Poor Performance on 837 when using IOS firewall?

Discussion in 'Cisco' started by tom, May 16, 2009.

  1. tom

    tom Guest

    I picked up an 837 secondhand this week with the intention of
    replacing a 678 and PIX 501. Things seemed to work well until I
    configured the firewall. Since then I have noticed that performance is
    terrible for my ADSL circuit (1.5mb downstream), particularly for HTTP
    traffic (~300kb), FTP to a lesser degree (~800kb). UDP BitTorrent
    traffic seems to be unaffected.

    Some digging around seems to indicate that the ip inspect
    configuration is to blame for the slowness, as removing it completely
    brings my throughput back to expected levels.

    I have included my config and show version. Is there some
    configuration bit that I'm missing? Could the IOS version be buggy? Is
    the 837 platform just so underpowered that it cannot handle the ip
    inspection?

    Thanks in advance!

    Cisco837#show ver
    Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T10, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Sat 04-Mar-06 09:06 by dchih

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

    Cisco837 uptime is 5 minutes
    System returned to ROM by power-on
    System restarted at 12:10:40 CDT Sat May 16 2009
    System image file is "flash:c837-k9o3sy6-mz.123-11.T10.bin"


    Cisco C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of memory.
    Processor board ID AMB08080SE6 (1373528579), with hardware revision 0000
    CPU rev number 7
    1 Ethernet interface
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of NVRAM.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102

    Cisco837#show startup-config
    Using 4172 out of 131072 bytes
    !
    ! Last configuration change at 22:47:34 CDT Thu May 14 2009 by tom
    ! NVRAM config last updated at 22:47:44 CDT Thu May 14 2009 by tom
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Cisco837
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 XXX
    !
    clock timezone CST -6
    clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    no aaa new-model
    ip subnet-zero
    !
    !
    ip dhcp excluded-address 10.0.0.1 10.0.0.99
    ip dhcp excluded-address 10.0.0.200 10.0.0.254
    !
    ip dhcp pool dhcp_pool
    network 10.0.0.0 255.255.255.0
    default-router 10.0.0.1
    domain-name blah.com
    dns-server 10.0.0.200 209.98.98.98 208.42.42.42
    !
    !
    no ip domain lookup
    ip domain name blah.com
    ip inspect name ethernetin cuseeme timeout 3600
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 30
    ip inspect name ethernetin udp timeout 15
    ip inspect name ethernetin vdolive timeout 3600
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    username tom secret 5 XXX
    !
    !
    no crypto isakmp ccm
    !
    !
    !
    interface Ethernet0
    ip address 10.0.0.1 255.255.255.0
    ip nat inside
    ip inspect ethernetin in
    ip virtual-reassembly
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/32
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated
    ip access-group 101 in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    no cdp enable
    ppp chap hostname XXX
    ppp chap password 0 XXX
    ppp pap sent-username XXX password 0 XXX
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.0.0.200 22 interface Dialer0 2322
    ip nat inside source static udp 10.0.0.200 1194 interface Dialer0 1194
    ip nat inside source static tcp 10.0.0.200 31164 interface Dialer0 31164
    !
    access-list 1 remark "ACL defines the local LAN"
    access-list 1 permit 10.0.0.0 0.0.0.255
    access-list 101 remark "ACL 101 controls connections inbound to interface Dialer0"
    access-list 101 remark "Allow typical useful ICMP traffic"
    access-list 101 permit icmp any host 1.2.3.4 unreachable
    access-list 101 permit icmp any host 1.2.3.4 echo-reply
    access-list 101 permit icmp any host 1.2.3.4 packet-too-big
    access-list 101 permit icmp any host 1.2.3.4 time-exceeded
    access-list 101 permit icmp any host 1.2.3.4 traceroute
    access-list 101 permit icmp any host 1.2.3.4 administratively-prohibited
    access-list 101 remark "tcp/2322 has static nat to tcp/22 on server"
    access-list 101 permit tcp any host 1.2.3.4 eq 2322
    access-list 101 remark "tcp/31164 is for bittorrent traffic, static nat to server"
    access-list 101 permit tcp any host 1.2.3.4 eq 31164
    access-list 101 remark "udp/1194 is for OpenVPN, static nat to server"
    access-list 101 permit udp any host 1.2.3.4 eq 1194
    access-list 101 deny ip any any
    snmp-server group snmp-v3-users v3 auth access 1
    snmp-server community HomeSNMPXXX RO
    snmp-server contact Tom
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 3000 0
    logging synchronous
    no modem enable
    line aux 0
    line vty 0 4
    access-class 1 in
    exec-timeout 0 0
    logging synchronous
    login local
    transport input ssh
    !
    scheduler max-task-time 5000
    ntp clock-period 17180031
    ntp peer 10.0.0.200
    end
     
    tom, May 16, 2009
    #1

  2. tom

    Thrill5 Guest

    The 837 is the previous generation of the current 800 series routers and
    doesn't have the horsepower of the current generation (870/880 series), which
    could be your issue. FYI, a brand new 870 series router can be had for
    only a few hundred dollars.


    "tom" <> wrote in message
    news:...
    >I picked up an 837 secondhand this week with the intention of
    > replacing a 678 and PIX 501. Things seemed to work well until I
    > configured the firewall. Since then I have noticed that performance is
    > terrible for my ADSL circuit (1.5mb downstream), particularly for HTTP
    > traffic (~300kb), FTP to a lesser degree (~800kb). UDP bit torrent
    > traffic seems to be unaffected.
    >
    > Some digging around seems to indicate that the ip inspect
    > configuration is to blame for the slowness, as removing it completely
    > brings my throughput back to expected levels.
    >
    > I have included my config and show version. Is there some
    > configuration bit that I'm missing? Could the IOS version be buggy? Is
    > the 837 platform just so underpowered that it cannot handle the ip
    > inspection?
    >
    > Thanks in advance!
    >
    > Cisco837#show ver
    > Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)
    > T10, RELEASE SOFTWARE (fc4)
    > Technical Support: http://www.cisco.com/techsupport
    > Copyright (c) 1986-2006 by Cisco Systems, Inc.
    > Compiled Sat 04-Mar-06 09:06 by dchih
    >
    > ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    >
    > Cisco837 uptime is 5 minutes
    > System returned to ROM by power-on
    > System restarted at 12:10:40 CDT Sat May 16 2009
    > System image file is "flash:c837-k9o3sy6-mz.123-11.T10.bin"
    >
    >
    > Cisco C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K
    > bytes of memory.
    > Processor board ID AMB08080SE6 (1373528579), with hardware revision
    > 0000
    > CPU rev number 7
    > 1 Ethernet interface
    > 4 FastEthernet interfaces
    > 1 ATM interface
    > 128K bytes of NVRAM.
    > 12288K bytes of processor board System flash (Read/Write)
    > 2048K bytes of processor board Web flash (Read/Write)
    >
    > Configuration register is 0x2102
    >
    > Cisco837#show startup-config
    > Using 4172 out of 131072 bytes
    > !
    > ! Last configuration change at 22:47:34 CDT Thu May 14 2009 by tom
    > ! NVRAM config last updated at 22:47:44 CDT Thu May 14 2009 by tom
    > !
    > version 12.3
    > no service pad
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > no service password-encryption
    > !
    > hostname Cisco837
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > enable secret 5 XXX
    > !
    > clock timezone CST -6
    > clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    > no aaa new-model
    > ip subnet-zero
    > !
    > !
    > ip dhcp excluded-address 10.0.0.1 10.0.0.99
    > ip dhcp excluded-address 10.0.0.200 10.0.0.254
    > !
    > ip dhcp pool dhcp_pool
    > network 10.0.0.0 255.255.255.0
    > default-router 10.0.0.1
    > domain-name blah.com
    > dns-server 10.0.0.200 209.98.98.98 208.42.42.42
    > !
    > !
    > no ip domain lookup
    > ip domain name blah.com
    > ip inspect name ethernetin cuseeme timeout 3600
    > ip inspect name ethernetin ftp timeout 3600
    > ip inspect name ethernetin h323 timeout 3600
    > ip inspect name ethernetin http timeout 3600
    > ip inspect name ethernetin rcmd timeout 3600
    > ip inspect name ethernetin realaudio timeout 3600
    > ip inspect name ethernetin smtp timeout 3600
    > ip inspect name ethernetin sqlnet timeout 3600
    > ip inspect name ethernetin streamworks timeout 3600
    > ip inspect name ethernetin tcp timeout 3600
    > ip inspect name ethernetin tftp timeout 30
    > ip inspect name ethernetin udp timeout 15
    > ip inspect name ethernetin vdolive timeout 3600
    > ip ips po max-events 100
    > no ftp-server write-enable
    > !
    > !
    > username tom secret 5 XXX
    > !
    > !
    > no crypto isakmp ccm
    > !
    > !
    > !
    > interface Ethernet0
    > ip address 10.0.0.1 255.255.255.0
    > ip nat inside
    > ip inspect ethernetin in
    > ip virtual-reassembly
    > hold-queue 100 out
    > !
    > interface ATM0
    > no ip address
    > no atm ilmi-keepalive
    > dsl operating-mode auto
    > pvc 0/32
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > !
    > interface FastEthernet1
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet2
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet3
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet4
    > duplex auto
    > speed auto
    > !
    > interface Dialer0
    > ip address negotiated
    > ip access-group 101 in
    > ip nat outside
    > ip virtual-reassembly
    > encapsulation ppp
    > dialer pool 1
    > no cdp enable
    > ppp chap hostname XXX
    > ppp chap password 0 XXX
    > ppp pap sent-username XXX password 0 XXX
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > !
    > no ip http server
    > no ip http secure-server
    > !
    > ip nat inside source list 1 interface Dialer0 overload
    > ip nat inside source static tcp 10.0.0.200 22 interface Dialer0 2322
    > ip nat inside source static udp 10.0.0.200 1194 interface Dialer0 1194
    > ip nat inside source static tcp 10.0.0.200 31164 interface Dialer0
    > 31164
    > !
    > access-list 1 remark "ACL defines the local LAN"
    > access-list 1 permit 10.0.0.0 0.0.0.255
    > access-list 101 remark "ACL 101 controls connections inbound to
    > interface Dialer0"
    > access-list 101 remark "Allow typical useful ICMP traffic"
    > access-list 101 permit icmp any host 1.2.3.4 unreachable
    > access-list 101 permit icmp any host 1.2.3.4 echo-reply
    > access-list 101 permit icmp any host 1.2.3.4 packet-too-big
    > access-list 101 permit icmp any host 1.2.3.4 time-exceeded
    > access-list 101 permit icmp any host 1.2.3.4 traceroute
    > access-list 101 permit icmp any host 1.2.3.4 administratively-
    > prohibited
    > access-list 101 remark "tcp/2322 has static nat to tcp/22 on server"
    > access-list 101 permit tcp any host 1.2.3.4 eq 2322
    > access-list 101 remark "tcp/31164 is for bittorrent traffic, static
    > nat to server"
    > access-list 101 permit tcp any host 1.2.3.4 eq 31164
    > access-list 101 remark "udp/1194 is for OpenVPN, static nat to server"
    > access-list 101 permit udp any host 1.2.3.4 eq 1194
    > access-list 101 deny ip any any
    > snmp-server group snmp-v3-users v3 auth access 1
    > snmp-server community HomeSNMPXXX RO
    > snmp-server contact Tom
    > !
    > !
    > control-plane
    > !
    > !
    > line con 0
    > exec-timeout 3000 0
    > logging synchronous
    > no modem enable
    > line aux 0
    > line vty 0 4
    > access-class 1 in
    > exec-timeout 0 0
    > logging synchronous
    > login local
    > transport input ssh
    > !
    > scheduler max-task-time 5000
    > ntp clock-period 17180031
    > ntp peer 10.0.0.200
    > end
     
    Thrill5, May 16, 2009
    #2

  3. tom

    tom Guest

    Thanks for the response, Elia.

    I had investigated upgrading to 12.4, but I think I may be out of
    luck on upgrading the memory. I think that there were multiple
    versions of the 837 that shipped with different amounts of on-board
    memory. My 837 has a 16MB module in the expansion slot and reports
    48MB of DRAM. From what I've found poking around Google, 16MB is the
    largest module that will fit in the expansion slot, which makes me
    think that I've got some older revision of the 837 and 48MB is as high
    as I can go, effectively marooning me in 12.3T.

    If I'm wrong about my memory options, someone please let me know,
    because I would love to get this thing working. The bottom line is
    that I'm not willing to invest too much in getting this 837 running. I
    would like to consolidate to a single device, but my current solution
    is working well enough. Beyond a possible memory upgrade, I don't
    really think it is worth it.


    On May 19, 3:35 am, "Elia" <> wrote:
    > Hello
    > The 837 is NOT an issue.
    > The problems you encountered, were the same I met in the past:
    >
    > I have two 837 working now with the IOS Firewall enabled:
    >
    > These are the steps you should follow:
    >
    > 1) Upgrade the IOS to a newer one, 12.4 is better, you have the memory to
    > run that.
    > 2) Disable protocol specific inspection, http outgoing seems buggy since it
    > limits http downloads to 1mbit/sec.
    > 3) Just try to enable tcp and udp inspection only, it will work flawlessly
    > without any performance issue.
    >
    > try and let me know.
     
    tom, May 20, 2009
    #3
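    Steps 2 and 3 of Elia's advice, applied to tom's posted "ethernetin" inspection set, written out as an added example (this is not from the thread; the set name, interface binding and timeouts are tom's, the rest is standard CBAC syntax). Generic tcp/udp inspection still creates the dynamic return-path entries through the closing "deny ip any any" of ACL 101 on Dialer0, which is the only thing the application-layer inspectors were doing for ordinary outbound traffic.

```cisco
! Added example, not from the thread: trim tom's "ethernetin" set to
! generic session tracking only, as Elia's steps 2 and 3 describe.
configure terminal
!
! Step 2: remove the application-layer inspectors. Each one parses the
! payload of every matching session on the 837's CPU; Elia identified the
! http inspector as the one capping downloads.
no ip inspect name ethernetin cuseeme
no ip inspect name ethernetin ftp
no ip inspect name ethernetin h323
no ip inspect name ethernetin http
no ip inspect name ethernetin rcmd
no ip inspect name ethernetin realaudio
no ip inspect name ethernetin smtp
no ip inspect name ethernetin sqlnet
no ip inspect name ethernetin streamworks
no ip inspect name ethernetin tftp
no ip inspect name ethernetin vdolive
!
! Step 3: keep only generic TCP and UDP session inspection, with tom's
! original idle timeouts.
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin udp timeout 15
!
! The LAN-side binding is already in tom's config; repeated here so the
! block is complete on a freshly configured box.
interface Ethernet0
 ip inspect ethernetin in
 exit
end
!
! Checks: the set should now list only tcp and udp, and outbound flows
! should show up as sessions while a download is running.
show ip inspect config
show ip inspect sessions
write memory
```

    One consequence of dropping the ftp inspector: only passive-mode FTP (client opens the data channel) gets its data connection tracked automatically; active mode, where the server connects back to the client, needs the ftp inspector or an explicit ACL 101 entry.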
  4. tom

    Doug McIntyre

    tom <> writes:
    > Thanks for the response, Elia.
    >
    > I had investigated upgrading to 12.4, but I think I may be out of
    > luck on upgrading the memory. I think that there were multiple
    > versions of the 837 that shipped with different amounts of on-board
    > memory. My 837 has a 16MB module in the expansion slot and reports
    > 48MB of DRAM. From what I've found poking around Google, 16MB is the
    > largest module that will fit in the expansion slot, which makes me
    > think that I've got some older revision of the 837 and 48MB is as high
    > as I can go, effectively marooning me in 12.3T.
    >
    > If I'm wrong about my memory options, someone please let me know,
    > because I would love to get this thing working. The bottom line is
    > that I'm not willing to invest too much in getting this 837 running. I
    > would like to consolidate to a single device, but my current solution
    > is working well enough. Beyond a possible memory upgrade, I don't
    > really think it is worth it.

    I think there have been 3 hardware revs of the 837.

    The one I have has a max of 32M of DRAM on it.
    Then they went with the 48M max version that you have.
    The last version was at least a different part number, the cisco837-64
    took 64M of memory max on it.

    Since the slot only takes certain small-sized DIMMs, it all comes down
    to what is soldered onto the board, and reworking DRAM chips surface
    mounted to motherboards isn't likely worth the cost of another used 837,
    or even of buying an 857/877; it's not worth messing with it.
     
    Doug McIntyre, May 20, 2009
    #4