Cisco 3725 not performing well with Comcast?

I recently moved to an area with faster internet access than I previously had. I am able to connect directly to the cable modem (Comcast) and download starting at 2.0mb/s, and it trickles down to about 1.4mb/s from my dedicated host. When I put my Cisco 3725 router in the mix, the performance is very poor. It may burst for a second or two but downloads at about 100kb/s, and I've repeated these results on a Vista box and an Apple notebook. Here's the config from my router.

Any tips on why I'm having such poor performance with my router would be greatly appreciated. I have tried disabling the built-in IDS, but that didn't seem to make a difference.

Internet -> F0/0 router F1/1.2 -> host 172.16.2.X

!
! Last configuration change at 00:20:30 EST Mon Oct 27 2008 by rsreese
! NVRAM config last updated at 00:22:28 EST Mon Oct 27 2008 by rsreese
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname 3725router
!
boot-start-marker
boot system flash:/c3725-adventerprisek9-mz.124-21.bin
boot-end-marker
!
logging buffered 8192 debugging
logging console informational
enable secret 5
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
clock timezone EST -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
network-clock-participate slot 1
network-clock-participate slot 2
no ip source-route
!
ip traffic-export profile IDS-SNORT
 interface FastEthernet0/0
 bidirectional
 mac-address 000c.2989.f93a
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.2.1
ip dhcp excluded-address 172.16.3.1
!
ip dhcp pool VLAN2clients
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
 option 66 ip 172.16.2.10
 option 150 ip 172.16.2.10
 dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip dhcp pool VLAN3clients
 network 172.16.3.0 255.255.255.0
 default-router 172.16.3.1
 dns-server 68.87.74.162 68.87.68.162 68.87.73.242
!
ip domain name neocipher.net
ip name-server 68.87.74.162
ip name-server 68.87.68.162
ip inspect udp idle-time 900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
vpdn enable
!
crypto pki trustpoint TP-self-signed-995375956
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-995375956
 revocation-check none
 rsakeypair TP-self-signed-995375956
!
crypto pki certificate chain TP-self-signed-995375956
 certificate self-signed 01

  quit
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  quit
username rsreese privilege 15 secret 5
!
ip ssh authentication-retries 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key address 10.0.0.2 no-xauth
crypto isakmp key address 74.245.61.45 no-xauth
!
crypto isakmp client configuration group VPN-Users
 key
 dns 68.87.74.162 68.87.68.162
 domain neocipher.net
 pool VPN_POOL
 acl 115
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
   match identity group VPN-Users
   client authentication list default
   isakmp authorization list default
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_PROFILE1
 set transform-set ESP-3DES-SHA
 set isakmp-profile IKE-PROFILE
!
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
 set peer 10.0.0.2
 set peer 74.245.61.45
 set transform-set ESP-3DES-SHA
 match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 no ip unreachables
 ip virtual-reassembly
!
interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:1F06:3B6::2/64
 ipv6 enable
 tunnel source 68.156.61.58
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0/0 hostname 3725router
 ip access-group 104 in
 no ip unreachables
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map CLIENTMAP
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.0.0.1 255.255.240.0
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip unreachables
 ip inspect SDM_LOW out
 ip virtual-reassembly
 clock rate 2000000
 crypto map CLIENTMAP
!
interface FastEthernet0/1
 no ip address
 no ip unreachables
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F07:3B6::/64 eui-64
 ipv6 enable
 crypto map CLIENTMAP
!
interface FastEthernet0/1.3
 description $FW_INSIDE$
 encapsulation dot1Q 3
 ip address 172.16.3.1 255.255.255.0
 ip access-group 102 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
!
interface Serial0/1
 no ip address
 no ip unreachables
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered Loopback0
 ip access-group 103 in
 no ip unreachables
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.10.0 255.255.255.0 10.0.0.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging trap debugging
logging origin-id hostname
logging 172.16.2.5
access-list 1 permit 172.16.2.0 0.0.0.255
access-list 1 permit 172.16.3.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny icmp any any echo log
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
snmp-server community public RO
ipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 7
 transport input ssh
line vty 5 903
 transport input ssh
!
ntp clock-period 17180660
ntp server 129.6.15.29 source FastEthernet0/0 prefer
!
end

Stephen Reese

I wouldn't expect the IDS/FW/NAT on this box to slow down things that much, this router can route a few times faster than what Comcast can deliver.

I don't expect any specific config items to be an issue, but more physical layer things.

Check your interface for duplex (i.e. show int faste ...). Is it consistent with what you think? Are any errors showing up in the collisions or late collisions fields?

I suspect you have a duplex mismatch with your cable box and the router, and these sort of things show up in that sort of error detection.

Doug McIntyre

Hmmmm, running vpn, firewall, ids, nat, serial interface, access lists, ipv6, dot1q subinterface routing....

I would suspect a cpu issue here. Try checking memory and cpu when you are experiencing the slowdown. Also, check your log for any anomalies that might be happening. My guess is that the vpn is probably taking up a good part of it, depending on the amount of traffic coming through. Might want to try turning that off for a test. vpn would be better in a box that was made for it (encryption done in hardware).

In short, you have a lot happening for this device. You should break off certain functions into other devices (vpn, serial interface, intervlan routing) which could help relieve some of the cpu. Or perhaps upgrade. I would still offload the vpn even if you do upgrade.

Also, I really have an aversion to having a main routing device on my network be the same router that is connected to the internet.

Just some food for thought.

Jim

Scooby

Simple.... Your FastEthernet interface is configured for full-duplex, and your cable modem is definitely set for auto/auto. This causes a duplex mismatch because auto-detection only works when both sides are set to auto. If you set duplex on one side, you must set duplex on the other. When one side is set to auto, and the other side is set to full-duplex (as is your case here), the full-duplex side (your router) sets its interface to full-duplex and turns off auto-detection. The auto side (your cable modem) is still set to auto-detection, and when the link comes up the full-duplex side (your router) does not reply to the auto-detection phase. The auto side (your cable modem) then assumes that the other side does not support auto-detection and falls back to half-duplex.

Remove the "full-duplex" command from the interface and all will be good.

Thrill5
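Doug's suggestion to read the interface counters and Thrill5's explanation of why a forced full-duplex port ends up facing a half-duplex peer can both be checked with a small script. The following is an added example written for this thread, not code from any poster or from Cisco. It parses constructed `show interfaces` output (trimmed to the lines that matter, and not taken from the poster's 3725) for the counters Doug mentions, applies the usual diagnostic rule (CRC/runt errors on the full-duplex side, collisions and late collisions on the half-duplex side), and models the duplex outcome Thrill5 describes. The assumption that an auto/auto link lands on full-duplex holds only when both ends support 100/full.

```python
"""Spot duplex-mismatch symptoms in Cisco IOS 'show interfaces' output."""
import re

# Constructed sample (trimmed): router forced to 100/full, modem fell back to
# half-duplex. The full-duplex side never sees collisions, only mangled frames.
SAMPLE_MISMATCH = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  5 minute input rate 812000 bits/sec, 95 packets/sec
     184233 packets input, 201456121 bytes
     Received 0 broadcasts, 2310 runts, 0 giants, 0 throttles
     4876 input errors, 2566 CRC, 0 frame, 0 overrun, 0 ignored
     92311 packets output, 6120443 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample (trimmed): auto/auto link that negotiated cleanly.
SAMPLE_CLEAN = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  5 minute input rate 15000000 bits/sec, 1300 packets/sec
     9812233 packets input, 13342118812 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     5123311 packets output, 412044312 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter names -> regex over the IOS counter lines ("late collision" has no s).
COUNTERS = {
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interfaces(text):
    """Extract name, duplex, speed and error counters from one interface block."""
    head = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    if not head:
        raise ValueError("not a 'show interfaces' block")
    stats = {"interface": head.group(1), "line_protocol": head.group(3)}
    dup = re.search(r"(Full|Half)-duplex, (\d+)Mb/s", text)
    stats["duplex"] = dup.group(1).lower() if dup else None
    stats["speed_mbps"] = int(dup.group(2)) if dup else None
    for name, pattern in COUNTERS.items():
        hit = re.search(pattern, text)
        stats[name] = int(hit.group(1)) if hit else 0
    return stats


def diagnose(stats):
    """Return a list of findings; an empty list means the link looks healthy."""
    findings = []
    if stats["duplex"] == "half":
        findings.append("half-duplex: peer is probably forced or negotiation failed")
        if stats["late_collisions"]:
            findings.append("late collisions on a half-duplex link: duplex mismatch, "
                            "peer is running full-duplex")
    elif stats["duplex"] == "full":
        if stats["crc"] or stats["runts"]:
            findings.append("CRC/runt errors on a full-duplex port: peer is likely "
                            "half-duplex (duplex mismatch)")
        if stats["collisions"] or stats["late_collisions"]:
            findings.append("collisions counted on a full-duplex port: inconsistent "
                            "counters, check cabling and the NIC")
    return findings


def negotiate(local, peer):
    """Model the outcome Thrill5 describes. Each side is 'auto', 'full' or 'half'.

    Assumption: both ends are 100/full capable, so auto/auto yields full/full.
    A lone auto side gets speed through parallel detection but cannot learn the
    peer's duplex and falls back to half; a forced side keeps its setting.
    """
    if local == "auto" and peer == "auto":
        return ("full", "full")
    return ("half" if local == "auto" else local,
            "half" if peer == "auto" else peer)


if __name__ == "__main__":
    for label, capture in (("mismatch", SAMPLE_MISMATCH), ("clean", SAMPLE_CLEAN)):
        print(label, diagnose(parse_show_interfaces(capture)) or ["no findings"])
    print("router full / modem auto ->", negotiate("full", "auto"))
```

Run it against the real output of `show interfaces FastEthernet0/0` (clear the counters first with `clear counters` so old errors do not mislead you) and compare with `negotiate("full", "auto")`, which is the configuration in the thread: the router keeps full-duplex while the modem drops to half, exactly the pairing that produces the CRC/runt pattern in the first sample.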

I experienced the same troubles enabling the ip inspect HTTP/https.

I removed the ip inspect namerule http and everything went OK

Elia Spadoni

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.