Hello Community,
I have been working for several days now on an issue with slow network speed between a site router (Cisco 886) and a Palo Alto firewall. The site uses VDSL (in Germany) with about 50 Mbit/s downlink and 10 Mbit/s uplink. Here is the output from "show controllers vdsl 0":
Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a
Firmware Source File Name
-------- ------ ----------
VDSL user config flash:VA_B_38V_d24m.bin
Modem FW Version: 170321_1253-4.02L.03.B2pvC038v.d24m
Modem PHY Version: B2pvC038v.d24m
Trellis: ON ON
Attainable Rate: 48486 kbits/s 15581 kbits/s
Actual Power: 14.5 dBm 9.2 dBm
At our main site (the Palo Alto site) we have a synchronous 100 Mbit/s fiber connection. When I copy a file from a device at the main site to our branch I only get about 355 KB/s = 2,8 Mbit/s.
So I started to try different TCP MSS and MTU settings. But whenever I tried to get more information about it, I found that there is no clear solution, just many considerations and opinions. Someone configures the TCP MSS on the dialer interface, another one on the VLAN interface... Same problem with "ip virtual-reassembly in": do I need this command? I am confused. And if I need all of them, with which count of bytes? 1492 on dialer, 1452 on VLAN? Or do I have to subtract the IPsec overhead? If yes, how much?
Here is the current Output of our site configuration:
Current configuration : 5157 bytes
!
Last configuration change at 09:26:20 cest Thu Aug 17 2017 by admin
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname ROUTER11
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.156-3.M0a.bin
boot-end-marker
!
aqm-register-fnf
!
no logging monitor
no aaa new-model
ethernet lmi ce
clock timezone UTC 1 0
clock summer-time cest recurring
!
!
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
controller VDSL 0
firmware filename flash:VA_B_38V_d24m.bin
lldp run
!
!
!
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 14
lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC-Crypto esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto map VPN 1 ipsec-isakmp
set transform-set IPSEC-Crypto
set pfs group14
match address VPN-Traffic
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface Ethernet0
no ip address
!
interface Ethernet0.7
encapsulation dot1Q 7
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
switchport access vlan 753
switchport voice vlan 713
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 753
switchport voice vlan 713
no ip address
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 753
switchport voice vlan 713
no ip address
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 753
switchport voice vlan 713
no ip address
spanning-tree portfast
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.10.10.10 255.255.255.0
!
interface Vlan713
ip address 10.221.213.1 255.255.255.0
ip nat inside
no ip virtual-reassembly in
no autostate
!
interface Vlan753
ip address 10.221.253.1 255.255.255.0
ip nat inside
no ip virtual-reassembly in
no autostate
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group Firewall in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect Firewall out
ip virtual-reassembly in
ip tcp adjust-mss 1356
encapsulation ppp
no ip route-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname number@t-sys.de
ppp chap password 7 password
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
crypto map VPN
!
ip default-gateway 10.221.253.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip tftp source-interface Vlan753
ip nat inside source list NAT interface Dialer0 overload
ip ssh authentication-retries 5
ip ssh version 2
!
ip access-list extended Firewall
ip access-list extended NAT
ip access-list extended VPN-Traffic
permit ip 10.221.253.0 0.0.0.255 any
permit ip 10.221.213.0 0.0.0.255 any
!
end
I hope someone has a good idea or just a hint.
Best Regards,
Jochen
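The MSS question in the post (how much the PPPoE headers and the ESP tunnel take away from a 1500-byte Ethernet frame, and whether an adjust-mss value still fits) can be worked through arithmetically. The script below is an added example, not code from the post, from Cisco or from Palo Alto. It uses the generic sizes from RFC 2516 (PPPoE), RFC 4303 (ESP) and the HMAC truncations of RFC 2404 / RFC 4868; that IOS uses exactly those ICV lengths for its esp-sha*-hmac transform names, and that the tunnel carries IPv4 without options, are assumptions. The function names (pppoe_mtu, esp_tunnel_size, max_mss_over_esp, fits) are this example's own.

```python
"""Added example: TCP MSS budget for IPv4/TCP carried over PPPoE and then ESP tunnel mode.

Assumptions (not taken from the post):
  * IPv4 and TCP headers without options (TCP options reduce the data a sender
    puts in a segment, not the MSS it advertises, RFC 6691).
  * ESP tunnel mode with AES-CBC (16-byte IV, 16-byte blocks), matching an
    'esp-aes 256' transform.
  * ICV lengths per RFC 2404 / RFC 4868 truncation; assumed to match the IOS
    transform names used as dictionary keys below.
  * No NAT-T unless nat_t=True, which adds the UDP header of RFC 3948.
"""

ETHERNET_MTU = 1500
PPPOE_HEADER = 6        # PPPoE session-stage header (RFC 2516)
PPP_PROTOCOL = 2        # PPP protocol field in front of the IP packet
IPV4_HEADER = 20
TCP_HEADER = 20
UDP_HEADER = 8          # only present with NAT-T (RFC 3948)

ESP_HEADER = 8          # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2         # pad length (1) + next header (1)
AES_CBC_IV = 16
AES_BLOCK = 16
ICV_LEN = {             # assumption: truncated HMAC lengths per RFC 2404 / RFC 4868
    "esp-sha-hmac": 12,
    "esp-sha256-hmac": 16,
    "esp-sha384-hmac": 24,
    "esp-sha512-hmac": 32,
}


def pppoe_mtu(ethernet_mtu: int = ETHERNET_MTU) -> int:
    """MTU seen by IP on a PPPoE dialer: Ethernet payload minus PPPoE and PPP headers."""
    return ethernet_mtu - PPPOE_HEADER - PPP_PROTOCOL            # 1500 -> 1492


def plain_tcp_mss(link_mtu: int) -> int:
    """MSS for unencrypted traffic: link MTU minus fixed IPv4 and TCP headers."""
    return link_mtu - IPV4_HEADER - TCP_HEADER                   # 1492 -> 1452


def esp_tunnel_size(payload: int, auth: str = "esp-sha512-hmac", nat_t: bool = False) -> int:
    """Bytes from the outer IP header onwards for one inner IPv4/TCP segment with `payload` data bytes.

    Encrypted part: inner IP + TCP + payload + ESP trailer, padded up to the AES
    block size. Added in the clear: outer IP (+UDP with NAT-T), ESP header, IV, ICV.
    """
    plaintext = IPV4_HEADER + TCP_HEADER + payload + ESP_TRAILER
    padded = -(-plaintext // AES_BLOCK) * AES_BLOCK              # round up to a 16-byte multiple
    outer = IPV4_HEADER + (UDP_HEADER if nat_t else 0)
    return outer + ESP_HEADER + AES_CBC_IV + padded + ICV_LEN[auth]


def esp_overhead(payload: int, **kw) -> int:
    """Extra bytes ESP tunnel mode adds compared with sending the same segment in the clear."""
    return esp_tunnel_size(payload, **kw) - (IPV4_HEADER + TCP_HEADER + payload)


def max_mss_over_esp(link_mtu: int, auth: str = "esp-sha512-hmac", nat_t: bool = False) -> int:
    """Largest MSS whose ESP-encapsulated packet still fits the link MTU without fragmentation.

    Block padding makes the relation non-linear, so walk down from the cleartext
    MSS until the encrypted packet fits.
    """
    mss = plain_tcp_mss(link_mtu)
    while esp_tunnel_size(mss, auth, nat_t) > link_mtu:
        mss -= 1
    return mss


def fits(mss: int, link_mtu: int, **kw) -> bool:
    """Check a candidate adjust-mss value: does its encrypted packet fit the link MTU?"""
    return esp_tunnel_size(mss, **kw) <= link_mtu


if __name__ == "__main__":
    mtu = pppoe_mtu()
    print(f"PPPoE MTU                 : {mtu}")
    print(f"cleartext MSS             : {plain_tcp_mss(mtu)}")
    for auth in ICV_LEN:
        print(f"max MSS over ESP, {auth:16}: {max_mss_over_esp(mtu, auth)}")
    print(f"max MSS over ESP, NAT-T   : {max_mss_over_esp(mtu, nat_t=True)}")
    print(f"ESP overhead at that MSS  : {esp_overhead(max_mss_over_esp(mtu))} bytes")
```

`fits(value, pppoe_mtu())` answers the "which count of bytes" question for any value you intend to put into `ip tcp adjust-mss`: the command rewrites the MSS option in TCP SYN segments that cross the interface it is configured on, so the value only has to leave room for the headers the encrypted packet picks up on the way out. Because AES-CBC pads to 16-byte blocks, several neighbouring MSS values produce the same packet size, which is why the 8-byte NAT-T header does not always cost any MSS.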