I just installed a new Cisco DPC3825 DOCSIS 3.0 Gateway and have run into an interesting problem.
No problems - System 1 (Windows Vista-old pc) Connected by wifi
No problems - Other wifi connections with phones etc - No problems
Slow opening of web pages - System 2 (New PC with Windows 7) when connected either by LAN or by wifi - slow response time opening a web page (takes 8 sec to open www.google.ca and 30+ seconds to open something like www.tomshardware.com). Data flows very well once a connection is opened (speedtest.net with 8ms ping, 38 Mbps down, 2.5 Mbps up). pingtest.net failed with a warning that a firewall was blocking packets. It should be noted that although great speeds were observed on speedtest.net, it took 30+ seconds to load the webpage. Speedtest.net and pingtest.net worked on other computers connected to the network with no issues.
When the SPI Firewall in the router is "off" System 2 works great. When SPI Firewall in the router is "on" System 2 has the above problems.
Is there an underlying cause or some sort of driver compatibility with SPI Firewall? Obviously things are all great with SPI Firewall off, but this presents its own issues.
I ran into the same problem, but here I'm using a Cisco 1721 with CBAC SPI. But the weird thing is, I applied the inspection rule on the internet interface, and we have another interface for a private point-to-point link to HQ. Users access the HQ server via the PtoP link. Windows 7 users are facing the same problem as above; all other Windows versions have no problem. The P2P interface does not have any inspection rule. If I remove the inspection rule from the Internet interface, everything seems to be working fine on Windows 7. Why is this so? Any ideas? Sorry if I'm posting in the wrong section.
I hope you get a response, I'm still looking for one to solve the problem. I have no issue with SPI off when using the DPC3825. Placing SPI on an alternate Cisco router (WRT610) causes no issue with the exact same system.
CBAC is the old method. Now ZBF (Zone Based Firewall) is the way to go. If you have many inspections configured, then it may lead to latency issues. I am not sure why Windows 7 shows the problem but other Windows OSes don't.
Leave only the basic inspection for tcp, udp, ftp and icmp and see if the problem persists.
Using an elevated command prompt, I ran the following command and found that ECN Capability was enabled.
netsh int tcp show global
I suspect an ECN compatibility with the Windows 7 TCP/IP protocol and the router. Turning off the TCP/IP ECN Capability solved the problem when set to either default or disabled. This is done with the command:
netsh int tcp set global ecncapability=default
netsh int tcp set global ecncapability=disabled
I just stuck with default for now.
For more information, refer to the following, as the other issue in the other post may also be one related to autotuning... not so in my case.
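Added example, not part of the thread: a TCP stack with ECN capability enabled requests ECN by setting the ECE and CWR flags in its SYN (RFC 3168), so a capture taken on the affected PC can show whether ECN-setup SYNs go unanswered while plain SYNs complete the handshake. The function names and the capture below are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header; ECE and CWR come from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def make_segment(sport, dport, flags):
    """Build a minimal 20-byte TCP header (constructed test data, no checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def classify(segment):
    """Label a raw TCP header by its handshake role and ECN negotiation bits."""
    if len(segment) < 20 or (segment[12] >> 4) < 5:
        raise ValueError("truncated or malformed TCP header")
    f = segment[13]
    if (f & RST) or not (f & SYN):
        return "other"
    if f & ACK:
        # RFC 3168: an ECN-setup SYN-ACK has ECE set and CWR clear.
        return "ecn-setup-synack" if (f & ECE) and not (f & CWR) else "plain-synack"
    # RFC 3168: an ECN-setup SYN has both ECE and CWR set.
    return "ecn-setup-syn" if (f & ECE) and (f & CWR) else "plain-syn"

def syn_outcomes(segments):
    """Per SYN type, count [SYNs sent, handshakes answered by a SYN-ACK]."""
    stats = {"ecn-setup-syn": [0, 0], "plain-syn": [0, 0]}
    pending = {}  # (client_port, server_port) -> type of the SYN awaiting a reply
    for seg in segments:
        kind = classify(seg)
        sport, dport = struct.unpack("!HH", seg[:4])
        if kind in stats:
            stats[kind][0] += 1          # retransmitted SYNs are counted too
            pending[(sport, dport)] = kind
        elif kind.endswith("synack") and (dport, sport) in pending:
            stats[pending.pop((dport, sport))][1] += 1
    return stats

# Constructed capture: three unanswered ECN-setup SYNs, one answered plain SYN.
CAPTURE = (
    [make_segment(50001, 80, SYN | ECE | CWR)] * 3
    + [make_segment(50002, 80, SYN), make_segment(80, 50002, SYN | ACK)]
)

if __name__ == "__main__":
    for kind, (sent, answered) in syn_outcomes(CAPTURE).items():
        print(f"{kind}: sent={sent} answered={answered}")
```

A capture where ECN-setup SYNs are repeated without a SYN-ACK while plain SYNs are answered points at a device on the path mishandling ECN negotiation, which is what the `ecncapability` change above works around.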