Poor FTP performance with 837

I've found that using FTP to a server behind a Cisco 837 gives poor performance. The server is published using static NAT:

ip nat inside source static 192.168.168.14 123.123.123.82

with an ACL that includes:

no access-list 111
access-list 111 remark Incoming access from the Internet
...
access-list 111 permit tcp any host 123.123.123.82 eq 21
...
access-list 111 deny ip any any log

I've attached the full config below.

Using the WinXP command line FTP client to connect to the external address, 123.123.123.82, I only get 16-18KB/sec transfers on both uploads and downloads. But if I go through the LAN to LAN VPN and connect to the LAN address, 192.168.168.14, I get 75KB download and about 250KB upload, which matches the ADSLMax line speed of 3Mbps/800Kbps.

My guess is that the VPN bypasses the firewall, and it's the firewall that is responsible for the poor performance. Is there a way round this? I know the 837 is entry level by Cisco standards, but even a Draytek 2800 at half the price can do FTP at full speed. Incidentally, I've tested this at two of our remote offices and I get the slow FTP problem at both, so it's not just a duff router. Also, HTTP downloads from the same server through the same 837 run at the expected 75KB/sec, so the problem seems restricted to FTP, possibly because FTP requires secondary connections so it's more work for the firewall?

Anyhow, thanks for any help.

John Rennie


Reply to
John Rennie

Put one more line in your access-list

access-list 111 permit tcp any host 123.123.123.82 eq 20

It might help you.

~/Dev


Reply to
Dev

Thanks Dev.

Some minor and apparently unrelated changes and one reload later, the problem seems to have disappeared. Now I'll wait and see if it recurs, I suppose!

JR

Reply to
John Rennie

This is not necessary with

As the inspect system notices the port that FTP requests for its data transfer.

Or at least it should.

You can check what inspect thinks is happening with sh ip ins sess; you should see the FTP control and data sessions there.

I have seen a problem with the 837 not handling more than 1 packet as the first data transfer of a new TCP session. This prevented, for example, successful use of Hotmail: when you logged in to Hotmail a new session got opened and, say, 2k of data was sent. The second packet was dropped, I guess because the inspect system was still getting going.

Turning off fast switching or upgrading the software fixed it.

I would also make sure that I was not getting buffer failures.

sh buff

Reply to
Bod43
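As an added worked example (not a configuration from any post in this thread, and not the OP's attached config), here is how the pieces discussed above fit together on an 837 running the CBAC firewall: the static NAT and ACL as posted, which only admits the FTP control connection, with a CBAC inspect rule applied so the data connection is opened dynamically, plus Dev's explicit port 20 permit as the stateless fallback. The interface names (Ethernet0, Dialer1), the LAN gateway address and the inspect rule name FW are assumptions; the server addresses are the ones from the original post. The WinXP command-line ftp client only does active mode, so the server opens the data connection from its port 20 back towards the client; the client's segments on that connection arrive inbound at the dialer with destination port 20 and are dropped by a stateless ACL that permits only port 21, unless inspection (or Dev's extra line) lets them in.

```cisco
! Assumed: interface names, LAN gateway address, inspect rule name FW.
! From the thread: the NAT line and the ACL 111 entries.
!
! CBAC inspect rule. Generic tcp inspection of an outbound-initiated
! session (the server's port-20 data connection) creates a temporary
! opening in the inbound ACL for that session's return traffic; ftp
! inspection additionally reads PORT/PASV on a control session it sees.
ip inspect name FW ftp
ip inspect name FW tcp
ip inspect name FW udp
!
! Publish the internal FTP server (from the original post)
ip nat inside source static 192.168.168.14 123.123.123.82
!
interface Ethernet0
 description LAN side (assumed name and address)
 ip address 192.168.168.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description ADSL side (assumed name)
 ip nat outside
 ip access-group 111 in
 ip inspect FW out
!
! Inbound ACL. As posted, only 21/tcp to the server is permitted.
access-list 111 remark Incoming access from the Internet
access-list 111 permit tcp any host 123.123.123.82 eq 21
! Dev's addition: static permit for the active-mode data port. Without
! a working inspect opening, this is what lets the client's segments to
! the server's port-20 data connection back in. With inspection working
! it is redundant, and it leaves 20/tcp on the server permanently
! reachable from the Internet, so drop it once inspect is confirmed.
access-list 111 permit tcp any host 123.123.123.82 eq 20
access-list 111 deny ip any any log
!
! Checks, per Bod43's post:
!   show ip inspect sessions   - during a transfer both the control (21)
!                                and data (20) sessions should be listed
!   show ip access-lists 111   - hit counts; a rising count on the
!                                "deny ip any any log" entry while an
!                                FTP transfer crawls points at the ACL
!   show buffers               - look for failures and misses
!   show ip nat translations   - confirms the static mapping is in use
```

The inspect direction shown (out on Dialer1) is the usual 837 pattern and covers the active-mode case the OP is testing; whether the ftp-specific inspector also sees the client-initiated control session (which it would need for passive-mode data connections coming in on an ephemeral port) is exactly what `show ip inspect sessions` will tell you, so check that before relying on it for PASV clients.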

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.