I have an 1841 router that I use as a firewall and gateway for a small LAN of about 12 PCs.  The 1841 is connected with a 100MB full duplex Ethernet connection to a Samsung ISP router which has two bonded T1 for a 3MB channel to the Internet.

Testing connection speeds with various test sites I noticed that download speeds were quite close to the theoretical maximum of 3MB.  I get consistent results between 2.6 and 2.8MB down.  However upload speeds are quite different.  The max I have seen is 2.2MB and it usually averages somewhere between .8 and 1.2MB down.  I inquired with the ISP and they had me connect a laptop directly to their router with a public IP.  Speed test from there showed a very consistent 2.8MB up and down.

At this point they of course claim the problem is on my end and close the case, and I can't blame them because it does seem to exonerate them.

The 1841 does nothing else on this LAN.  No IPSec, no IDS or VoIP services nothing but Internet gateway.  As such the only services running on it are IP routing with CEF enabled and inspect/CBAC services.  Interfaces do not show any CRC or other errors.

I tried to turn off the inspect/CBAC, which is the only thing left to turn off, but when I do, web browsing doesn't work.

What can be causing this?  How can I troubleshoot?


Paolo Bevilacqua Fri, 02/12/2010 - 11:07

I would upgrade to some 15.0M, remove all inspect, remove virtual-reassembly. Also you don't really need ACL, since you are using NAT.

If nothing helps, set speed to WAN device to 10 mbps.

DIEGO ALONSO Fri, 02/12/2010 - 11:51

What exactly do you mean upgrade to 15.0M? Also, if I get rid of the inspect browsing doesn't work.  How can I get browsing to work correctly without inspect commands?



Paolo Bevilacqua Fri, 02/12/2010 - 11:52

That is IOS 15.0 M.

Make sure you zap each and any ip inspect statement. Most routers in the world work just fine without it.

DIEGO ALONSO Fri, 02/12/2010 - 13:50

Is 15.0 M a major release?  I am at 12.4.24T1 and I had no idea that I am 3 major IOS versions behind!!!

I removed the virtual-reassembly and it had no effect.  When I remove the inspect the clients behind the router cannot browse the Internet.  How is it that other IOS routers work without this?



Richard Burts Sat, 02/13/2010 - 07:44


I wonder if the performance issue might be caused by a duplex mismatch. I see that your router interfaces are configured for negotiation of speed and duplex. But I wonder if some interface might be connected to a device that is not negotiating correctly. I have recently faced this issue several times. In one case the router was connected to a hub and in another case the router was connected to a device that hard coded its speed (which causes the negotiation of duplex to not be successful). What do you see in the output of show interface?



cciesec2011 Sat, 02/13/2010 - 11:50

With all due respect, upgrading to IOS 15.0 is a dumb idea. I would not do it.

The original poster indicated that there are no CRC errors in the output, that eliminates the speed/duplex mismatch, IMHO.

AFAIK, your IOS version c1841-advipservicesk9-mz.124-24.T1.bin is an "interim" release to fix something like logging failed user attempts in syslog with actual failed username.  I would try a more stable release such as c1841nm-adventerprisek9-mz.124-15.T10.bin and see if it resolves your issue.

Richard Burts Sat, 02/13/2010 - 16:32

With all due respect, I am not convinced that absence of CRC will eliminate the possibility of duplex mismatch.

I hope that Diego will post the output of show interface from the router. This will allow us to see if any interfaces are operating in half duplex mode. And if any interfaces are in half duplex mode the presence of late collisions would be a good indicator that there is a duplex mismatch.

It might also be helpful if Diego can tell us what devices are connected on the interfaces and if he could verify the operating state (speed and duplex) of those connected devices.



cciesec2011 Sat, 02/13/2010 - 18:59

With all due respect, this is what I am seeing on my router.  The interface on the router is set to 100/full but the switchport on the catalyst 3750 is set auto/auto thus resulting in half duplex, and as you can see from the output below, a lot of CRC errors.

*Feb 14 02:58:45.169: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not half duplex), with C3750 FastEthernet0/37 (half duplex).

cciesec2011#sh int f0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is MV96340 Ethernet, address is 001e.7a6d.9147 (bia 001e.7a6d.9147)
  Internet address is
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 248/255, txload 1/255, rxload 43/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 00:00:06
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 17017000 bits/sec, 1420 packets/sec
  30 second output rate 570000 bits/sec, 1205 packets/sec
     10422 packets input, 15553127 bytes
     Received 9 broadcasts, 31 runts, 0 giants, 0 throttles
     517 input errors, 486 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     8642 packets output, 521827 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Whenever you have speed/duplex mis-match, based on my experience, you will almost always see CRC errors.  If you do not see CRC errors, it is safe to say that speed/duplex mis-match is not a root cause.
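
The counters debated in the replies above (duplex mode, CRC, runts, late collisions) can be pulled out of show interface output and checked together rather than one at a time. This is an added example, not part of any poster's reply; the sample text is constructed from the counters quoted in the thread, and the function names and the 0.1% error threshold are assumptions.

```python
import re

# Constructed sample, modelled on the counters quoted in the thread.
SAMPLE = """\
FastEthernet0/0 is up, line protocol is up
  Full-duplex, 100Mb/s, 100BaseTX/FX
     10422 packets input, 15553127 bytes
     Received 9 broadcasts, 31 runts, 0 giants, 0 throttles
     517 input errors, 486 CRC, 0 frame, 0 overrun, 0 ignored
     8642 packets output, 521827 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter name -> pattern as it appears in IOS "show interface" output.
COUNTERS = {
    "packets_in": r"(\d+) packets input",
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "late_collisions": r"(\d+) late collision",
}

def parse_show_interface(text):
    """Extract duplex mode and error counters from one interface block."""
    stats = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else 0
    m = re.search(r"(Full|Half|Auto)-duplex", text, re.IGNORECASE)
    stats["duplex"] = m.group(1).lower() if m else "unknown"
    return stats

def duplex_indicators(stats, min_error_pct=0.1):
    """List which mismatch indicators raised in the thread are present.

    min_error_pct is an assumed cut-off to ignore a stray error or two.
    """
    found = []
    if stats["duplex"] == "half":
        found.append("interface running half duplex")
    if stats["late_collisions"] > 0:
        found.append("late collisions")
    pct = 100.0 * stats["input_errors"] / max(stats["packets_in"], 1)
    if stats["crc"] + stats["runts"] > 0 and pct >= min_error_pct:
        found.append("CRC/runts at %.1f%% of input packets" % pct)
    return found

if __name__ == "__main__":
    s = parse_show_interface(SAMPLE)
    print(s["duplex"], duplex_indicators(s))
```

Run it against the output from both ends of the link: an empty list on one side says nothing about what the other side negotiated.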

DIEGO ALONSO Sun, 02/14/2010 - 08:23


Thanks for all the input.

The router was rebooted a little over 3 days ago and it does not show any significant errors, see below.  I don't mind hardcoding the speed and duplex to test but I don't think it will make much difference.

The 1841 is connected to a Samsung router via crossover cable.  So there is no switch in between them.  Basically we have (2xT1)<>Samsung<>1841<>LAN switch.  The cable is about 100ft long so that shouldn't be a problem either.  Very simple and clean setup.  I also don't mind updating to a more stable IOS but I don't think that will make a difference either.

If you do some quick Google searches this seems to be a common occurrence with Cisco devices.  I see a lot of references to ASA devices having the same problem.  This is disappointing because since this router is basically only a firewall I thought about switching it out for an ASA but it's starting to look like this might not help either.

My guess is that it has something to do with either the NAT or inspect process but if it does what do I do?  Both are needed for LAN clients to work properly or at least I don't know how to make them work properly without those two techniques.

I am starting to think of doing some crazy stuff like turning off CEF or something.  I know it's counterintuitive but who knows?  Also thinking maybe I need to start messing with advanced parameters that change settings like MTU or cache buffers or some kind of packet buffer settings? Any ideas of where I should start?



