
200Mbps ISP link good on Firewall but issues when using ISR4331 with 300Mbps license.

mseanmiller
Level 1

I could use some help from the community on this weird issue.

Please see the design attached.

Setup:

We have a 200Mbps connection through our internet provider. We have a Juniper switch at the core with a Cisco 4331 router ver 16.9.4, a Fortigate firewall and two computers connected. On the 4331 router we have upgraded to the 300Mbps performance license.

We also have an IPSLA that redirects 0.0.0.0 traffic to the Fortigate firewall. All other inside traffic is routed over our MPLS network.

 

Issue:

When any PC has its gateway set directly to the Fortigate Firewall we get close to the bandwidth purchased from the ISP.

However, when we set the PC gateway to the router we are getting throttled somewhere. We get about 100Mbps download and only 8Mbps upload.

 

I have checked the interfaces on the Router and on the switch and cannot find this elusive error. Any assistance would be great!

 

Config:

version 16.9
service timestamps debug uptime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
service unsupported-transceiver
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 300000
!
hostname YVR-MOSR-C4331-Rtr
!
boot-start-marker
boot system bootflash:/isr4300-universalk9.16.09.04.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 116384

no aaa new-model
clock timezone PST -8 0
clock summer-time PDT recurring
!
no ip domain lookup
ip domain name
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
flow record Netflow-In
match flow direction
match interface input
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface output
!
!
flow record Netflow-Out
match flow direction
match interface output
match ipv4 destination address
match ipv4 protocol
match ipv4 source address
match ipv4 tos
match transport destination-port
match transport source-port
collect counter bytes
collect counter packets
collect interface input
!
!
flow exporter Netflow-to-NetflowAnalyzer
destination nnn.nnn10.44
source GigabitEthernet0/0/0
transport udp 9996
!
!
flow monitor Netflow-Monitor-In
exporter Netflow-to-NetflowAnalyzer
cache timeout inactive 10
cache timeout active 60
record Netflow-In
!
!
flow monitor Netflow-Monitor-Out
exporter Netflow-to-NetflowAnalyzer
cache timeout inactive 10
cache timeout active 60
record Netflow-Out
!
!
!
!

!
license udi pid ISR4331/K9 sn nnnnn
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!

redundancy
mode none
!
!
!
track 1 ip sla 1 reachability
delay down 60 up 60
!
lldp run
!
!
!
!
!
interface Loopback0
description Mgmt address for YVR-MOCC-C4331-Rtr
ip address 172.16.98.19 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface GigabitEthernet0/0/0
description Connection_To_YVR-WAN-Rtr
ip flow monitor Netflow-Monitor-In input
ip flow monitor Netflow-Monitor-Out output
ip flow monitor Netflow-Monitor-In output
ip address 172.21.0.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
speed 1000
no negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
description LAN Connection to YVR-LAN
ip address 192.168.50.9 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
negotiation auto
spanning-tree portfast disable
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
router ospf 1
router-id 172.16.98.19
network 172.16.98.19 0.0.0.0 area 0
network 172.21.0.4 0.0.0.3 area 0
network 192.168.50.0 0.0.0.255 area 0
default-information originate
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http client source-interface GigabitEthernet0/0/1
ip tftp source-interface GigabitEthernet0/0/1
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 192.168.50.251 track 1
ip route 4.2.2.2 255.255.255.255 192.168.50.251
!
!
ip sla 1
icmp-echo 4.2.2.2 source-ip 192.168.50.9
threshold 500
frequency 20
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
logging trap notifications
logging host nnn.nnn1.216
!
!
snmp-server community nnnn RO
snmp-server location YVR
snmp-server contact Net
snmp-server chassis-id YVR-MOSR-C4331-Rtr
snmp-server enable traps snmp authentication coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps config
snmp-server enable traps fru-ctrl
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server enable traps flash insertion
snmp-server enable traps flash removal
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps bgp
snmp-server enable traps rf
snmp-server host nnn.nnn1.216 version 2c NNNN
snmp-server host nnn.nnn10.44 version 2c NNNN udp-port 161
!
!
control-plane
!
banner login ^CCCCC
################################################################################
## WARNING ##
################################################################################
Only authorized users are allowed to access this system. By logging in to this
this system you acknowledge and agree that such access and use may be
monitored. No one accessing or using the system can have any expectation
whatsoever of privacy with regard to accessing or using the system.
################################################################################
^C
!
line con 0
login local
transport input none
stopbits 1
line aux 0
stopbits 1
line vty 0 4
privilege level 15
login local
transport input ssh
transport output ssh
line vty 5 15
privilege level 15
login local
transport input none
!
ntp server nnn.nnn10.40 prefer
!
!
!
!
!
end

GigabitEthernet0/0/1 is up, line protocol is up
Hardware is ISR4331-3x1GE, address is 5ce1.76f1.cef1 (bia 5ce1.76f1.cef1)
Description: LAN Connection to LILCOYVR-LAN
Internet address is 192.168.50.9/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
Full Duplex, 1000Mbps, link type is auto, media type is RJ45
output flow-control is on, input flow-control is on
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:01, output hang never
Last clearing of "show interface" counters 02:10:32
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 597000 bits/sec, 260 packets/sec
5 minute output rate 327000 bits/sec, 222 packets/sec
2681650 packets input, 864944764 bytes, 0 no buffer
Received 33075 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 19292 multicast, 0 pause input
2395293 packets output, 561600101 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
8476 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

 
