
Slow internet access/ downloads from Cisco 1721 ADSL router


darren97

MIS
Joined
Nov 29, 2003
Messages
192
Location
GB
Hi

I wonder if you can help me. We contracted a 3rd party company to help with our branch to branch configuration. We have a 2Mb leased line going from branch A to branch B and we have 2Mb broadband at each branch connected to a Cisco 1721 broadband router. In the event of either broadband being unavailable at one of the branches we can access the internet from the other branch. Ever since the system went in we have been experiencing really slow downloads and slow internet browsing. The third party company say that they can't see anything wrong, but we have had a normal ADSL modem on the line and the speed of download / access is much faster. My Cisco knowledge is limited, but I have posted the config below for one of the branches and was hoping someone could glance over it and see if there appears to be anything wrong with the config.
Everything works fine, failover works, just very slow access to the internet from either location.
I really appreciate your help.


!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash:c1700-k9o3sy7-mz.123-8.T5.bin
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 xxxxxxxxxxx
enable password 7 xxxxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
!
ip domain lookup source-interface Dialer1
ip name-server (isp's DNS)
ip name-server (isp's DNS)
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive
ip ips po max-events 1
no ftp-server write-enable
!
!
!
!
!
track 1 interface ATM0 line-protocol
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key name address (WAN IP of other branch router)
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set name esp-3des esp-md5-hmac
!
crypto map name-vpn local-address Dialer1
crypto map name-vpn 10 ipsec-isakmp
set peer x.x.x.x
set transform-set name
match address traffic-to-encrypt
!
!
!
interface ATM0
description BT ADSL
bandwidth 288
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
description Local LAN
ip address 192.0.0.3 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
interface Serial0
description 2Meg to other site
ip address 172.16.0.5 255.255.255.252
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description INTERNET
bandwidth 2272
ip address (This routers WAN ip address) 255.255.255.240
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname username
ppp chap password password
crypto map name-vpn
!
router eigrp 100
redistribute static
network 172.16.0.0
network 192.0.0.0
default-metric 1000 10 255 1 1500
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 other branch router track 1
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.0.0.207 25 217.36.14.150 25 extendable
ip nat inside source static tcp 192.0.0.24 50 (WAN IP address of router) 50 extendable
ip nat inside source static tcp 192.0.0.24 51 (WAN IP address of router) 51 extendable
ip nat inside source static tcp 192.0.0.207 80 (WAN IP address of router) 80 extendable
ip nat inside source static tcp 192.0.0.207 143 (WAN IP address of router) 143 extendable
ip nat inside source static tcp 192.0.0.5 333 (WAN IP address of router) 333 extendable
ip nat inside source static tcp 192.0.0.207 443 (WAN IP address of router) 443 extendable
ip nat inside source static udp 192.0.0.24 500 (WAN IP address of router) 500 extendable
ip nat inside source static tcp 192.0.0.207 585 (WAN IP address of router) 585 extendable
ip nat inside source static tcp 192.0.0.207 993 (WAN IP address of router) 993 extendable
ip nat inside source static tcp 192.0.0.207 1723 (WAN IP address of router) 1723 extendable
ip nat inside source static udp 192.0.0.24 10001 (WAN IP address of router) 10001 extendable
!
!
!
ip access-list extended inbound-security
permit icmp any x.x.x.x 0.0.0.15 unreachable
permit icmp any x.x.x.x 0.0.0.15 echo-reply
permit icmp any x.x.x.x 0.0.0.15 packet-too-big
permit icmp any x.x.x.x 0.0.0.15 time-exceeded
permit icmp any x.x.x.x 0.0.0.15 traceroute
permit icmp any x.x.x.x 0.0.0.15 administratively-prohibited
permit icmp any x.x.x.x 0.0.0.15 echo
permit tcp any host (WAN IP address of router) eq 143
permit tcp any host (WAN IP address of router) eq 585
permit tcp any host (WAN IP address of router) eq 993
permit tcp any host (WAN IP address of router) eq smtp
permit tcp any host (WAN IP address of router) eq www
permit tcp host (external ip address) host (WAN IP address of router) eq 333
permit tcp host (external ip address) host (WAN IP address of router) eq 333
permit tcp host (external ip address) host (WAN IP address of router) eq 1723
permit tcp host (external ip address) host (WAN IP address of router) eq 1723
permit gre host (external ip address) host (WAN IP address of router)
permit gre host (external ip address) host (WAN IP address of router)
permit udp any host (external ip address) eq isakmp
permit esp any host (external ip address)
permit ahp any host (external ip address)
permit tcp host (external ip address) host (WAN IP address of router) eq 50
permit tcp host (external ip address) host (WAN IP address of router) eq 51
permit udp host (external ip address) host (WAN IP address of router) eq isakmp
permit udp host (external ip address) host (WAN IP address of router) eq 10001
permit udp host (external ip address) eq isakmp host (WAN IP address of router)
permit esp host (external ip address) host (WAN IP address of router)
ip access-list extended traffic-to-encrypt
permit ip 192.0.0.0 0.0.0.255 192.0.1.0 0.0.0.255
ip access-list extended traffic-to-internet
deny ip 192.0.0.0 0.0.0.255 192.0.1.0 0.0.0.255
permit ip 192.0.0.0 0.0.0.255 any
permit ip 192.0.1.0 0.0.0.255 any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address traffic-to-internet
!
!
control-plane
!
!
line con 0
password xxxxxxxxx
line aux 0
password xxxxxxxxx
line vty 0 4
password xxxxxxxxx
login
!
end

Regards, Darren
 
With this config and this static default address: ip route 0.0.0.0 0.0.0.0 other branch router track 1, won't all the traffic to the internet go to the other branch instead of the ADSL on the dialer interface?

Wouldn't you want something like the following:

ip route 192.0.1.0 255.255.255.0 serial0
ip route 192.0.1.0 255.255.255.0 dialer1 200
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx (next hop router from dialer interface)

This would send all traffic to the other branch over the serial link first and if it can't do that then default to the VPN over internet link. Also all internet traffic would then go out through the local internet connection.

I am a little rusty on EIGRP and it may already be doing this. Can you post the output from show ip route please.
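To make the routing question concrete, here is a small longest-prefix-match model (added for this thread, not the poster's or the vendor's code) that installs the two route sets side by side: the posted config's default route pointing at the other branch and tracked against ATM0's line protocol, and the floating-static alternative suggested above. Interface names, the IP 198.51.100.10 and the "Dialer1 follows ATM0" assumption are constructed for the example.

```python
import ipaddress

def rib(routes, if_up, tracks):
    """Routes the router would install: the exit interface must be up and, for a
    tracked static, the tracked object (here an interface line-protocol) must be up."""
    return [r for r in routes
            if if_up[r["iface"]] and (r.get("track") is None or if_up[tracks[r["track"]]])]

def lookup(installed, dst):
    """Longest-prefix match; among equal-length prefixes the lowest AD wins."""
    dst = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_network(r["prefix"]), r) for r in installed]
    cands = [(n, r) for n, r in cands if dst in n]
    if not cands:
        return None
    _net, best = max(cands, key=lambda nr: (nr[0].prefixlen, -nr[1]["ad"]))
    return best["iface"]

CONNECTED = [  # connected networks as shown in the posted config
    {"prefix": "192.0.0.0/24", "iface": "FastEthernet0", "ad": 0},
    {"prefix": "172.16.0.4/30", "iface": "Serial0", "ad": 0},
]
# Posted config, modelled literally: EIGRP route to the far LAN (AD 90) plus a
# default via the other branch (reached over Serial0) tracked on object 1.
ORIGINAL = CONNECTED + [
    {"prefix": "192.0.1.0/24", "iface": "Serial0", "ad": 90},
    {"prefix": "0.0.0.0/0", "iface": "Serial0", "ad": 1, "track": 1},
]
# Suggested alternative: far LAN via Serial0, floating static (AD 200) via
# Dialer1 for the VPN path, and a default via the local ISP on Dialer1.
SUGGESTED = CONNECTED + [
    {"prefix": "192.0.1.0/24", "iface": "Serial0", "ad": 1},
    {"prefix": "192.0.1.0/24", "iface": "Dialer1", "ad": 200},
    {"prefix": "0.0.0.0/0", "iface": "Dialer1", "ad": 1},
]
TRACKS = {1: "ATM0"}  # track 1 interface ATM0 line-protocol

def exit_interface(routes, dst, serial_up=True, atm_up=True):
    """Assumption: Dialer1 is up exactly when the ATM0 PVC is up."""
    state = {"FastEthernet0": True, "Serial0": serial_up, "ATM0": atm_up, "Dialer1": atm_up}
    return lookup(rib(routes, state, TRACKS), dst)

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name, "internet ->", exit_interface(table, "198.51.100.10"),
              "| far LAN ->", exit_interface(table, "192.0.1.20"),
              "| far LAN, serial down ->", exit_interface(table, "192.0.1.20", serial_up=False))
```

With the original table, Internet-bound traffic resolves to the serial link toward the other branch while ATM0 is up; with the suggested table it resolves locally to Dialer1, and far-LAN traffic falls back to the Dialer1 (VPN) route only when Serial0 is down.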
 
Also I see the following in this config:
ip access-list extended inbound-security
It does not appear to be applied anywhere.....is this correct?
 
Hi Joamon

I really appreciate you looking at this, here is the output.


Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is (WAN IP) to network 0.0.0.0

WAN IP/32 is subnetted, 1 subnets
C WAN IP is directly connected, Dialer1
172.16.0.0/30 is subnetted, 1 subnets
C 172.16.0.4 is directly connected, Serial0
WAN IP/28 is subnetted, 1 subnets
C WAN IP is directly connected, Dialer1
C 192.0.0.0/24 is directly connected, FastEthernet0
D 192.0.1.0/24 [90/2172416] via 172.16.0.6, 5d16h, Serial0
S* 0.0.0.0/0 [1/0] via 217.36.14.158
Router#

Regards, Darren
 
Hi Joamon

With reference to ip access-list extended inbound-security, it should be applied to inbound traffic, I was under the impression that this was handling the inbound NAT etc, how do I apply this to the Cisco's WAN interface?

Regards, Darren
 
It should be applied to the dialer interface as follows:


router#config terminal
router(config)#interface dialer1
router(config-if)#ip access-group inbound-security in
router(config-if)#Ctrl-Z
router#write

If it causes any problems simply remove it by putting a "no" in front of ip access-group inbound-security in. Recommend being on site when applying this as if there is an issue you may lose remote access to the router.
 
You may also want to check with your ISP and see if they recommend changing the MTU setting for the dialer interface to 1492 instead of the default 1500. I have heard that this is sometimes an issue with DSL.
 
Thanks for the suggestions, but just to confirm, in your opinion the routing looks fine? I can apply the access-list inbound security to dialer1 locally and will contact the ISP with reference to changing the MTU size.

Again, thanks for your help

Regards, Darren
 
On your dialer, since it's PPPoE, you should have

ip mtu 1492
ip tcp adjust-mss 1452

 
Your routing looks OK. You could do a series of traceroutes to different locations to verify that the traffic is using the best path first. Traffic to the other branch for example should cross on the serial and not the VPN unless the Serial was down. Internet traffic should go out locally and not cross the point to point to get to it.
 
Actually with this in the routing table I am not sure:
S* 0.0.0.0/0 [1/0] via 217.36.14.158
If the IP listed is the other branch router then default traffic will go out through the other router. Do the traces and see how the traffic flows.
 
Hi Joamon

The trace routes come back fine and I think we have resolved the problem. On dialer1 we have an ip inspect myfw out, which refers to:
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw sqlnet timeout 3600
ip inspect name myfw streamworks timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw vdolive

Once I removed the ip inspect myfw out command from dialer1 our internet speed increased to the expected speed.


Regards, Darren
 
Could be that it was slow as the inbound access-list was not applied to the interface when the firewall out was. They usually go together. You might try them both at the same time and monitor results.
 