Poor Performance on 837 when using IOS firewall?

I picked up an 837 secondhand this week with the intention of replacing a 678 and PIX 501. Things seemed to work well until I configured the firewall. Since then I have noticed that performance is terrible for my ADSL circuit (1.5mb downstream), particularly for HTTP traffic (~300kb), FTP to a lesser degree (~800kb). UDP bit torrent traffic seems to be unaffected.

Some digging around seems to indicate that the ip inspect configuration is to blame for the slowness, as removing it completely brings my throughput back to expected levels.

I have included my config and show version. Is there some configuration bit that I'm missing? Could the IOS version be buggy? Is the 837 platform just so underpowered that it cannot handle the ip inspection?

Thanks in advance!

Cisco837#show ver
Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T10, RELEASE SOFTWARE (fc4)
Technical Support:
(c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 04-Mar-06 09:06 by dchih

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

Cisco837 uptime is 5 minutes
System returned to ROM by power-on
System restarted at 12:10:40 CDT Sat May 16 2009
System image file is "flash:c837-k9o3sy6-mz.123-11.T10.bin"

Cisco C837 (MPC857DSL) processor (revision 0x400) with 44237K/4915K bytes of memory.
Processor board ID AMB08080SE6 (1373528579), with hardware revision 0000
CPU rev number 7
1 Ethernet interface
4 FastEthernet interfaces
1 ATM interface
128K bytes of NVRAM.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

Cisco837#show startup-config
Using 4172 out of 131072 bytes
!
! Last configuration change at 22:47:34 CDT Thu May 14 2009 by tom
! NVRAM config last updated at 22:47:44 CDT Thu May 14 2009 by tom
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco837
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXX
!
clock timezone CST -6
clock summer-time CDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
no aaa new-model
ip subnet-zero
!
!
ip dhcp excluded-address 10.0.0.1 10.0.0.99
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool dhcp_pool
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   domain-name blah.com
   dns-server 10.0.0.200 209.98.98.98 208.42.42.42
!
!
no ip domain lookup
ip domain name blah.com
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip ips po max-events 100
no ftp-server write-enable
!
!
username tom secret 5 XXX
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip inspect ethernetin in
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp chap hostname XXX
 ppp chap password 0 XXX
 ppp pap sent-username XXX password 0 XXX
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.200 22 interface Dialer0 2322
ip nat inside source static udp 10.0.0.200 1194 interface Dialer0 1194
ip nat inside source static tcp 10.0.0.200 31164 interface Dialer0 31164
!
access-list 1 remark "ACL defines the local LAN"
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark "ACL 101 controls connections inbound to interface Dialer0"
access-list 101 remark "Allow typical useful ICMP traffic"
access-list 101 permit icmp any host 1.2.3.4 unreachable
access-list 101 permit icmp any host 1.2.3.4 echo-reply
access-list 101 permit icmp any host 1.2.3.4 packet-too-big
access-list 101 permit icmp any host 1.2.3.4 time-exceeded
access-list 101 permit icmp any host 1.2.3.4 traceroute
access-list 101 permit icmp any host 1.2.3.4 administratively-prohibited
access-list 101 remark "tcp/2322 has static nat to tcp/22 on server"
access-list 101 permit tcp any host 1.2.3.4 eq 2322
access-list 101 remark "tcp/31164 is for bittorrent traffic, static nat to server"
access-list 101 permit tcp any host 1.2.3.4 eq 31164
access-list 101 remark "udp/1194 is for OpenVPN, static nat to server"
access-list 101 permit udp any host 1.2.3.4 eq 1194
access-list 101 deny ip any any
snmp-server group snmp-v3-users v3 auth access 1
snmp-server community HomeSNMPXXX RO
snmp-server contact Tom
!
!
control-plane
!
!
line con 0
 exec-timeout 3000 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 logging synchronous
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17180031
ntp peer 10.0.0.200
end
Reply to
tom

The 837 is the previous generation of the current 800 series routers and doesn't have the horsepower of the current generation (870/880 series), which could be your issue. FYI, a brand new 870 series router can be had for only a few hundred dollars.

Reply to
Thrill5

Hello. The 837 is NOT an issue. The problems you encountered were the same ones I met in the past.

I have two 837s working now with the IOS Firewall enabled.

These are the steps you should follow:

1) Upgrade the IOS to a newer one; 12.4 is better, and you have the memory to run that.
2) Disable protocol-specific inspection. HTTP outgoing seems buggy, since it limits HTTP downloads to 1 Mbit/s.
3) Just try to enable TCP and UDP inspection only; it will work flawlessly without any performance issue.

try and let me know.

Reply to
Elia
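What Elia's steps 2 and 3 look like against the config tom posted, written out as an added example by the editor (not something either poster provided). The rule name `lan_out`, the ordering of the steps and the comments are the editor's choices; the timeout values are the ones tom already had on his `tcp` and `udp` entries.

```text
! Added example, not from the thread. Reduces tom's "ethernetin" CBAC rule
! to the generic tcp/udp-only inspection Elia recommends. The rule name
! "lan_out" and the order of steps are the editor's choice.
!
! 1) Build the reduced rule first so Ethernet0 never goes uninspected.
!    Generic tcp/udp inspection still opens the return path through ACL 101
!    for every LAN-originated session; what goes away is the per-application
!    parsing (http, smtp, ftp, h323, ...) that the 837's MPC857 CPU was doing
!    on every packet of those sessions. Timeouts are tom's own values.
ip inspect name lan_out tcp timeout 3600
ip inspect name lan_out udp timeout 15
!
! 2) Swap the rule on the inside interface. CBAC allows only one inspection
!    rule per interface per direction, so remove the old one explicitly.
interface Ethernet0
 no ip inspect ethernetin in
 ip inspect lan_out in
!
! 3) Only now remove the old per-protocol rule as a whole.
no ip inspect name ethernetin
!
! Nothing else needs to change: the inbound static NAT ports (tcp/2322,
! tcp/31164, udp/1194) are permitted by ACL 101 statically, and the outbound
! NAT overload does not depend on inspection at all.
!
! Checks, from enable mode, before and after the change:
!   show ip inspect config        ! confirm only tcp and udp remain in the rule
!   show ip inspect sessions      ! LAN-originated sessions currently tracked
!   show processes cpu history    ! was the box actually CPU-bound during the
!                                 ! slow HTTP transfers, or not?
```

Two caveats a practitioner would want alongside this. First, dropping the `ftp` entry means CBAC no longer reads the FTP control channel, so it cannot pre-open the data connection for active-mode FTP; passive-mode FTP is unaffected because the client originates both connections and generic `tcp` inspection tracks them. Second, the `show processes cpu history` check is what actually separates the two hypotheses in tom's question: if CPU sits near 100% only while the per-protocol rule is applied, the cost is in the application-layer inspection and Elia's fix addresses it; if CPU is low while throughput is still poor, the limit is elsewhere and a newer IOS (Elia's step 1) is the more likely remedy.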

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.