Slow Site-VPN Connection between Cisco 886 (integrated Modem) and Palo Alto Firewall

Jochen Reinecke
Level 1

Hello Community,

I have been working on an issue with slow network speed between a site router (Cisco 886) and a Palo Alto firewall for several days now. The site uses VDSL (in Germany) with about 50 Mbit/s downlink and 10 Mbit/s uplink. Here is the output from "show controllers vdsl 0":

Modem Status:            TC Sync (Showtime!)
DSL Config Mode:         AUTO
Trained Mode:   G.993.2 (VDSL2) Profile 17a

Firmware        Source          File Name
--------        ------          ----------
VDSL            user config     flash:VA_B_38V_d24m.bin
Modem FW  Version:      170321_1253-4.02L.03.B2pvC038v.d24m
Modem PHY Version:      B2pvC038v.d24m

Trellis:                 ON                       ON
Attainable Rate:        48486 kbits/s            15581 kbits/s
Actual Power:            14.5 dBm                 9.2 dBm

At our main site (the Palo Alto site) we have a synchronous 100 Mbit/s fiber connection. When I copy a file from a device at the main site to our branch, I only get about 355 KB/s = 2,8 Mbit/s.
So I started to try different TCP MSS and MTU settings. But whenever I tried to get more information about it, I found that there is no clear solution, just many considerations and opinions. Someone configures the TCP MSS on the dialer interface, someone else on the VLAN interface... Same problem with "ip virtual-reassembly in": do I need this command? I am confused. And if I need all of them, with which byte count? 1492 on the dialer, 1452 on the VLAN? Or do I have to subtract the IPsec overhead? If yes, how much?
Here is the current output of our site configuration:

Current configuration : 5157 bytes
!
Last configuration change at 09:26:20 cest Thu Aug 17 2017 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname ROUTER11
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.156-3.M0a.bin
boot-end-marker
!
aqm-register-fnf
!
no logging monitor
no aaa new-model
ethernet lmi ce
clock timezone UTC 1 0
clock summer-time cest recurring
!
!
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
controller VDSL 0
firmware filename flash:VA_B_38V_d24m.bin
lldp run
!
!
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC-Crypto esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto map VPN 1 ipsec-isakmp
 set transform-set IPSEC-Crypto
 set pfs group14
 match address VPN-Traffic
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
!
interface Ethernet0.7
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport access vlan 753
 switchport voice vlan 713
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 753
 switchport voice vlan 713
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 753
 switchport voice vlan 713
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 753
 switchport voice vlan 713
 no ip address
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 10.10.10.10 255.255.255.0
!
interface Vlan713
 ip address 10.221.213.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 no autostate
!
interface Vlan753
 ip address 10.221.253.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 no autostate
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group Firewall in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 ip tcp adjust-mss 1356
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname number@t-sys.de
 ppp chap password 7 password
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
 crypto map VPN
!
ip default-gateway 10.221.253.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip tftp source-interface Vlan753
ip nat inside source list NAT interface Dialer0 overload
ip ssh authentication-retries 5
ip ssh version 2
!
ip access-list extended Firewall
ip access-list extended NAT
ip access-list extended VPN-Traffic
 permit ip 10.221.253.0 0.0.0.255 any
 permit ip 10.221.213.0 0.0.0.255 any
!
end
I hope someone has a good idea or just a hint.
Best regards,
Jochen
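The post asks how much IPsec overhead to subtract when picking the MSS. The following is an added worked calculation, not code from the thread or from Cisco: it wraps a full-size TCP segment in tunnel-mode ESP using the page's transform set (esp-aes 256 with a 16-byte IV and block, esp-sha512-hmac assumed to carry the 32-byte truncated ICV of RFC 4868), pads to the AES block size, and finds the largest MSS that still fits the dialer's 1492-byte PPPoE MTU. The optional NAT-T UDP header and the no-TCP-options assumption are mine, not the page's.

```python
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # steady-state data segments carry no TCP options (assumption)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # only present when NAT-T (UDP/4500) is negotiated


@dataclass(frozen=True)
class Transform:
    name: str
    iv_len: int      # bytes of IV in the ESP payload
    block_len: int   # ESP payload + trailer is padded to a multiple of this
    icv_len: int     # bytes of integrity check value appended to the packet


# Constructed from the page's "esp-aes 256 esp-sha512-hmac" transform set in tunnel mode.
# AES-CBC: 16-byte IV and block. HMAC-SHA-512-256 ICV = 32 bytes (RFC 4868, assumed here).
AES256_SHA512 = Transform("esp-aes 256 esp-sha512-hmac", iv_len=16, block_len=16, icv_len=32)


def esp_overhead(t: Transform, inner_len: int, nat_t: bool = False) -> int:
    """Bytes added when an inner IPv4 packet of inner_len bytes is wrapped in tunnel-mode ESP."""
    pad = (-(inner_len + ESP_TRAILER)) % t.block_len       # align payload + trailer to the cipher block
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + t.iv_len
    return outer + pad + ESP_TRAILER + t.icv_len


def fits(t: Transform, mss: int, link_mtu: int = 1492, nat_t: bool = False) -> bool:
    """True if a full-size segment with this MSS survives ESP encapsulation without fragmentation."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_overhead(t, inner, nat_t) <= link_mtu


def max_mss(t: Transform, link_mtu: int = 1492, nat_t: bool = False) -> int:
    """Largest MSS for which fits() holds on this link (1492 = the page's PPPoE dialer MTU)."""
    mss = link_mtu - IPV4_HDR - TCP_HDR     # unencrypted upper bound, then walk down
    while not fits(t, mss, link_mtu, nat_t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mtu in (1492, 1500):
        print(f"link MTU {mtu}: max MSS {max_mss(AES256_SHA512, mtu)} "
              f"(with NAT-T: {max_mss(AES256_SHA512, mtu, nat_t=True)})")
    for candidate in (1356, 1300):          # the values discussed in the thread
        print(f"MSS {candidate} fits 1492-byte dialer MTU: {fits(AES256_SHA512, candidate)}")
```

Any MSS at or below the returned value avoids post-encryption fragmentation on the link the function was given; the calculation says nothing about the other tuning questions in the post.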

Hello Jochen,

for VPN, the tcp adjust-mss on the dialer interface looks OK; you could try lowering it to 1300.

That said, is the configuration you posted the full configuration? If it is, your NAT is not working, since you have no access list defined. Are you trying to use split tunneling, or is the Internet access behind the Palo Alto firewall?

Hello Georg,

thanks for your hint. I have lowered the tcp adjust-mss on the dialer interface, but the speed stays at a maximum of 355 KB/s. The Internet access is behind the tunnel, as you expected. The NAT rule and ACL were cleared for the posting.

Regards,

Jochen


Hello,

sorry for asking stupid questions, but I am not clear on your split tunnel NAT setup.

Your VPN access list allows everything:

ip access-list extended VPN-Traffic
permit ip 10.221.253.0 0.0.0.255 any
permit ip 10.221.213.0 0.0.0.255 any

Is that the full access list? If everything goes through the VPN, why do you need NAT?

I might be missing something...