I have an 1841 router that I use as a firewall and gateway for a small LAN of about 12 PCs. The 1841 is connected with a 100MB full duplex Ethernet connection to a Samsung ISP router which has two bonded T1 for a 3MB channel to the Internet.
Testing connection speeds with various test sites I noticed that download speeds were quite close to the theoretical maximum of 3MB. I get consistent results between 2.6 and 2.8MB down. However upload speeds are quite different. The max I have seen is 2.2MB and it usually averages somewhere between .8 and 1.2MB down. I inquired with the ISP and they had me connect a laptop directly to their router with a public IP. Speed test from there showed a very consistent 2.8MB up and down.
At this point they of course claim the problem is on my end and close the case, and I can't blame them because it does seem to exonerate them.
The 1841 does nothing else on this LAN. No IPSec, no IDS or VoIP services, nothing but Internet gateway. As such the only services running on it are IP routing with CEF enabled and inspect/CBAC services. Interfaces do not show any CRC or other errors.
I tried to turn off the inspect/CBAC, which is the only thing left to turn off, but when I do, web browsing doesn't work.
What can be causing this? How can I troubleshoot?
I would upgrade to some 15.0M, remove all inspect, remove virtual-reassembly. Also you don't really need ACL, since you are using NAT.
If nothing helps, set speed to WAN device to 10 mbps.
What exactly do you mean upgrade to 15.0M? Also, if I get rid of the inspect, browsing doesn't work. How can I get browsing to work correctly without inspect commands?
That is IOS 15.0 M.
Make sure you zap each and any ip inspect statement. Most routers in the world work just fine without it.
Is 15.0 M a major release? I am at 12.4.24T1 and I had no idea that I am 3 major IOS versions behind!!!
I removed the virtual-reassembly and it had no effect. When I remove the inspect the clients behind the router cannot browse the Internet. How is it that other IOS routers work without this?
I wonder if the performance issue might be caused by a duplex mismatch. I see that your router interfaces are configured for negotiation of speed and duplex. But I wonder if some interface might be connected to a device that is not negotiating correctly. I have recently faced this issue several times. In one case the router was connected to a hub and in another case the router was connected to a device that hard coded its speed (which causes the negotiation of duplex to not be successful). What do you see in the output of show interface?
With all due respect, upgrading to IOS 15.0 is a dumb idea. I would not do it.
The original poster indicated that there are no CRC errors in the output; that eliminates the speed/duplex mismatch, IMHO.
AFAIK, your IOS version c1841-advipservicesk9-mz.124-24.T1.bin is an "interim" release to fix something like logging failed user attempts in syslog with actual failed username. I would try a more stable release such as c1841nm-adventerprisek9-mz.124-15.T10.bin and see if it resolves your issue.
With all due respect, I am not convinced that absence of CRC will eliminate the possibility of duplex mismatch.
I hope that Diego will post the output of show interface from the router. This will allow us to see if any interfaces are operating in half duplex mode. And if any interfaces are in half duplex mode the presence of late collisions would be a good indicator that there is a duplex mismatch.
It might also be helpful if Diego can tell us what devices are connected on the interfaces and if he could verify the operating state (speed and duplex) of those connected devices.
With all due respect, this is what I am seeing on my router. The interface on the router is set to 100/full but the switchport on the Catalyst 3750 is set auto/auto, thus resulting in half duplex, and as you can see from the output below, a lot of CRC errors.
*Feb 14 02:58:45.169: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not half duplex), with C3750 FastEthernet0/37 (half duplex).
cciesec2011#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 001e.7a6d.9147 (bia 001e.7a6d.9147)
Internet address is 192.168.1.199/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 248/255, txload 1/255, rxload 43/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters 00:00:06
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
30 second input rate 17017000 bits/sec, 1420 packets/sec
30 second output rate 570000 bits/sec, 1205 packets/sec
10422 packets input, 15553127 bytes
Received 9 broadcasts, 31 runts, 0 giants, 0 throttles
517 input errors, 486 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
8642 packets output, 521827 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Whenever you have a speed/duplex mismatch, based on my experience, you will almost always see CRC errors. If you do not see CRC errors, it is safe to say that speed/duplex mismatch is not a root cause.
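An added example, not part of the original thread: a small Python parser that reads `show interface` output and lists the counters consistent with a duplex mismatch on that end of the link. The function names are hypothetical, the first sample is an excerpt of the output posted above, and the half-duplex sample is constructed.

```python
import re

# Excerpt of the "show interface" output posted above (full-duplex side).
FULL_SIDE = """\
FastEthernet0/0 is up, line protocol is up
Full-duplex, 100Mb/s, 100BaseTX/FX
Received 9 broadcasts, 31 runts, 0 giants, 0 throttles
517 input errors, 486 CRC, 0 frame, 0 overrun, 0 ignored
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
"""

# Constructed sample (not from the thread): counters typical of the half-duplex peer.
HALF_SIDE = """\
FastEthernet0/37 is up, line protocol is up
Half-duplex, 100Mb/s
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
212 output errors, 390 collisions, 0 interface resets
0 babbles, 212 late collision, 14 deferred
"""

# Counter name -> pattern for the number printed in front of it.
PATTERNS = {
    "runts": r"(\d+) runts\b",
    "crc": r"(\d+) CRC\b",
    "collisions": r"(\d+) collisions\b",
    "late_collisions": r"(\d+) late collisions?\b",
}

def parse_show_interface(text):
    """Extract the duplex setting and the mismatch-relevant counters."""
    duplex = re.search(r"\b(Full|Half)-duplex\b", text, re.I)
    info = {"duplex": duplex.group(1).lower() if duplex else "unknown"}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        info[key] = int(match.group(1)) if match else 0
    return info

def mismatch_indicators(info):
    """Return the signs consistent with a duplex mismatch on this end of the link."""
    signs = []
    if info["duplex"] == "full" and (info["crc"] or info["runts"]):
        signs.append("CRC errors or runts on a full-duplex port")
    if info["duplex"] == "full" and info["collisions"]:
        signs.append("collisions counted on a full-duplex port")
    if info["duplex"] == "half" and info["late_collisions"]:
        signs.append("late collisions on a half-duplex port")
    return signs

if __name__ == "__main__":
    for name, text in (("full side", FULL_SIDE), ("half side", HALF_SIDE)):
        print(name, mismatch_indicators(parse_show_interface(text)))
```

Run it against the output from both ends of the link, since each side of a mismatch shows different counters.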
Thanks for all the input.
The router was rebooted a little over 3 days ago and it does not show any significant errors, see below. I don't mind hardcoding the speed and duplex to test but I don't think it will make much difference.
The 1841 is connected to a Samsung router via crossover cable. So there is no switch in between them. Basically we have (2xT1)<>Samsung<>1841<>LAN switch. The cable is about 100ft long so that shouldn't be a problem either. Very simple and clean setup. I also don't mind updating to a more stable IOS but I don't think that will make a difference either.
If you do some quick Google searches this seems to be a common occurrence with Cisco devices. I see a lot of references to ASA devices having the same problem. This is disappointing because since this router is basically only a firewall I thought about switching it out for an ASA but it's starting to look like this might not help either.
My guess is that it has something to do with either the NAT or inspect process but if it does what do I do? Both are needed for LAN clients to work properly or at least I don't know how to make them work properly without those two techniques.
I am starting to think of doing some crazy stuff like turning off CEF or something. I know it's counterintuitive but who knows? Also thinking maybe I need to start messing with advanced parameters that change settings like MTU or cache buffers or some kind of packet buffer settings? Any ideas of where I should start?