 3389
access-list 150 deny ip host 10.10.100.21 any
access-list 150 deny tcp host 10.10.100.45 any eq 22
access-list 150 deny tcp host 10.10.100.45 any eq 443
access-list 150 deny udp host 10.10.100.45 any eq 5060
access-list 150 deny udp host 10.10.100.45 any range 10000 10500
access-list 150 deny ip 10.10.110.0 0.0.0.255 any
access-list 150 deny ip 10.10.120.0 0.0.0.255 any
access-list 150 deny ip 10.10.130.0 0.0.0.255 any
access-list 150 permit ip 10.10.100.0 0.0.0.255 any
!
route-map server-nat permit 10
match ip address 110
set ip next-hop 10.10.200.3
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner motd ^CC
<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
Authorized access only
<@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
Disconnect IMEDIATELY if you are not an authorized user !
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input ssh
!
end
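Added example, not from this thread or from Cisco: a small parser for the TCP options in a SYN/SYN-ACK pair that reports whether Window Scaling (option kind 3) was actually negotiated end to end. Capturing the handshake on the LAN side and on the WAN side of the router and running both pairs through it shows whether the option is present on one side but missing on the other, which is the check to make before blaming the client autotuning; the packets below are constructed samples, not captures from the network above.

```python
import struct

def parse_tcp_options(hdr: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP header."""
    opts = hdr[20:(hdr[12] >> 4) * 4]        # data offset = header length / 4
    found, i = {}, 0
    while i < len(opts) and opts[i] != 0:    # kind 0 = End of Option List
        if opts[i] == 1:                      # kind 1 = NOP padding
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        found[opts[i]] = opts[i + 2:i + length]
        i += length
    return found

def window_scale(hdr: bytes):
    """Shift count from the Window Scale option (kind 3), or None if absent."""
    opt = parse_tcp_options(hdr).get(3)
    return opt[0] if opt else None

def effective_window(own_hdr: bytes, peer_hdr: bytes) -> int:
    """Receive window in bytes the sender of own_hdr really advertises: RFC 7323
    scaling applies only when BOTH the SYN and the SYN-ACK carried WSopt."""
    window = struct.unpack("!H", own_hdr[14:16])[0]
    if window_scale(own_hdr) is None or window_scale(peer_hdr) is None:
        return window                         # unscaled 16-bit window, max 64 KB
    return window << window_scale(own_hdr)

def diagnose(syn: bytes, synack: bytes) -> str:
    """Classify one handshake as a capture on the client side would show it."""
    if window_scale(syn) is None:
        return "client did not request scaling (autotuning disabled)"
    if window_scale(synack) is None:
        return "client requested scaling but SYN-ACK has none: stripped on path or peer"
    return "window scaling negotiated, %d KB client window" % (effective_window(syn, synack) // 1024)

def build_tcp_header(sport, dport, flags, window, options=b"") -> bytes:
    """Constructed sample header; only the fields the parser reads are meaningful."""
    options += b"\x00" * (-len(options) % 4)  # pad options to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, offset << 4,
                       flags, window, 0, 0) + options

# Constructed handshake samples: MSS 1460 + NOP, then optionally WSopt (kind 3).
MSS_NOP = b"\x02\x04\x05\xb4\x01"
CLIENT_SYN = build_tcp_header(50000, 443, 0x02, 65535, MSS_NOP + b"\x03\x03\x08")
SYNACK_OK = build_tcp_header(443, 50000, 0x12, 65535, MSS_NOP + b"\x03\x03\x07")
SYNACK_STRIPPED = build_tcp_header(443, 50000, 0x12, 65535, MSS_NOP)
```

Feeding real headers from a capture (the 20-byte TCP header plus its options, as sliced out of the IP payload) into diagnose() for the same connection on both sides of the router localises where the option disappears.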
07-31-2013 10:48 PM
Hello Jason,
you can find many articles saying that the MS auto-tuning feature doesn't work well with some stateful inspection firewalls and/or VPNs.
In CSC I found another interesting one:
https://supportforums.cisco.com/thread/2169557
Maybe Joseph joins this discussion later with some new/additional information.
Best regards
Rolf
08-01-2013 05:33 AM
Thanks,
So it sounds like it's an issue with the age of our devices, and them not knowing about TCP Window Scaling.