3640 some sites slow....

Discussion in 'Cisco' started by Timo, May 10, 2007.

  1. Timo

    Timo Guest

    Hi

    I've got a 3640 that is running as a router on a stick with a 2924.
    The 3640 routes traffic for 5 vlans.

    My ISP is Verizon FIOS, 15Mb\2Mb. So my ISP's network link is fairly
    fast. In general everything works, however some sites are just
    horribly slow.... like ebay & a few php forum sites ... At my
    work the sites are flying fast. I'm wondering if something on the
    3640 is not optimal....

    Please take a look at my config and point out any issues you may see.

    The router has lots going on. IPNAT, QoS for Vonage, IPSEC
    tunnel...

    HNet-3640#
    HNet-3640#sh runn
    Building configuration...

    Current configuration : 15002 bytes
    !
    ! Last configuration change at 19:36:33 edt Wed May 2 2007 by me
    !
    version 12.4
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    no service password-encryption
    service linenumber
    !
    hostname HNet-3640
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 40960 notifications
    no logging console
    enable secret 5
    !
    aaa new-model
    !
    !
    aaa authentication banner ^CCC

    ******************************************
    ** Unauthorized access prohibited **
    ** Exit NOW if unauthorized, **
    ** these systems are monitored **
    ******************************************

    ^C
    aaa authentication fail-message ^CCC

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!! FAILED LOGINS ARE LOGGED AND RECORDED !!!
    !!! ALERTS WILL BE GOING OFF SOON !!!
    !!! NOW WOULD BE THE TIME TO DISCONNECT IF !!!
    !!! YOUR NEXT LOGIN ISNT GONNA BE SUCCESSFUL !!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ^C
    aaa authentication password-prompt "Enter Your Password : "
    aaa authentication username-prompt "Enter Your Username : "
    aaa authentication login VTYAccess group radius local-case
    aaa authentication ppp default local
    aaa authorization exec VTYAccess group radius if-authenticated
    !
    aaa session-id common
    clock timezone est -5
    clock summer-time edt recurring
    no ip source-route
    !
    !
    ip cef
    no ip domain lookup
    ip name-server 192.168.10.19
    !
    !
    no ip bootp server
    ip inspect audit-trail
    ip inspect max-incomplete high 750
    ip inspect max-incomplete low 750
    ip inspect dns-timeout 7
    ip inspect name CBAC2 tcp timeout 3600
    ip inspect name CBAC2 ftp timeout 3600
    ip inspect name CBAC2 rcmd timeout 3600
    ip inspect name CBAC2 sqlnet timeout 3600
    ip inspect name CBAC2 tftp timeout 30
    ip inspect name CBAC2 http
    ip inspect name CBAC2 udp
    !
    !
    !
    key chain dummy
    key 1
    key chain crypto
    key 1
    !
    !
    class-map match-all voice-traffic
    match ip rtp 10000 10000
    !
    !
    policy-map voice-policy
    class voice-traffic
    priority 200
    class class-default
    fair-queue
    policy-map shaper
    class class-default
    shape average 2000000 200000 0
    service-policy voice-policy
    !
    !
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    crypto isakmp key mykey address vpn.server.ip.address
    !
    !
    crypto ipsec transform-set to-asi esp-aes 256 esp-sha-hmac
    !
    crypto map vpn-endpoint 10 ipsec-isakmp
    set peer vpn.server.ip.address
    set transform-set to-asi
    match address 191
    !
    !
    !
    !
    interface FastEthernet0/0
    description Link to FIOS Internet
    mac-address 0050.5474.231f
    bandwidth 15000
    no ip address
    speed 100
    full-duplex
    pppoe enable group global
    pppoe-client dial-pool-number 1
    !
    interface FastEthernet0/1
    description Link to Inside Network Homenet-2924 f0/2
    no ip address
    speed 100
    full-duplex
    !
    interface FastEthernet0/1.1
    description Native VLAN
    encapsulation dot1Q 1 native
    no ip redirects
    no ip unreachables
    !
    interface FastEthernet0/1.4
    description VLAN for Wireless SSID:free-internet
    encapsulation dot1Q 4
    ip address 192.168.4.1 255.255.254.0
    ip access-group free-internet in
    ip helper-address 192.168.10.21
    no ip redirects
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface FastEthernet0/1.10
    description VLAN for Wired Network
    encapsulation dot1Q 10
    ip address 192.168.10.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface FastEthernet0/1.11
    description VLAN for Wireless SSID:zilla
    encapsulation dot1Q 11
    ip address 192.168.11.209 255.255.255.240
    ip helper-address 192.168.10.21
    no ip redirects
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface FastEthernet0/1.12
    description VLAN for Wireless SSID:chump
    encapsulation dot1Q 12
    ip address 192.168.11.193 255.255.255.240
    ip helper-address 192.168.10.21
    ip tcp adjust-mss 1452
    !
    interface FastEthernet0/1.13
    description VLAN for Wireless SSID:otherboxes
    encapsulation dot1Q 13
    ip address 192.168.11.177 255.255.255.240
    ip helper-address 192.168.10.21
    ip tcp adjust-mss 1452
    !
    interface FastEthernet0/1.98
    encapsulation dot1Q 98
    ip address 192.168.98.1 255.255.255.0
    !
    interface FastEthernet0/1.111
    encapsulation dot1Q 111
    !
    interface Ethernet1/0
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet3/0
    no ip address
    shutdown
    half-duplex
    !
    interface Serial3/0
    no ip address
    shutdown
    !
    interface Serial3/1
    no ip address
    shutdown
    !
    interface Virtual-Template1
    no ip address
    service-policy output shaper
    !
    interface Dialer1
    bandwidth 15000
    ip address negotiated
    ip access-group acl_out in
    ip accounting access-violations
    ip mtu 1492
    ip nat outside
    ip inspect CBAC2 in
    ip virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username fios-username password 0 fios-password
    crypto map vpn-endpoint
    !
    interface Virtual-TokenRing1
    no ip address
    ring-speed 16
    !
    router bgp 12345
    no synchronization
    bgp log-neighbor-changes
    neighbor 192.168.10.19 remote-as 64512
    neighbor 192.168.10.19 filter-list 56 in
    no auto-summary
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    !
    ip as-path access-list 50 permit ^5650_[0-9]_[0-9]*$
    ip as-path access-list 50 permit ^1_[0-9]_[0-9]*$
    ip as-path access-list 50 permit ^1668_[0-9]_[0-9]*$
    ip as-path access-list 55 permit ^5650_[0-9]+_[0-9]*$
    ip as-path access-list 56 permit ^5650_[0-9]*$
    ip nat translation timeout never
    ip nat inside source static udp 192.168.10.24 21000 interface Dialer1 21000
    ip nat inside source static tcp 192.168.10.24 21000 interface Dialer1 21000
    ip nat inside source static tcp 192.168.10.35 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.10.24 6861 interface Dialer1 6861
    ip nat inside source static tcp 192.168.11.212 6889 interface Dialer1 6889
    ip nat inside source static tcp 192.168.11.212 6888 interface Dialer1 6888
    ip nat inside source static tcp 192.168.11.212 6887 interface Dialer1 6887
    ip nat inside source static tcp 192.168.11.212 6886 interface Dialer1 6886
    ip nat inside source static tcp 192.168.11.212 6885 interface Dialer1 6885
    ip nat inside source static tcp 192.168.11.212 6884 interface Dialer1 6884
    ip nat inside source static tcp 192.168.11.212 6883 interface Dialer1 6883
    ip nat inside source static tcp 192.168.11.212 6882 interface Dialer1 6882
    ip nat inside source static tcp 192.168.11.212 6881 interface Dialer1 6881
    ip nat inside source static tcp 192.168.10.21 6898 interface Dialer1 6898
    ip nat inside source static tcp 192.168.10.21 6897 interface Dialer1 6897
    ip nat inside source static tcp 192.168.10.21 6896 interface Dialer1 6896
    ip nat inside source static tcp 192.168.10.21 6895 interface Dialer1 6895
    ip nat inside source static tcp 192.168.10.21 6894 interface Dialer1 6894
    ip nat inside source static tcp 192.168.10.21 6893 interface Dialer1 6893
    ip nat inside source static tcp 192.168.10.21 6892 interface Dialer1 6892
    ip nat inside source static tcp 192.168.10.21 6891 interface Dialer1 6891
    ip nat inside source static tcp 192.168.10.21 5001 interface Dialer1 5001
    ip nat inside source static tcp 192.168.10.30 99 interface Dialer1 99
    ip nat inside source static tcp 192.168.10.35 2222 interface Dialer1 2222
    ip nat inside source static tcp 192.168.10.35 8192 interface Dialer1 8192
    ip nat inside source static tcp 192.168.10.35 8190 interface Dialer1 8190
    ip nat inside source route-map nat-map interface Dialer1 overload
    !
    !
    ip access-list extended acl_out
    deny ip host 0.0.0.0 any
    deny ip 0.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any log
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 169.254.0.0 0.0.255.255 any
    permit ip 172.25.0.0 0.0.255.255 any
    deny ip 172.16.0.0 0.0.15.255 any
    deny ip 192.0.2.0 0.0.0.255 any
    deny ip 192.168.8.0 0.0.7.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 240.0.0.0 7.255.255.255 any
    deny ip 248.0.0.0 7.255.255.255 any
    deny ip host 255.255.255.255 any
    permit tcp any eq ftp-data any
    permit tcp any any eq 22
    permit tcp any any eq 2222
    permit tcp any any eq 4662
    permit tcp any any eq 4672
    permit tcp any any eq 4711
    permit tcp any any eq 5001
    permit udp any any eq 5001
    permit tcp any any eq 6891
    permit tcp any any eq 6892
    permit tcp any any eq 6893
    permit tcp any any eq 6894
    permit tcp any any eq 6895
    permit tcp any any eq 6896
    permit tcp any any eq 6897
    permit tcp any any eq 6898
    permit tcp any any eq 6881
    permit tcp any any eq 6882
    permit tcp any any eq 6883
    permit tcp any any eq 6884
    permit tcp any any eq 6885
    permit tcp any any eq 6886
    permit tcp any any eq 6887
    permit tcp any any eq 6888
    permit tcp any any eq 6889
    permit tcp any any eq 6861
    permit tcp any any eq 8190
    permit tcp any any eq 8192
    permit tcp any any eq 3389
    permit tcp any any eq 21000
    permit udp any any eq 21000
    permit udp host vpn.server.ip.address any eq isakmp
    permit udp host vpn.server.ip.address any eq isakmp
    permit udp host vpn.server.ip.address any eq isakmp
    permit udp host vpn.server.ip.address any eq non500-isakmp
    permit udp host vpn.server.ip.address any eq non500-isakmp
    permit udp host vpn.server.ip.address any eq non500-isakmp
    permit esp host vpn.server.ip.address any
    permit esp host vpn.server.ip.address any
    permit esp host vpn.server.ip.address any
    permit ip vpn.server.ip.address 0.0.0.3 any log
    permit tcp vpn.server.ip.address 0.0.3.255 any
    permit tcp any any established
    permit udp any eq domain any
    permit udp any any eq ntp
    permit udp any any eq bootpc
    permit udp any any log
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any host-unknown
    permit icmp any any time-exceeded
    deny ip any any log
    ip access-list extended crap
    permit ip 19.0.84.176 0.0.0.3 any
    ip access-list extended free-internet
    permit tcp host 192.168.5.57 any log
    permit udp host 192.168.5.57 any log
    permit icmp host 192.168.5.57 any log
    permit tcp host 192.168.4.25 host 192.168.4.1 eq telnet
    permit udp any any eq bootps
    permit udp any any eq bootpc
    deny udp 192.168.4.0 0.0.1.255 any eq snmp
    deny udp any any eq snmp
    deny ip 192.168.4.0 0.0.1.255 10.0.0.0 0.255.255.255
    deny ip 192.168.4.0 0.0.1.255 172.25.0.0 0.0.255.255
    deny ip 192.168.4.0 0.0.1.255 172.16.0.0 0.15.255.255
    deny ip 192.168.4.0 0.0.1.255 192.168.8.0 0.0.7.255
    deny ip 192.168.4.0 0.0.1.255 192.168.0.0 0.0.255.255
    deny ip 169.254.0.0 0.0.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.25.0.0 0.0.255.255 any
    deny tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq telnet
    deny tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq 22
    permit udp 192.168.4.0 0.0.1.255 any eq domain
    permit tcp 192.168.4.0 0.0.1.255 any eq www
    permit tcp 192.168.4.0 0.0.1.255 any eq 8080
    permit udp 192.168.4.0 0.0.1.255 any eq ntp
    permit tcp 192.168.4.0 0.0.1.255 any eq ftp
    permit tcp 192.168.4.0 0.0.1.255 any eq smtp
    permit tcp 192.168.4.0 0.0.1.255 any eq domain
    permit tcp 192.168.4.0 0.0.1.255 any eq pop3
    permit tcp 192.168.4.0 0.0.1.255 any eq 443
    permit icmp 192.168.4.0 0.0.1.255 any echo
    permit icmp 192.168.4.0 0.0.1.255 any echo-reply
    permit icmp 192.168.4.0 0.0.1.255 any port-unreachable
    deny tcp 192.168.4.0 0.0.1.255 any log
    deny udp 192.168.4.0 0.0.1.255 any log
    deny ip any any log
    deny ospf any any log
    logging trap debugging
    logging source-interface FastEthernet0/1.1
    logging 192.168.10.35
    access-list 1 permit 192.168.8.0 0.0.7.255
    access-list 11 permit 192.168.10.35
    access-list 11 permit 192.168.10.19
    access-list 11 permit 192.168.11.215
    access-list 11 deny any
    access-list 21 permit 199.0.184.0 0.0.3.255
    access-list 21 permit 192.168.10.0 0.0.0.255
    access-list 21 permit 192.168.11.208 0.0.0.15
    access-list 21 deny any
    access-list 111 remark APPLIED TO ROUTE-MAP NAT-MAP
    access-list 111 permit ip 192.168.10.0 0.0.0.255 any
    access-list 111 permit ip 192.168.11.208 0.0.0.15 any
    access-list 111 permit ip 192.168.4.0 0.0.0.255 any
    access-list 112 remark PLACE HOLDER
    access-list 113 remark APPLIED TO ROUTE-MAP NAT-MAP
    access-list 113 deny ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
    access-list 113 permit ip 192.168.4.0 0.0.1.255 any
    access-list 113 permit ip 192.168.8.0 0.0.7.255 any
    access-list 113 permit ip 192.168.0.0 0.0.255.255 any
    access-list 113 deny ip any any log
    access-list 114 remark PLACE HOLDER
    access-list 115 remark APPLIED TO ROUTE-MAP NAT-MAP
    access-list 120 remark PLACE HOLDER
    access-list 130 permit tcp any any range 6800 6900
    access-list 131 permit tcp any range 6800 6900 any
    access-list 177 permit icmp any any
    access-list 177 permit tcp any any eq www
    access-list 177 permit tcp any eq www any
    access-list 178 permit icmp any any
    access-list 178 permit tcp 192.168.11.0 0.0.0.255 any
    access-list 178 permit tcp any 192.168.11.0 0.0.0.255
    access-list 190 permit ip 192.168.10.0 0.0.0.255 172.25.0.0 0.0.255.255
    access-list 190 permit ip 192.168.11.0 0.0.0.255 172.25.0.0 0.0.255.255
    access-list 190 deny ip 192.168.4.0 0.0.0.255 172.25.0.0 0.0.255.255
    access-list 190 deny ip any any
    access-list 190 remark USED FOR VPN MAP
    access-list 191 remark APPLIED TO CRYPTO-MAP
    access-list 191 permit ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
    access-list 191 permit ip 192.168.8.0 0.0.7.255 10.1.0.0 0.0.255.255
    access-list 191 permit ip 192.168.8.0 0.0.7.255 10.2.0.0 0.0.255.255
    access-list 191 permit ip 192.168.8.0 0.0.7.255 10.25.0.0 0.0.255.255
    dialer-list 1 protocol ip permit
    snmp-server community
    snmp-server community
    snmp-server contact
    snmp-server chassis-id
    snmp-server system-shutdown
    snmp-server enable traps tty
    !
    route-map nat-map permit 10
    description ATTACHED TO `IP NAT INSIDE`
    match ip address 113
    !
    !
    radius-server host 192.168.10.21 auth-port 1645 acct-port 1646
    radius-server key removed
    !
    control-plane
    !
    !
    !
    !
    alias exec ct conf t
    alias exec wm copy running-config startup-config
    alias exec tr trace
    alias exec sr sho runn
    alias exec ssa sh crypto isakmp sa
    alias exec nda no debug all
    alias exec si sho ip route
    alias exec sbgp sh ip bgp
    alias exec sibs sh ip bgp summ
    alias exec cc1 clear crypto isakmp
    alias exec cc2 clear crypto ipsec client ezvpn
    alias exec cc3 clear crypto sa
    alias exec ssad sh crypto isakmp sa detail
    alias exec sntr sh ip nat tr
    alias exec spi sh policy-map interface
    !
    line con 0
    exec-timeout 240 0
    line aux 0
    line vty 0 4
    access-class 21 in
    exec-timeout 480 0
    authorization exec VTYAccess
    login authentication VTYAccess
    line vty 5 15
    access-class 21 in
    exec-timeout 480 0
    authorization exec VTYAccess
    login authentication VTYAccess
    !
    scheduler allocate 4000 1000
    ntp clock-period 17179823
    ntp server 81.187.242.38
    !
    end

    HNet-3640#
     
    Timo, May 10, 2007
    #1
  2. Timo

    Thrill5 Guest

    A 3640 is quite anemic, and I doubt it has the horsepower to do all you need
    it to do. 3640s do NAT and VPN in software and never had high hardware
    routing numbers to begin with. Do a "show proc cpu", and if CPU utilization
    gets up above 50%, you should consider buying a new router, or splitting the
    load between two routers (one for routing between the VLANs and another
    for the Internet connection that's doing NAT and VPN). A 2821 should work
    great in this situation.

    Scott

     
    Thrill5, May 11, 2007
    #2
  3. Timo

    Timo Guest

    Hey

    I should have mentioned the CPU doesn't really go above 25%.
    Sometimes when large downloads are occurring, MRTG shows 10, 11Mbits
    coming down from the ISP, it spikes up to 80 - 90%. But the slow
    browsing probs occur all the time, even when the router is running
    at 20 - 21% util.


    HNet-3640#
    HNet-3640# sh proc cpu | inc CPU
    CPU utilization for five seconds: 26%/22%; one minute: 23%; five minutes: 23%
    HNet-3640#

    I really don't think it's a horsepower issue. Forum sites are slow as
    heck and I'll click on something like http://news.google.com and it
    comes up real quick, images and all.

    I have a 2621 too and when I swap it in place of the 3640 I get the
    same performance. Now I know that's a slower router but the CPU was
    right in the 20 - 25% range just like on the 3640.

    Thanks

    Timo
     
    Timo, May 11, 2007
    #3
  4. Timo

    Mike Dorn Guest

    Take out the inspect http. I used to have the same problem. The inspection
    engine in the IOS firewall requires that http packets be received in correct
    order for it to properly inspect them--isn't set up to retain them for later
    resorting. If packets arrive out-of-order, they're dropped, and you wait for
    the web server to resend. Large sites with multiple physical connections can
    send you packets over several pathways, and they sometimes get out of order,
    causing really nasty slowdowns. (Trying to get large documents from cisco.com
    used to take forever.)
     
    Mike Dorn, May 11, 2007
    #4
  5. Ensure that you're not filtering ICMP inappropriately. Your MTU/MSS is
    8 bytes less than the typical 1500/1460. If you're filtering PMTUD, you
    may run into oddities if fragmentation is required.
     
    fugettaboutit, May 11, 2007
    #5
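As an added example (not from the thread, and not Cisco tooling), a small Python audit of the three things the last two replies point at, run against a constructed excerpt modelled on the posted config: whether the inspect rule set bound inbound on the WAN interface contains `http`, whether `ip tcp adjust-mss` equals `ip mtu` minus 40, and whether the inbound WAN ACL permits ICMP packet-too-big (type 3 code 4), which PMTUD depends on. Interface and ACL names (Dialer1, acl_out, CBAC2) are the thread's; the `block`, `grab` and `audit` helpers are my own.

```python
import re
# Constructed excerpt modelled on the thread's posted config (no indentation, as pasted).
SAMPLE_CONFIG = """\
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 http
!
interface FastEthernet0/1.4
ip access-group free-internet in
ip tcp adjust-mss 1452
!
interface Dialer1
ip access-group acl_out in
ip mtu 1492
ip inspect CBAC2 in
!
ip access-list extended acl_out
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
deny ip any any log
ip access-list extended free-internet
"""

def block(config, header, stop):
    """Lines that follow `header` until stop(line) is true."""
    out, inside = [], False
    for line in (l.strip() for l in config.splitlines()):
        if line == header:
            inside = True
        elif inside and stop(line):
            break
        elif inside:
            out.append(line)
    return out

def grab(pattern, lines):
    """Group 1 of the first line matching `pattern`, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None

def audit(config, outside="Dialer1"):
    """Check the three points the replies raise, on the outside interface."""
    every = [l.strip() for l in config.splitlines()]
    wan = block(config, f"interface {outside}", lambda l: l == "!")
    # 1. Mike Dorn: is an inspect rule set containing 'http' bound inbound on the WAN?
    rules = grab(r"ip inspect (\S+) in$", wan)
    report = {"http_inspect": rules is not None
              and f"ip inspect name {rules} http" in every}
    # 2. fugettaboutit: adjust-mss should equal ip mtu minus 40 (20 IP + 20 TCP)
    mtu = grab(r"ip mtu (\d+)", wan)
    mss = grab(r"ip tcp adjust-mss (\d+)", every)
    report["mss_consistent"] = None not in (mtu, mss) and int(mss) == int(mtu) - 40
    # 3. PMTUD relies on ICMP type 3 code 4; the inbound WAN ACL must permit it
    name = grab(r"ip access-group (\S+) in$", wan)
    acl = block(config, f"ip access-list extended {name}",
                lambda l: not l.startswith(("permit ", "deny ", "remark ")))
    report["pmtud_icmp_allowed"] = any(
        e.startswith("permit icmp") and e.endswith("packet-too-big") for e in acl)
    return report
```

On the excerpt the audit reports http inspection present, MSS consistent with the MTU, and no `permit icmp any any packet-too-big` on acl_out; paste the full running-config in place of the sample to check the real box.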