C1700 slow connection to some domains

999Dom999

I'm having an odd problem: when trying to browse certain websites the pages load incredibly slowly, and I also have problems with some email domains; it times out when trying to connect.

We have 8mb broadband from our ISP's router, then a 1700 with two Ethernet ports using NAT. There are quite a few port forwards to various services and using VPN.

I put a PC directly on the ISP's router, and browsing was lightning fast; it took less than a second to load orange.co.uk (this is one of the troublesome domains), but going through the Cisco it took well over a minute, and clicking any links took ages! I think this is also why certain email domains keep timing out.

So running through the Cisco is definitely much slower, but only to certain domains. This is what I can't understand; other sites through the Cisco are very quick.

Any ideas?


System image file is "flash:c1700-k9o3sy7-mz.122-11.T10.bin"

cisco 1720 (MPC860T) processor (revision 0x301) with 36864K/12288K bytes of memory.
Processor board ID JAD0409089Z (139905154), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
Basic Rate ISDN software, Version 1.1.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 ISDN Basic Rate interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

#sh int fa0
FastEthernet0 is up, line protocol is up
Hardware is PQUICC_FEC, address is 00b0.c288.9ede (bia 00b0.c288.9ede)
Internet address is 192.168.2.150/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 17:16:18
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 459000 bits/sec, 65 packets/sec
5 minute output rate 137000 bits/sec, 52 packets/sec
943415 packets input, 703280087 bytes
Received 82236 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
710820 packets output, 302001823 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out


#sh int e0
Ethernet0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is 0004.dd0b.d313 (bia 0004.dd0b.d313)
Internet address is [External IP]
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 7/255, rxload 2/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 10BaseT
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 17:17:58
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 100000 bits/sec, 29 packets/sec
5 minute output rate 313000 bits/sec, 33 packets/sec
650196 packets input, 298668752 bytes, 0 no buffer
Received 83493 broadcasts, 0 runts, 0 giants, 0 throttles
3 input errors, 0 CRC, 0 frame, 3 overrun, 0 ignored
0 input packets with dribble condition detected
711358 packets output, 679022980 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

#sh run
Building configuration...

Current configuration : 8606 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname

memory-size iomem 25
ip subnet-zero
!
!
!
ip inspect name eth_0 tcp
ip inspect name eth_0 cuseeme
ip inspect name eth_0 ftp
ip inspect name eth_0 h323
ip inspect name eth_0 rcmd
ip inspect name eth_0 realaudio
ip inspect name eth_0 streamworks
ip inspect name eth_0 vdolive
ip inspect name eth_0 sqlnet
ip inspect name eth_0 tftp
ip inspect name eth_0 udp
ip inspect name eth_0 http
ip inspect name eth_0 smtp
ip audit notify log
ip audit po max-events 100
vpdn enable
!
vpdn-group pptp
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
interface BRI0
no ip address
shutdown
!
interface Ethernet0
ip address .227 255.255.255.240 secondary
ip address .228 255.255.255.240 secondary
ip address .229 255.255.255.240 secondary
ip address .230 255.255.255.240 secondary
ip address .231 255.255.255.240 secondary
ip address .232 255.255.255.240 secondary
ip address .226 255.255.255.240
ip access-group 101 in
ip nat outside
full-duplex
!
interface FastEthernet0
ip address 192.168.2.150 255.255.255.0
ip access-group 102 in
ip nat inside
ip inspect eth_0 in
speed auto
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool pptp
ppp encrypt mppe auto
ppp authentication ms-chap
!
interface Dialer0
no ip address
!
ip local pool pptp 192.168.2.235 192.168.2.239
ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source static tcp 192.168.3.200 80 .231 80 extendable
ip nat inside source static tcp 192.168.2.200 80 .232 80 extendable
ip nat inside source static tcp 192.168.2.226 4080 .228 4080 extendable
ip nat inside source static tcp 192.168.2.226 4081 .228 4081 extendable
ip nat inside source static tcp 192.168.2.252 3390 .230 80 extendable
ip nat inside source static tcp 192.168.2.5 80 .226 80 extendable
ip nat inside source static tcp 192.168.2.250 3389 .229 80 extendable
ip nat inside source static tcp 192.168.2.5 1533 .226 1533 extendable
ip nat inside source static tcp 192.168.2.6 25 .226 25 extendable
ip nat inside source static tcp 192.168.2.7 21 .229 21 extendable
ip nat inside source static tcp 192.168.2.7 20 .229 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 .225
ip route 192.168.0.0 255.255.255.0 192.168.2.254
ip route 192.168.1.0 255.255.255.0 192.168.2.254
ip route 192.168.3.0 255.255.255.0 192.168.2.254
no ip http server
!
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark Traffic allowed to enter the router from Internet
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip host 218.18.155.153 any
access-list 101 deny ip host 61.144.183.120 any
access-list 101 deny ip host 220.117.231.148 any
access-list 101 deny ip host 61.91.104.77 any
access-list 101 deny ip host 220.117.227.1 any
access-list 101 deny ip host 212.115.7.240 any
access-list 101 deny ip 195.23.83.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit tcp host 161.165.202.24 any eq 4080 log
access-list 101 permit tcp host 161.165.202.25 any eq 4080 log
access-list 101 permit tcp host 161.165.202.26 any eq 4080 log
access-list 101 permit tcp host 161.165.202.27 any eq 4080 log
access-list 101 permit tcp host 161.165.202.24 any eq 4081 log
access-list 101 permit tcp host 161.165.202.25 any eq 4081 log
access-list 101 permit tcp host 161.165.202.26 any eq 4081 log
access-list 101 permit tcp host 161.165.202.27 any eq 4081 log
access-list 101 permit udp host 161.165.202.24 any eq 4080 log
access-list 101 permit udp host 161.165.202.25 any eq 4080 log
access-list 101 permit udp host 161.165.202.26 any eq 4080 log
access-list 101 permit udp host 161.165.202.27 any eq 4080 log
access-list 101 permit udp host 161.165.202.24 any eq 4081 log
access-list 101 permit udp host 161.165.202.25 any eq 4081 log
access-list 101 permit udp host 161.165.202.26 any eq 4081 log
access-list 101 permit udp host 161.165.202.27 any eq 4081 log
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq ftp-data
access-list 101 permit tcp any any eq 3101
access-list 101 permit tcp any any eq 3201
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3390
access-list 101 permit tcp any any eq 1494
access-list 101 permit tcp any any eq 4200
access-list 101 permit tcp any any eq 4100
access-list 101 permit tcp any any eq 1533
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 50102
access-list 101 permit udp any any range 8234 8239
access-list 101 permit tcp any any range 8234 8239
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the LAN
access-list 102 deny 139 any any
access-list 102 permit ip host 192.168.2.2 any
access-list 102 permit ip host 192.168.2.252 any
access-list 102 permit ip host 192.168.2.5 any
access-list 102 permit ip host 192.168.2.6 any
access-list 102 permit ip host 192.168.2.7 any
access-list 102 permit ip host 192.168.2.10 any
access-list 102 permit ip host 192.168.2.71 any
access-list 102 permit ip host 192.168.2.250 any
access-list 102 permit ip host 192.168.2.200 any
access-list 102 permit ip host 192.168.2.209 any
access-list 102 permit ip host 192.168.2.211 any
access-list 102 permit ip host 192.168.2.212 any
access-list 102 permit ip host 192.168.2.213 any
access-list 102 permit ip host 192.168.2.215 any
access-list 102 permit ip host 192.168.2.226 any
access-list 102 permit ip host 192.168.2.229 any
access-list 102 permit ip host 192.168.2.230 any
access-list 102 permit ip host 192.168.2.233 any
access-list 102 permit ip host 192.168.2.242 any
access-list 102 permit ip host 192.168.2.243 any
access-list 102 permit ip host 192.168.2.244 any
access-list 102 permit ip host 192.168.2.245 any
access-list 102 permit ip host 192.168.2.246 any
access-list 102 permit ip host 192.168.2.247 any
access-list 102 permit ip host 192.168.2.248 any
access-list 102 permit ip host 192.168.0.1 any
access-list 102 permit ip host 192.168.0.6 any
access-list 102 permit ip host 192.168.3.200 any
access-list 102 permit ip host 192.168.3.21 any
access-list 102 permit ip any host 80.253.98.66
access-list 102 permit ip any host 80.165.25.82
access-list 102 permit ip any host 81.144.222.10
access-list 102 permit ip any host 81.144.222.11
access-list 102 permit ip any host 81.144.222.12
access-list 102 permit ip any host 192.168.2.150
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 6129
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
!

 
It could be the router; you have a lot of stuff configured on the router that could slow down a small router like this. NAT and long ACLs all serve to slow things down because the router has to inspect every single packet that comes down with the ACL. Other than checking your attached links for errors such as speed/duplex problems, it could be just the router choking somewhat. What is the CPU running at, and what process is taking the most CPU resources? Make sure you have some sort of fast switching turned on, like CEF.
 
How do I turn on CEF?

CPU utilization for five seconds: 10%/3%; one minute: 8%; five minutes: 7%
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
1 Cwe 801A78B8 0 1 0 5800/6000 0 Chunk Manager
2 Csp 801CD6D4 3276 1018262 3 2620/3000 0 Load Meter
3 Mwe 80C3A7F8 8 61 131 5800/6000 0 CRYPTO IKMP IPC
4 Mwe 8039F6C8 536 42430 12 5788/6000 0 DHCPD Timer
5 Lwe 80D3175C 0 2 0 5520/6000 0 IpSecMibTopN
6 Lst 801B3280 4759512 686414 6933 5756/6000 0 Check heaps
7 Cwe 801A78B8 12 46 260 5588/6000 0 Chunk Manager
8 Cwe 801B9144 648 345 1878 5604/6000 0 Pool Manager
9 Mst 800FCF18 0 2 0 5576/6000 0 Timers
10 Mwe 80016DB0 0 2 0 5584/6000 0 Serial Backgroun
11 Lwe 8023E7E8 1344996 2278202 590 5244/6000 0 ARP Input
12 Mwe 8025D5B8 16 344 46 5580/6000 0 DDR Timers
13 Mwe 8027C410 0 2 011588/12000 0 Dialer event
14 Lwe 8064BF0C 8 2 4000 5608/6000 0 Entity MIB API
15 Mwe 8001B628 0 1 0 5792/6000 0 SERIAL A'detect
16 Msp 8013CE20 19128 5088831 3 5620/6000 0 GraphIt
17 Cwe 801BEC54 0 1 0 5804/6000 0 Critical Bkgnd
18 Mwe 801706C4 45732 612268 7410432/12000 0 Net Background
19 Lwe 800F0FBC 50344 2462632 2011464/12000 0 Logger
20 Mwe 801158EC 1083780 5088827 212 5128/6000 0 TTY Background
21 Msp 8016FCEC 112400 5089494 22 8648/9000 0 Per-Second Jobs
22 Hwe 8016FECC 457672 2447719 186 5784/6000 0 Net Input
23 Csp 80178814 7508 1018263 7 5600/6000 0 Compute load avg
24 Msp 8016FD18 2561004 86135 29732 4248/6000 0 Per-minute Jobs
25 Mwe 80528708 0 2 023604/24000 0 ISDN Timer
26 Hwe 8056AF14 0 1 0 5792/6000 0 ISDN From Driver
27 Mwe 800BA634 0 2 0 5596/6000 0 AAA Dictionary R
28 Mwe 8019BDE0 72 351 205 5584/6000 0 AAA Server
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
29 Mwe 8019DF3C 0 1 0 5792/6000 0 AAA ACCT Proc
30 Mwe 8019E00C 0 1 0 5780/6000 0 ACCT Periodic Pr
31 Mwe 80330FA8 53553768 34227266 1564 8628/12000 0 IP Input
32 Mwe 8035284C 0 1 0 5780/6000 0 ICMP event handl
33 Mwe 804080B4 4283556 651026 6579 5208/6000 0 CDP Protocol
34 Lwe 8070CEE0 0 1 0 5500/6000 0 X.25 Encaps Mana
35 Mwe 807E2B54 0 2 011596/12000 0 PASVC create VA
36 Mwe 807E3158 0 1 0 5816/6000 0 PPPATM Session d
37 Mwe 80D0A9CC 4 2 200011600/12000 0 KRB5 AAA
38 Hwe 8039689C 0 1 0 5788/6000 0 Socket Timers
39 Mwe 803AEC00 344472 91635 3759 8192/9000 0 IP Background
40 Hwe 803B45C8 1180 85198 13 8596/9000 0 IP RIB Update
41 Mst 80315B7C 44 3561 1211380/12000 0 TCP Timer
42 Lwe 8031AE60 24 12 200011280/12000 0 TCP Protocols
43 Lwe 803725FC 0 1 0 5808/6000 0 Probe Input
44 Mwe 8037385C 0 1 0 5808/6000 0 RARP Input
45 Mwe 80388934 0 1 0 5804/6000 0 HTTP Timer
46 Mwe 80309380 6504 8551 760 5424/6000 0 DHCPD Receive
47 Lsi 803FEA74 295824 84821 3487 5324/6000 0 IP Cache Ager
48 Hwe 807270A4 0 1 0 5788/6000 0 PAD InCall
49 Mwe 806DEB10 4 2 200011576/12000 0 X.25 Background
50 Mwe 8069E8E4 772 691 111711252/12000 0 PPP Hooks
51 Mwe 8069E8E4 468 684 68411124/12000 0 PPP IP Route
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
52 Mwe 8069E8E4 844 1365 61810932/12000 0 PPP IPCP
53 Mwe 806439B8 0 1 0 5764/6000 0 SNMP Timers
54 Mwe 808D8F44 1125796 5032841 223 4068/6000 0 Inspect Timer
55 Mwe 80904308 0 1 0 5804/6000 0 Authentication P
56 Mwe 8090995C 0 1 0 5800/6000 0 IDS Timer
57 Mwe 809DF3D4 0 1 023644/24000 0 COPS
58 Mwe 809EDCD8 0 2 0 5596/6000 0 Dialer Forwarder
59 Mwe 809EF158 0 1 0 5804/6000 0 PPP Forwarder
60 Mwe 80AEAE70 9708 85011 114 5580/6000 0 Adj Manager
61 Mwe 801A36B0 30440 351 86723 5272/6000 0 LOCAL AAA
62 Mwe 801A52F0 0 2 0 5604/6000 0 ENABLE AAA
63 Mwe 801A56C4 0 2 0 5600/6000 0 LINE AAA
64 Mwe 802B2584 0 2 0 5600/6000 0 TPLUS
65 Mwe 804D0E08 172 169728 1 5592/6000 0 CRM_CALL_UPDATE_
66 M* 0 712 213 3342 9932/12000 6 Virtual Exec
67 Mwe 80BC8DA4 4 2 2000 5596/6000 0 Crypto Support
68 Mwe 80BE626C 0 1 011792/12000 0 Crypto SS Proces
69 Lwe 80415E98 0 1 0 5788/6000 0 Router Autoconf
70 Mwe 80BD40AC 512396 5063359 10123468/24000 0 Crypto ACL
71 Mwe 80BC049C 0 1 011800/12000 0 Encrypt Proc
72 Mwe 80BC1974 0 4 0 7620/8000 0 Key Proc
73 Mwe 80C61720 0 3 0 7432/8000 0 Crypto CA
74 Mwe 80C9E640 0 1 0 7820/8000 0 Crypto SSL
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
75 Mwe 80C115BC 15032 339873 44 6748/12000 0 Crypto IKMP
76 Mwe 80C0786C 1844 792089 2 3340/6000 0 IPSEC key engine
77 Mwe 80C08350 0 1 0 5728/6000 0 IPSEC manual key
78 Mwe 800D5B24 0 2 0 5580/6000 0 AAA SEND STOP EV
79 Mwe 8043BB94 0 1 0 5788/6000 0 ISDNMIB Backgrou
80 Mwe 80445EBC 0 1 0 5788/6000 0 CallMIB Backgrou
81 Mwe 8060F744 0 1 0 5824/6000 0 Syslog Traps
82 Mwe 80793414 6624 84856 78 5584/6000 0 SAA Event Proces
83 Mwe 809FC0FC 0 1 011772/12000 0 VPDN call manage
84 Mwe 80A36334 0 1 011556/12000 0 L2X Socket proce
85 Mwe 80A04A70 11516 1017982 1111764/12000 0 L2F management d
86 Mwe 80A04B70 0 1 011812/12000 0 L2F data daemon
87 Mwe 80A1A580 0 1 011784/12000 0 L2TP data daemon
88 Mwe 80A1A294 0 1 011772/12000 0 L2TP mgmt daemon
89 Mwe 80A2C81C 0 1 0 5808/6000 0 PPPOE discovery
90 Mwe 80A2C8D0 0 1 0 5788/6000 0 PPPOE background
91 Mwe 80A30864 47552 83239 57110584/12000 0 PPTP Mgmt
92 Mwe 80A4B2C4 1128068 1192013 94611376/12000 0 PPTP Data
93 Mwe 80404768 4096 42648 9611300/12000 0 TCP Driver
94 Lwe 80319AD0 388 707 548 4976/6000 0 TCP Listener
95 Mwe 80756CA4 823800 7185281 114 5528/6000 0 IP NAT Ager
96 Mwe 8069E8E4 180916 159182161 110732/12000 0 PPP Events
97 Mwe 806610A4 287968 159018746 110744/12000 0 PPP manager
PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Process
98 Hwe 80694018 5676 5091090 1 5592/6000 0 Multilink PPP
99 Hwe 80689F10 0 2 0 5596/6000 0 Multilink PPP ou
100 Mwe 806940EC 0 2 0 5584/6000 0 Multilink event
101 Hwe 806A7EB4 2169048 4481274 484 5512/6000 0 CCP manager
102 Hwe 806A7D94 4 2 2000 5600/6000 0 CCP reset pak
103 Mwe 806C1750 68212 926 7366322420/24000 0 VTEMPLATE Backgr
104 Msi 803A9F2C 49724 1441942 34 4988/6000 0 DHCPD Database
 
OK, I see it's just IP CEF on the interface. Should I have this switched on on both interfaces, e0 and fa0?

As I say, the router is fine on 95% of all websites and emails, but it's just the odd few, and I know it's not a problem with the actual domains because bypassing the router works fine.
 
I agree that you have a lot on that router. I would recommend at least getting the 16mb flash upgrade and putting a newer IOS on it. The one you have is pretty old. If you do a lot of VPN, I would then consider upgrading to an 871, 871W (wireless incl.), or the 1801 (wireless incl.). These have onboard hardware VPN encryption, more memory, and a far better CPU.
 
Thanks Joamon, I will check out those routers
 
Turn this off

ip inspect name eth_0 http

That will fix it


BuckWeet
 
I removed the ip inspect name eth_0 http and it didn't make any difference.

It's weird cos only a few domains are causing problems: orange.co.uk, ba.com and a few others. They take ages to load, but only through the Cisco. Everything else runs pretty fast; it's 8mb broadband and I get full speed downloads.

There is a small pause on all sites before the page loads that you don't get when connected directly.

I can get an 871 for about £250; if this is a much better router then it may be worth a look.
 
Take a look at the CPU load. Do a show process cpu and a show process cpu history and see what your average CPU usage is. If the average is near or over 80% then it would be a good time to consider an upgrade.
 
Try turning off ip inspection totally and see what happens.
Just leave plain NAT enabled.
 
Joamon - last 60 sec 10%, last 60 min up to 20%, last 72 hours its highest was 60% but average was 10%.

Buckweet, will try it now.

Thanks!
 
I only have basic skills with IOS

I tried removing it off fa0 and then I couldn't browse

To remove inspecting, do I need to take it off the interface and remove all the ip inspects?

Or is there something else I need to do?

Thanks

 
I was playing around with this again. I found that if I removed ip inspect eth_0 in off fa0 and removed ip access-group 101 in off of e0, then it works fine: from taking 95 secs to load, the website is now 1 sec. The thing is, if I put the access-list back on then I can't browse at all. What other change do I need to make for this to work?
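Why browsing stops when `ip inspect eth_0 in` is off fa0 but `ip access-group 101 in` is back on e0, as an added example that is not part of the original thread: a first-match evaluator over a subset of the posted access-list 101 entries. The addresses 203.0.113.10 and 198.51.100.226 are constructed placeholders (the thread redacts the real outside addresses), and the helper names are hypothetical.

```python
import ipaddress

# Subset of access-list 101 from the posted config, kept in page order.
ACL_101 = """\
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any range 8234 8239
access-list 101 deny ip any any log
"""

PORT_NAMES = {"telnet": 23, "smtp": 25, "www": 80, "ftp": 21, "ftp-data": 20}


def take_addr(tok):
    """Consume one address spec (any | host A | A wildcard) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return (0, 0xFFFFFFFF)
    if first == "host":
        return (int(ipaddress.IPv4Address(tok.pop(0))), 0)
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0))))


def parse(text):
    """Turn extended ACL lines into (action, proto, src, dst, lo, hi, line) tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()[2:]            # drop "access-list 101"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        lo, hi = 0, 65535                 # no operator: any destination port
        if tok and tok[0] == "eq":
            lo = hi = PORT_NAMES.get(tok[1]) or int(tok[1])
        elif tok and tok[0] == "range":
            lo, hi = int(tok[1]), int(tok[2])
        rules.append((action, proto, src, dst, lo, hi, line))
    return rules


def addr_match(spec, ip):
    """Wildcard-mask comparison: bits set in the wildcard are ignored."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)


def evaluate(rules, proto, src, sport, dst, dport):
    """First match wins; these entries test only the destination port, never sport."""
    for action, rproto, rsrc, rdst, lo, hi, line in rules:
        if rproto not in ("ip", proto):
            continue
        if rproto != "ip" and not lo <= dport <= hi:
            continue
        if addr_match(rsrc, src) and addr_match(rdst, dst):
            return action, line
    return "deny", "implicit deny"
```

A web server's reply arrives on e0 with source port 80 and an ephemeral destination port, so `permit tcp any any eq www` does not match it and it falls through to `deny ip any any log`. With `ip inspect eth_0 in` applied on fa0, inspection adds temporary openings for that return traffic, which is why the ACL and the inspection rule have to be removed or restored together.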
 