3640 some sites slow....

Hi

I've got a 3640 that is running as a router on a stick with a 2924. The 3640 routes traffic for 5 VLANs.

My ISP is Verizon FIOS, 15Mb/2Mb, so my ISP's network link is fairly fast. In general everything works; however, some sites are just horribly slow, like eBay and a few PHP forum sites. At my work the sites are flying fast. I'm wondering if something on the 3640 is not optimal.

Please take a look at my config and point out any issues you may see.

The router has lots going on. IPNAT, QoS for Vonage, IPSEC tunnel...

HNet-3640#sh runn
Building configuration...

Current configuration : 15002 bytes
!
! Last configuration change at 19:36:33 edt Wed May 2 2007 by me
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
service linenumber
!
hostname HNet-3640
!
boot-start-marker
boot-end-marker
!
logging buffered 40960 notifications
no logging console
enable secret 5
!
aaa new-model
!
!
aaa authentication banner ^CCC
******************************************
**     Unauthorized access prohibited   **
**     Exit NOW if unauthorized,        **
**     these systems are monitored      **
******************************************
^C
aaa authentication fail-message ^CCC
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!   FAILED LOGINS ARE LOGGED AND RECORDED  !!!
!!!   ALERTS WILL BE GOING OFF SOON          !!!
!!!   NOW WOULD BE THE TIME TO DISCONNECT IF !!!
!!!   YOUR NEXT LOGIN ISNT GONNA BE SUCCESSFUL !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
^C
aaa authentication password-prompt "Enter Your Password : "
aaa authentication username-prompt "Enter Your Username : "
aaa authentication login VTYAccess group radius local-case
aaa authentication ppp default local
aaa authorization exec VTYAccess group radius if-authenticated
!
aaa session-id common
clock timezone est -5
clock summer-time edt recurring
no ip source-route
!
!
ip cef
no ip domain lookup
ip name-server 192.168.10.19
!
!
no ip bootp server
ip inspect audit-trail
ip inspect max-incomplete high 750
ip inspect max-incomplete low 750
ip inspect dns-timeout 7
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 ftp timeout 3600
ip inspect name CBAC2 rcmd timeout 3600
ip inspect name CBAC2 sqlnet timeout 3600
ip inspect name CBAC2 tftp timeout 30
ip inspect name CBAC2 http
ip inspect name CBAC2 udp
!
!
!
key chain dummy
 key 1
key chain crypto
 key 1
!
!
class-map match-all voice-traffic
 match ip rtp 10000 10000
!
!
policy-map voice-policy
 class voice-traffic
  priority 200
 class class-default
  fair-queue
policy-map shaper
 class class-default
  shape average 2000000 200000 0
  service-policy voice-policy
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key mykey address vpn.server.ip.address
!
!
crypto ipsec transform-set to-asi esp-aes 256 esp-sha-hmac
!
crypto map vpn-endpoint 10 ipsec-isakmp
 set peer vpn.server.ip.address
 set transform-set to-asi
 match address 191
!
!
!
!
interface FastEthernet0/0
 description Link to FIOS Internet
 mac-address 0050.5474.231f
 bandwidth 15000
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 description Link to Inside Network Homenet-2924 f0/2
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description Native VLAN
 encapsulation dot1Q 1 native
 no ip redirects
 no ip unreachables
!
interface FastEthernet0/1.4
 description VLAN for Wireless SSID:free-internet
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.254.0
 ip access-group free-internet in
 ip helper-address 192.168.10.21
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface FastEthernet0/1.10
 description VLAN for Wired Network
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface FastEthernet0/1.11
 description VLAN for Wireless SSID:zilla
 encapsulation dot1Q 11
 ip address 192.168.11.209 255.255.255.240
 ip helper-address 192.168.10.21
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface FastEthernet0/1.12
 description VLAN for Wireless SSID:chump
 encapsulation dot1Q 12
 ip address 192.168.11.193 255.255.255.240
 ip helper-address 192.168.10.21
 ip tcp adjust-mss 1452
!
interface FastEthernet0/1.13
 description VLAN for Wireless SSID:otherboxes
 encapsulation dot1Q 13
 ip address 192.168.11.177 255.255.255.240
 ip helper-address 192.168.10.21
 ip tcp adjust-mss 1452
!
interface FastEthernet0/1.98
 encapsulation dot1Q 98
 ip address 192.168.98.1 255.255.255.0
!
interface FastEthernet0/1.111
 encapsulation dot1Q 111
!
interface Ethernet1/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet3/0
 no ip address
 shutdown
 half-duplex
!
interface Serial3/0
 no ip address
 shutdown
!
interface Serial3/1
 no ip address
 shutdown
!
interface Virtual-Template1
 no ip address
 service-policy output shaper
!
interface Dialer1
 bandwidth 15000
 ip address negotiated
 ip access-group acl_out in
 ip accounting access-violations
 ip mtu 1492
 ip nat outside
 ip inspect CBAC2 in
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username fios-username password 0 fios-password
 crypto map vpn-endpoint
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
router bgp 12345
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.10.19 remote-as 64512
 neighbor 192.168.10.19 filter-list 56 in
 no auto-summary
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip as-path access-list 50 permit ^5650_[0-9]_[0-9]*$
ip as-path access-list 50 permit ^1_[0-9]_[0-9]*$
ip as-path access-list 50 permit ^1668_[0-9]_[0-9]*$
ip as-path access-list 55 permit ^5650_[0-9]+_[0-9]*$
ip as-path access-list 56 permit ^5650_[0-9]*$
ip nat translation timeout never
ip nat inside source static udp 192.168.10.24 21000 interface Dialer1 21000
ip nat inside source static tcp 192.168.10.24 21000 interface Dialer1 21000
ip nat inside source static tcp 192.168.10.35 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.10.24 6861 interface Dialer1 6861
ip nat inside source static tcp 192.168.11.212 6889 interface Dialer1 6889
ip nat inside source static tcp 192.168.11.212 6888 interface Dialer1 6888
ip nat inside source static tcp 192.168.11.212 6887 interface Dialer1 6887
ip nat inside source static tcp 192.168.11.212 6886 interface Dialer1 6886
ip nat inside source static tcp 192.168.11.212 6885 interface Dialer1 6885
ip nat inside source static tcp 192.168.11.212 6884 interface Dialer1 6884
ip nat inside source static tcp 192.168.11.212 6883 interface Dialer1 6883
ip nat inside source static tcp 192.168.11.212 6882 interface Dialer1 6882
ip nat inside source static tcp 192.168.11.212 6881 interface Dialer1 6881
ip nat inside source static tcp 192.168.10.21 6898 interface Dialer1 6898
ip nat inside source static tcp 192.168.10.21 6897 interface Dialer1 6897
ip nat inside source static tcp 192.168.10.21 6896 interface Dialer1 6896
ip nat inside source static tcp 192.168.10.21 6895 interface Dialer1 6895
ip nat inside source static tcp 192.168.10.21 6894 interface Dialer1 6894
ip nat inside source static tcp 192.168.10.21 6893 interface Dialer1 6893
ip nat inside source static tcp 192.168.10.21 6892 interface Dialer1 6892
ip nat inside source static tcp 192.168.10.21 6891 interface Dialer1 6891
ip nat inside source static tcp 192.168.10.21 5001 interface Dialer1 5001
ip nat inside source static tcp 192.168.10.30 99 interface Dialer1 99
ip nat inside source static tcp 192.168.10.35 2222 interface Dialer1 2222
ip nat inside source static tcp 192.168.10.35 8192 interface Dialer1 8192
ip nat inside source static tcp 192.168.10.35 8190 interface Dialer1 8190
ip nat inside source route-map nat-map interface Dialer1 overload
!
!
ip access-list extended acl_out
 deny   ip host 0.0.0.0 any
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 permit ip 172.25.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.0.15.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 192.168.8.0 0.0.7.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp any eq ftp-data any
 permit tcp any any eq 22
 permit tcp any any eq 2222
 permit tcp any any eq 4662
 permit tcp any any eq 4672
 permit tcp any any eq 4711
 permit tcp any any eq 5001
 permit udp any any eq 5001
 permit tcp any any eq 6891
 permit tcp any any eq 6892
 permit tcp any any eq 6893
 permit tcp any any eq 6894
 permit tcp any any eq 6895
 permit tcp any any eq 6896
 permit tcp any any eq 6897
 permit tcp any any eq 6898
 permit tcp any any eq 6881
 permit tcp any any eq 6882
 permit tcp any any eq 6883
 permit tcp any any eq 6884
 permit tcp any any eq 6885
 permit tcp any any eq 6886
 permit tcp any any eq 6887
 permit tcp any any eq 6888
 permit tcp any any eq 6889
 permit tcp any any eq 6861
 permit tcp any any eq 8190
 permit tcp any any eq 8192
 permit tcp any any eq 3389
 permit tcp any any eq 21000
 permit udp any any eq 21000
 permit udp host vpn.server.ip.address any eq isakmp
 permit udp host vpn.server.ip.address any eq isakmp
 permit udp host vpn.server.ip.address any eq isakmp
 permit udp host vpn.server.ip.address any eq non500-isakmp
 permit udp host vpn.server.ip.address any eq non500-isakmp
 permit udp host vpn.server.ip.address any eq non500-isakmp
 permit esp host vpn.server.ip.address any
 permit esp host vpn.server.ip.address any
 permit esp host vpn.server.ip.address any
 permit ip vpn.server.ip.address 0.0.0.3 any log
 permit tcp vpn.server.ip.address 0.0.3.255 any
 permit tcp any any established
 permit udp any eq domain any
 permit udp any any eq ntp
 permit udp any any eq bootpc
 permit udp any any log
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any host-unknown
 permit icmp any any time-exceeded
 deny   ip any any log
ip access-list extended crap
 permit ip 19.0.84.176 0.0.0.3 any
ip access-list extended free-internet
 permit tcp host 192.168.5.57 any log
 permit udp host 192.168.5.57 any log
 permit icmp host 192.168.5.57 any log
 permit tcp host 192.168.4.25 host 192.168.4.1 eq telnet
 permit udp any any eq bootps
 permit udp any any eq bootpc
 deny   udp 192.168.4.0 0.0.1.255 any eq snmp
 deny   udp any any eq snmp
 deny   ip 192.168.4.0 0.0.1.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.4.0 0.0.1.255 172.25.0.0 0.0.255.255
 deny   ip 192.168.4.0 0.0.1.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.4.0 0.0.1.255 192.168.8.0 0.0.7.255
 deny   ip 192.168.4.0 0.0.1.255 192.168.0.0 0.0.255.255
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.25.0.0 0.0.255.255 any
 deny   tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq telnet
 deny   tcp 192.168.4.0 0.0.1.255 host 192.168.4.1 eq 22
 permit udp 192.168.4.0 0.0.1.255 any eq domain
 permit tcp 192.168.4.0 0.0.1.255 any eq www
 permit tcp 192.168.4.0 0.0.1.255 any eq 8080
 permit udp 192.168.4.0 0.0.1.255 any eq ntp
 permit tcp 192.168.4.0 0.0.1.255 any eq ftp
 permit tcp 192.168.4.0 0.0.1.255 any eq smtp
 permit tcp 192.168.4.0 0.0.1.255 any eq domain
 permit tcp 192.168.4.0 0.0.1.255 any eq pop3
 permit tcp 192.168.4.0 0.0.1.255 any eq 443
 permit icmp 192.168.4.0 0.0.1.255 any echo
 permit icmp 192.168.4.0 0.0.1.255 any echo-reply
 permit icmp 192.168.4.0 0.0.1.255 any port-unreachable
 deny   tcp 192.168.4.0 0.0.1.255 any log
 deny   udp 192.168.4.0 0.0.1.255 any log
 deny   ip any any log
 deny   ospf any any log
logging trap debugging
logging source-interface FastEthernet0/1.1
logging 192.168.10.35
access-list 1 permit 192.168.8.0 0.0.7.255
access-list 11 permit 192.168.10.35
access-list 11 permit 192.168.10.19
access-list 11 permit 192.168.11.215
access-list 11 deny   any
access-list 21 permit 199.0.184.0 0.0.3.255
access-list 21 permit 192.168.10.0 0.0.0.255
access-list 21 permit 192.168.11.208 0.0.0.15
access-list 21 deny   any
access-list 111 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 permit ip 192.168.11.208 0.0.0.15 any
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
access-list 112 remark PLACE HOLDER
access-list 113 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 113 deny   ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
access-list 113 permit ip 192.168.4.0 0.0.1.255 any
access-list 113 permit ip 192.168.8.0 0.0.7.255 any
access-list 113 permit ip 192.168.0.0 0.0.255.255 any
access-list 113 deny   ip any any log
access-list 114 remark PLACE HOLDER
access-list 115 remark APPLIED TO ROUTE-MAP NAT-MAP
access-list 120 remark PLACE HOLDER
access-list 130 permit tcp any any range 6800 6900
access-list 131 permit tcp any range 6800 6900 any
access-list 177 permit icmp any any
access-list 177 permit tcp any any eq www
access-list 177 permit tcp any eq www any
access-list 178 permit icmp any any
access-list 178 permit tcp 192.168.11.0 0.0.0.255 any
access-list 178 permit tcp any 192.168.11.0 0.0.0.255
access-list 190 permit ip 192.168.10.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 permit ip 192.168.11.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 deny   ip 192.168.4.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 190 deny   ip any any
access-list 190 remark USED FOR VPN MAP
access-list 191 remark APPLIED TO CRYPTO-MAP
access-list 191 permit ip 192.168.8.0 0.0.7.255 172.25.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.1.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.2.0.0 0.0.255.255
access-list 191 permit ip 192.168.8.0 0.0.7.255 10.25.0.0 0.0.255.255
dialer-list 1 protocol ip permit
snmp-server community
snmp-server community
snmp-server contact
snmp-server chassis-id
snmp-server system-shutdown
snmp-server enable traps tty
!
route-map nat-map permit 10
 description ATTACHED TO `IP NAT INSIDE`
 match ip address 113
!
!
radius-server host 192.168.10.21 auth-port 1645 acct-port 1646
radius-server key removed
!
control-plane
!
!
!
!
alias exec ct conf t
alias exec wm copy running-config startup-config
alias exec tr trace
alias exec sr sho runn
alias exec ssa sh crypto isakmp sa
alias exec nda no debug all
alias exec si sho ip route
alias exec sbgp sh ip bgp
alias exec sibs sh ip bgp summ
alias exec cc1 clear crypto isakmp
alias exec cc2 clear crypto ipsec client ezvpn
alias exec cc3 clear crypto sa
alias exec ssad sh crypto isakmp sa detail
alias exec sntr sh ip nat tr
alias exec spi sh policy-map interface
!
line con 0
 exec-timeout 240 0
line aux 0
line vty 0 4
 access-class 21 in
 exec-timeout 480 0
 authorization exec VTYAccess
 login authentication VTYAccess
line vty 5 15
 access-class 21 in
 exec-timeout 480 0
 authorization exec VTYAccess
 login authentication VTYAccess
!
scheduler allocate 4000 1000
ntp clock-period 17179823
ntp server 81.187.242.38
!
end

HNet-3640#

Timo

A 3640 is quite anemic, and I doubt it has the horsepower to do all you need it to do. 3640s do NAT and VPN in software and never had high hardware routing numbers to begin with. Do a "show proc cpu", and if CPU utilization gets up above 50%, you should consider buying a new router, or splitting the load between two routers (one for routing between the VLANs and another for the Internet connection that's doing NAT and VPN). A 2821 should work great in this situation.

Scott

Thrill5

Hey

I should have mentioned the CPU doesn't really go above 25%. Sometimes when large downloads are occurring, MRTG shows 10, 11 Mbits coming down from the ISP and it spikes up to 80 - 90%. But the slow browsing probs occur all the time, even when the router is running at 20 - 21% util.

HNet-3640# sh proc cpu | inc CPU
CPU utilization for five seconds: 26%/22%; one minute: 23%; five minutes: 23%
HNet-3640#

I really don't think it's a horsepower issue. Forum sites are slow as heck, and I'll click on something like [link] and it comes up real quick, images and all.

I have a 2621 too, and when I swap it in place of the 3640 I get the same performance. Now I know that's a slower router, but the CPU was right in the 20 - 25% range just like on the 3640.

Thanks

Timo


Take out the inspect http. I used to have the same problem. The inspection engine in the IOS firewall requires that http packets be received in correct order for it to properly inspect them; it isn't set up to retain them for later re-sorting. If packets arrive out of order, they're dropped, and you wait for the web server to resend. Large sites with multiple physical connections can send you packets over several pathways, and they sometimes get out of order, causing really nasty slowdowns. (Trying to get large documents from cisco.com used to take forever.)

Mike Dorn
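The change Mike Dorn describes, written out as an added IOS terminal fragment (these are not commands from his reply): only the `http` application inspector is removed from the CBAC2 set, so port-80 sessions are still tracked and opened through acl_out by the generic `tcp` entry, just without application-layer parsing. The `show ip inspect` commands afterwards confirm the remaining rule set and let you watch session and drop counters while a previously slow site is reloaded from a LAN host.

```cisco
! Before, as posted: generic TCP inspection plus the HTTP application inspector
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 http
!
! After: drop only the HTTP line; the tcp entry in the same set keeps
! tracking port-80 sessions, so return traffic still gets through acl_out
conf t
 no ip inspect name CBAC2 http
 end
!
! Confirm what is left in the set, then watch sessions and counters while
! one of the slow sites is reloaded
show ip inspect config
show ip inspect sessions
show ip inspect statistics
```

Run `show ip inspect statistics` once before and once after loading the page; if the http inspector was the problem, the drop counters stop climbing and the page-load time on the slow sites changes while sites that were already fast stay the same.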

Ensure that you're not filtering ICMP inappropriately. Your MTU/MSS is 8 bytes less than the typical 1500/1460. If you're filtering PMTUD, you may run into oddities if fragmentation is required.
fugettaboutit
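The config review asked for in the first post and the ICMP/PMTUD and MTU/MSS points in the last reply can both be turned into mechanical checks. The script below is an added example for this thread, not the poster's own tooling or a Cisco tool. It reads a constructed excerpt of the posted config (the lines are copied from it; the real acl_out really does contain `permit udp any any log`) and reports three things: static NAT forwards that the inbound ACL on the dialer never permits, whether that ACL admits the ICMP "fragmentation needed" message that Path MTU Discovery depends on, and whether each LAN sub-interface's `ip tcp adjust-mss` equals the dialer's `ip mtu` minus 40 bytes. The parser only understands the `permit <proto> any any ...` entry shape used in acl_out; other shapes are treated as not matching.

```python
# Static checks over an IOS running-config excerpt. Added example for this
# thread, not the poster's tooling; see the lead-in for what it assumes.
import re
from collections import namedtuple
from types import SimpleNamespace

# Constructed excerpt of the config posted above, cut down to the lines the
# checks read: one LAN sub-interface, the dialer, three forwards, acl_out.
CONFIG = """\
interface FastEthernet0/1.10
 ip tcp adjust-mss 1452
interface Dialer1
 ip mtu 1492
 ip access-group acl_out in
ip nat inside source static udp 192.168.10.24 21000 interface Dialer1 21000
ip nat inside source static tcp 192.168.10.35 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.10.30 99 interface Dialer1 99
ip access-list extended acl_out
 permit tcp any any eq 3389
 permit tcp any any eq 21000
 permit tcp any any established
 permit udp any any log
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 deny   ip any any log
"""
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\S+) interface (\S+) (\S+)$")
Forward = namedtuple("Forward", "proto inside_ip inside_port interface outside_port")

def parse_config(text):
    """Top-level lines open a section (interface or named ACL); indented lines
    belong to it. Only the statements the checks need are kept."""
    cfg = SimpleNamespace(forwards=[], acls={}, inbound_acl={}, ip_mtu={}, adjust_mss={})
    section = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section, m = None, NAT_RE.match(line)
            if m:
                cfg.forwards.append(Forward(*m.groups()))
            elif line.startswith("ip access-list extended "):
                section = ("acl", line.split()[-1])
                cfg.acls[section[1]] = []
            elif line.startswith("interface "):
                section = ("intf", line.split()[1])
            continue
        if section is None:
            continue
        kind, name, tok = section[0], section[1], line.split()
        if kind == "acl":
            cfg.acls[name].append(tok)
        elif tok[:2] == ["ip", "mtu"]:
            cfg.ip_mtu[name] = int(tok[2])
        elif tok[:3] == ["ip", "tcp", "adjust-mss"]:
            cfg.adjust_mss[name] = int(tok[3])
        elif tok[:2] == ["ip", "access-group"] and tok[-1] == "in":
            cfg.inbound_acl[name] = tok[2]
    return cfg

def _admits(entry, proto, port):
    """Does a `permit <proto> any any ...` entry admit a NEW inbound session to
    `port`? `established` only admits replies, so it never counts."""
    if entry[0] != "permit" or "established" in entry:
        return False
    if entry[1] not in (proto, "ip") or entry[2:4] != ["any", "any"]:
        return False
    rest = [t for t in entry[4:] if t != "log"]
    return not rest or rest[:2] == ["eq", port]   # no qualifier means every port

def unpermitted_forwards(cfg):
    """Static NAT forwards that the inbound ACL on their outside interface never
    permits: the packet is translated and then dropped by the ACL."""
    out = []
    for f in cfg.forwards:
        acl = cfg.acls.get(cfg.inbound_acl.get(f.interface, ""))
        if acl is not None and not any(_admits(e, f.proto, f.outside_port) for e in acl):
            out.append(f)
    return out

def pmtud_icmp_allowed(cfg, acl_name):
    """True if the ACL admits ICMP type 3 code 4 (fragmentation needed), which
    PMTUD relies on: IOS keyword `packet-too-big`, the broader `unreachable`,
    or an unqualified `permit icmp any any`."""
    for e in cfg.acls.get(acl_name, []):
        if e[0] == "permit" and e[1] in ("icmp", "ip") and e[2:4] == ["any", "any"]:
            rest = [t for t in e[4:] if t != "log"]
            if not rest or rest[0] in ("packet-too-big", "unreachable"):
                return True
    return False

def mss_mismatches(cfg, wan="Dialer1"):
    """LAN interfaces whose adjust-mss is not WAN `ip mtu` minus 40 bytes
    (20 IP + 20 TCP header, no options)."""
    want = cfg.ip_mtu.get(wan, 1500) - 40
    return [(i, m, want) for i, m in cfg.adjust_mss.items() if m != want]

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for f in unpermitted_forwards(cfg):
        print(f"{f.proto}/{f.outside_port} -> {f.inside_ip}:{f.inside_port} has no permit")
    print("PMTUD ICMP admitted by acl_out:", pmtud_icmp_allowed(cfg, "acl_out"))
    print("MSS mismatches:", mss_mismatches(cfg))
```

On this excerpt the forward for tcp/99 to 192.168.10.30 is reported as having no permit (every other forwarded port has a matching `eq` line, and `permit udp any any log` admits all UDP), acl_out is reported as not admitting the fragmentation-needed message (it permits only echo, echo-reply, host-unknown and time-exceeded, and the CBAC2 set has no icmp entry that would open it dynamically), and the MSS check passes because 1492 - 40 = 1452. The same functions run unchanged over the full config by pasting it into CONFIG.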
