Cisco 1812 Router and Verizon FIOS Service

Jun 4th, 2009

Hope someone can help!

We have Verizon FIOS 20/20Mbps service at our facility connected to a 1812 router.

We seem to be having a performce issue. Some websites display slowly. Can someone have a look and see what is wrong with my config?

ip tcp selective-ack

ip tcp window-size 1045440

ip tcp synwait-time 10

ip tcp path-mtu-discovery

no ip bootp server

ip domain name

ip name-server

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect alert-off

ip inspect one-minute high 1100

ip inspect one-minute low 950

interface FastEthernet0

description Internet$ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip address x.x.x.x

ip access-group 101 in

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip inspect DEFAULT100 in

ip inspect DEFAULT100 out

ip virtual-reassembly

ip route-cache flow

speed 100


crypto map SDM_CMAP_1

Verizon suggest that I run their optimizer on all 100 of my workstation/laptops. Is this really neccessary?

Really need help on this one, thanks!

sachinraja Thu, 06/04/2009 - 07:16

Hello Bob

Are all the internet sites having issues ? Did you do "speed tests" with arbitary servers on the internet to notice the performance (download and upload speeds) ? How many PC's are you trying to serve here ? There is nothing major with the config sent which could affect the performance.. not sure if optimizer is needed here..


salterinc Thu, 06/04/2009 - 07:23

Some more then others. I have used both and verison's speed test, both seem pretty good, but some web pages can sometimes take a minute to display, especially from one of our ASP's.

We have about 50 PC's here. Bandwidth usage is nominal around 500k on average.

sachinraja Thu, 06/04/2009 - 07:27


Did you try accessing these sites from home or from any other internet connection (comcast, etc) ? what sites are these ? http/https only, or some kinda java based applicaiton sites ? do a "show log" on the router and see if you get any deny messages locally or from the IPS ? lastly you can run a sniffer and see exactly what is happening on the network, to confirm on the issue !


salterinc Thu, 06/04/2009 - 07:48

All the websites I have problems with, I have tried from home, which I have a 3Mbps DSL line, and they work great. Here I have a 20/20Mbps FIOS and it seems slower than DSL at times.

As for the router log, I have granted the laptops that are having the most problems, entire access to internet, no blocks.

I just think it's some kind of packet loss, etc on the WAN side of the router.

salterinc Thu, 06/04/2009 - 07:41

Here you go. I have removed all sensitive information, let me know if I missed something I should remove from this site.


sachinraja Thu, 06/04/2009 - 08:10

Hello Bob

If it works from your home, it surely seems a local issue.. Is the traffic to the sites having issues going through the IPSEC tunnel to some other location for exit, or going locally on the circuit provisioned on your router ? Just to isolate the issue, can u try:

1) removing the IPS statements from the outbound interface (ip inspect commands), and see if it solves the issue ?

2) check acl 101 and see if it blocks any communication with the sites involved ? just try removing it to isolate the issue.

3) try to run a sniffer to see the exact nature of this issue !

4) can you give us a show interface output to see if there are any errors on the link ?

5) Is the issue only with certain PCs on your LAN, or on all PCs ?


salterinc Thu, 06/04/2009 - 08:21

If I remove the inspect statment from outside int will it disrupt network?

what is the command I should run on the interface to see output?

Sorry, but I'm not familiar with using a sniffer.

Yes, all PC's, workstations and laptops.

sachinraja Thu, 06/04/2009 - 09:57

I dont think it will disrupt the network.. In any case you can do it after hours, and run some testings.. You can login to the router and given a "show interface serx/x" to find status about the WAN interface.


salterinc Thu, 06/04/2009 - 10:06

I removed all inspections except for tcp and udp.

Here is the output...

rtr-win#show inter fast0

FastEthernet0 is up, line protocol is up

Hardware is PQ3_TSEC, address is 001a.2fe3.ff1e (bia 001a.2fe3.ff1e)

Description: Internet$ES_WAN$$FW_OUTSIDE$$ETH-WAN$

Internet address is x.x.x.x/24

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Full-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:00:01, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 451

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 759000 bits/sec, 95 packets/sec

5 minute output rate 297000 bits/sec, 72 packets/sec

9301173 packets input, 2058587644 bytes

Received 1484 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

8280686 packets output, 3747420086 bytes, 0 underruns

0 output errors, 0 collisions, 3 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

salterinc Thu, 06/04/2009 - 08:23

If I remove the inspect statment from outside int will it disrupt network?

what is the command I should run on the interface to see output?

Sorry, but I'm not familiar with using a sniffer.

Yes, all PC's, workstations and laptops.

salterinc Thu, 06/04/2009 - 10:10

Got to tell you, seems quicker already now that I have removed the inspections.

rtr-win#show inter fast0 stats


Switching path Pkts In Chars In Pkts Out Chars Out

Processor 611893 153518672 3681948 1410979892

Route cache 8708853 1920921216 4612785 2339656510

Total 9320746 2074439888 8294733 3750636402


rtr-win#show cpu per

PQ3 Performance Monitor Counters


PMGC0 =0x00000000

PMLCA0=0x00000000, PMLCB0=0x00000000, PMC0= 0x00001F16:78BE621B

PMLCA1=0x00000000, PMLCB1=0x00000000, PMC1= 0x00000000:00000000

PMLCA2=0x00000000, PMLCB2=0x00000000, PMC2= 0x00000000:00000000

PMLCA3=0x00000000, PMLCB3=0x00000000, PMC3= 0x00000000:00000000

PMLCA4=0x00000000, PMLCB4=0x00000000, PMC4= 0x00000000:00000000

PMLCA5=0x00000000, PMLCB5=0x00000000, PMC5= 0x00000000:00000000

PMLCA6=0x00000000, PMLCB6=0x00000000, PMC6= 0x00000000:00000000

PMLCA7=0x00000000, PMLCB7=0x00000000, PMC7= 0x00000000:00000000

PMLCA8=0x00000000, PMLCB8=0x00000000, PMC8= 0x00000000:00000000

E500 Performance Monitor Counters


PMGC0 =0x00000000

PMLCA0=0x00000000,PMLCB0=0x00000000, PMC0= 0x00000000:00000000

PMLCA1=0x00000000,PMLCB1=0x00000000, PMC1= 0x00000000:00000000

PMLCA2=0x00000000,PMLCB2=0x00000000, PMC2= 0x00000000:00000000

PMLCA3=0x00000000,PMLCB3=0x00000000, PMC3= 0x00000000:00000000



