Cisco 861 Router - Slow Internet performance

Hi,

I have a new 861 router which I have connected to my home broadband cable modem. Got it all working okay and I have access to the Internet but it's not as fast as it is if I connect my laptop to the modem.

My Internet is 60mb (was 100 but I downgraded).

When I connect my laptop directly to the cable modem, I get 60mb download speed on speedtest.net

If I connect the router's WAN port back to the modem then I roughly get about 40mb, sometimes even 50.

I do not have any IOS firewall configured on the router, just basic ACLs to stop SSH and TELNET from public networks. If I do enable firewall then my Internet connection halves itself. I have read around that this is the case with IOS firewalls on these small routers so I've disabled the firewall but I still don't know why I cannot get full Internet speed.

Any ideas?

Regards,

Dmitry

Accepted Solutions

Leo Laohoo
Hall of Fame
My Internet is 60mb (was 100 but I downgraded).

Let me get this straight:

1.  You have a Cisco 860; and

2.  Your internet speed is 60 Mbps

If these are the case then you will NOT get more than 6-10 Mbps internet speed.  This is because the 860 is rated for 12.8 Mbps.  This value is also expressed in HALF duplex and NO encryption.

For 60 Mbps WAN link I'd be looking at a 1941 (minimum).

Peter Paluch
Cisco Employee

Hi Dima,

I am afraid that because these are low-end software routers, the incurred work related to routing your packets, perhaps NATting them and doing other (even if simple) operations on these routers may be what is causing the decreased throughput. I am therefore not sure if we can do anything about it. Still, it is worth a try.

Can I ask you for the complete output of the show running-config command? Of course, remove passwords and other sensitive information but otherwise leave all commands present. Perhaps we can find something we can tweak to obtain better performance.

Best regards,

Peter

Hi Peter,

Oh I see... so these routers aren't designed to work on fast broadband connections? The router that comes with my cable can just do all that fine but of course it isn't Cisco and cannot do VPN etc. I would have thought that a $500 router would cope fine! Haha

Here is my config, as you can see I have ip inspect in place but it isn't activated on any of the interfaces. Thanks

Current configuration : 5697 bytes
!
! Last configuration change at 01:32:11 PCTime Mon Jan 2 2006 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname home-virgin-r01
!
boot-start-marker
boot system flash:c860-universalk9-mz.152-3.T1.bin
boot-end-marker
!
!
logging buffered 50000
no logging monitor
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 0 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2487148037
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2487148037
 revocation-check none
 rsakeypair TP-self-signed-2487148037
!
!
crypto pki certificate chain TP-self-signed-2487148037
 certificate self-signed 01
  quit
no ip source-route
!
!
ip dhcp relay information trust-all
ip dhcp excluded-address 192.168.55.1 192.168.55.9
ip dhcp excluded-address 192.168.55.201 192.168.55.254
!
ip dhcp pool data
 import all
 network 192.168.55.0 255.255.255.0
 default-router 192.168.55.250
 domain-name home.local
 dns-server 194.168.4.100 194.168.8.100
!
!
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip domain name home.local
ip name-server 194.168.8.100
ip name-server 194.168.4.100
ip name-server 8.8.8.8
ip cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
license udi pid CISCO861-K9 sn
!
!
vtp mode transparent
username avecsys privilege 15 secret 4
username admin privilege 15 secret 4
!
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 1
!
!
vlan 100
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp hostname virgin-router-home
 ip access-group protect_in in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description **CONNECTION TO SWITCH***$FW_INSIDE$
 ip address 192.168.55.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp 2
!
ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended protect_in
 deny   tcp any any eq 3389
 deny   udp any any eq 3389
 deny   tcp any any eq ftp
 deny   tcp any any eq ftp-data
 deny   tcp any any eq www 443
 deny   tcp any any eq 5060
 deny   udp any any eq 5060
 deny   icmp any any
 permit ip any any
ip access-list extended ssh_access_in
 remark SSH Access
 remark CCP_ACL Category=1
 permit ip 192.168.55.0 0.0.0.255 any
 deny   ip any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.55.0 0.0.0.255
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class ssh_access_in in
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp server 0.uk.pool.ntp.org prefer source
!
end

Hi Dima,

Although Leo already gave his idea about the limits of the 800 platform series, I nevertheless have a couple of suggestions (but beware - no guarantees that any of these will help):

  1. Using the show ip route, verify that the default route is recognized through the next hop IP address and not just through the exit interface. Especially look for the line saying "Gateway of last resort is ...". If this is not the case and the default route is recognized only through the exit interface, I suggest replacing your current static default route pointing out the Fa4 interface using a default route pointing towards the proper gateway IP address.
  2. Verify using the show interface fa4 that the Fa4 interface operates in the same duplex mode as the broadband cable modem. Ideally, they should both use full duplex but in any case, the mode must be identical.
  3. Your protect_in ACL contains the line "deny ip any any". This is not recommended - among other things, it breaks the PMTU Discovery process. Remove that line from this ACL.
  4. Try using the ip tcp adjust-mss 1400 on your interface Vlan1. This will cause the router to affect TCP streams in a way that will cause smaller packets to be exchanged, possibly removing the need to fragment the packets somewhere upstream.
  5. Try removing the ip virtual-reassembly commands from all your interfaces.

Best regards,

Peter
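
The checklist in the reply above can be run as an offline review of a saved running-config; this is an added example, not part of the original thread and not Cisco tooling. The finding labels and the sample excerpt are constructed for illustration, and the ACL check assumes that a blanket ICMP or IP deny on an interface-bound ACL is what drops the ICMP messages PMTU Discovery depends on.

```python
import re

# Constructed excerpt, modelled on the configuration posted in this thread.
SAMPLE = """\
interface FastEthernet4
 ip access-group protect_in in
 ip virtual-reassembly in
interface Vlan1
 ip nat inside
 ip virtual-reassembly in
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp 2
ip access-list extended protect_in
 deny   tcp any any eq 3389
 deny   icmp any any
 permit ip any any
"""

def parse_sections(config):
    """Map each top-level line to its indented sub-commands (whitespace-normalised)."""
    sections, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():
            parent = line.strip()
            sections[parent] = []
        elif parent is not None:
            sections[parent].append(" ".join(line.split()))
    return sections

def audit(config):
    """Return review findings for the items in the reply's checklist."""
    sections, findings = parse_sections(config), []
    # ACL names bound to an interface; ACLs used only by access-class are skipped.
    bound = {s.split()[2] for p, subs in sections.items() if p.startswith("interface ")
             for s in subs if s.startswith("ip access-group ")}
    for parent, subs in sections.items():
        if re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z]", parent):
            findings.append("default-route-via-interface: " + parent)
        elif parent.startswith("interface "):
            if any(s.startswith("ip virtual-reassembly") for s in subs):
                findings.append("virtual-reassembly: " + parent)
            if "ip nat inside" in subs and not any(s.startswith("ip tcp adjust-mss") for s in subs):
                findings.append("no-adjust-mss: " + parent)
        elif parent.startswith("ip access-list extended ") and parent.split()[3] in bound:
            for i, s in enumerate(subs):
                blanket = s in ("deny icmp any any", "deny ip any any")
                if blanket and not any(e.startswith("permit icmp") for e in subs[:i]):
                    findings.append("pmtud-icmp-dropped: %s: %s" % (parent.split()[3], s))
    return findings
```

A default-route finding is only a prompt to confirm the next hop with show ip route, as the first checklist item describes.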

Thanks to all of you. Ended up taking the router out completely. I will just end up getting an ASA instead.

Thanks.

Dmitry