VPN Slow 256k T1

KevinLause used Ask the Experts™
Ok, here is the problem. I have a 256k T1 running to my site in Canada. It is connected to a Cisco 1721 with the T1 CSU/DSU WIC card. I run a VPN back to my main office, which has a Cisco 2600 with a full T1. I also have 8 other sites coming into this 2600 and they are all fine. The Canadian site is slow... I mean dial-up slow. I am in the process of contacting Sprint to see if it is a line issue, but I am assuming that, like all ISPs, they will say it is my issue. I have attached the config for the 1721 in hopes that there is a tweak I can make to improve speed back to our main office. I know security is more than a little lax on this, but I'm more interested in speed, as we run Oracle apps across the network and it takes them like 15 minutes to enter an order due to speed issues. Any help would be great!

Current configuration : 1783 bytes
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname oakville
enable password 7 <removed>
ip subnet-zero
ip name-server
ip name-server
ip name-server
ip name-server
ip name-server
ip name-server
ip audit notify log
ip audit po max-events 100
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key key123 address x.x.x.x
crypto ipsec transform-set default-3 ah-md5-hmac esp-des
crypto map map 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set default-3
 match address 111
interface FastEthernet0
 description NAT INSIDE going to private network
 ip address
 ip nat inside
 speed auto
 no cdp enable
interface Serial0
 description NAT OUTSIDE going to the Internet
 ip address x.x.x.x
 ip nat outside
 no fair-queue
 service-module t1 timeslots 1-4
 no cdp enable
 crypto map map
ip nat pool nat-pool x.x.x.x x.x.x.x netmask
ip nat inside source list 110 pool nat-pool overload
ip classless
ip route Serial0
ip http server
access-list 110 deny   ip x.x.0.0
access-list 110 permit ip any
access-list 110 permit ip any
access-list 110 deny   ip any
access-list 111 permit ip
access-list 111 permit ip host host x.x.x.x
access-list 111 permit ip
no cdp run
line con 0
line aux 0
line vty 0 4
 password 7 <removed>
no scheduler allocate
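
The asker notes that security on this config is lax. As an added example (not part of the original post, and not a Cisco tool), this Python check flags the weak crypto and management settings visible in the posted config. The sample text is constructed from the lines above; the function name `audit_ios_config` and the wording of the findings are this example's own.

```python
import re

# Constructed sample: the crypto and management lines from the config posted above.
SAMPLE = """\
service password-encryption
enable password 7 <removed>
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key key123 address x.x.x.x
crypto ipsec transform-set default-3 ah-md5-hmac esp-des
ip http server
line vty 0 4
 password 7 <removed>
"""

# (regex, finding) rules; the wording of the findings is this example's own.
LINE_RULES = [
    (r"^\s*hash md5\b", "IKE policy uses MD5 for integrity"),
    (r"^\s*(enable )?password 7 ", "type 7 password is reversible obfuscation, not a hash"),
    (r"^ip http server\b", "HTTP management server enabled"),
    (r"^crypto isakmp key \S+ address ", "pre-shared key stored in the config"),
]
WEAK_TRANSFORMS = {"esp-des": "56-bit DES encryption", "ah-md5-hmac": "MD5 HMAC (AH)",
                   "esp-md5-hmac": "MD5 HMAC (ESP)"}

def audit_ios_config(text):
    """Return a sorted list of (line_number, finding) for weak settings in an IOS config."""
    findings, policy = [], None   # policy = [start_line, has_encryption_line]
    def close_policy():
        if policy and not policy[1]:
            findings.append((policy[0], "IKE policy has no 'encryption' line; classic IOS defaults to DES"))
    for n, line in enumerate(text.splitlines(), 1):
        if not line.startswith(" "):          # a top-level line ends any open policy block
            close_policy()
            policy = [n, False] if line.startswith("crypto isakmp policy ") else None
        elif policy and line.strip().startswith("encryption "):
            policy[1] = True
        for pattern, finding in LINE_RULES:
            if re.search(pattern, line):
                findings.append((n, finding))
        if line.startswith("crypto ipsec transform-set "):
            for token in line.split()[4:]:    # tokens after the transform-set name
                if token in WEAK_TRANSFORMS:
                    findings.append((n, f"transform {token}: {WEAK_TRANSFORMS[token]}"))
    close_policy()
    return sorted(findings)
```

Calling `audit_ios_config(SAMPLE)` returns one entry per weak setting, keyed by line number in the sample.
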
mikecr, IT Architect/Technology Delivery Manager

First, get rid of the HTTP server; this causes CPU overhead on the router.

no ip http server

Next, please post "show int s0" here so we can see if you're getting any errors. Also, do a "show ip interface s0" and post it here.


Http server is off now.

show int s0
Serial0 is up, line protocol is up
  Hardware is PQUICC with Fractional T1 CSU/DSU
  Description: NAT OUTSIDE going to the Internet
  Internet address is x.x.x.x/30
  MTU 1500 bytes, BW 256 Kbit, DLY 20000 usec,
     reliability 255/255, txload 9/255, rxload 22/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 1/75/5/0 (size/max/drops/flushes); Total output drops: 1792
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 23000 bits/sec, 9 packets/sec
  5 minute output rate 10000 bits/sec, 10 packets/sec
     263865 packets input, 95099469 bytes, 0 no buffer
     Received 4253 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     1560886 packets output, 175901059 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
 show ip interface s0

Serial0 is up, line protocol is up
  Internet address is x.x.x.x./30
  Broadcast address is
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
IT Architect/Technology Delivery Manager
Look over this document as you may want to set up some queueing. You're getting too many output drops. Output drops mean that the packet is dropped entirely, which will cause a retransmit from the end station, which can slow you down. Also, you may want to enable CEF on your router. This should help a little with the performance as well, as it will fast switch packets between interfaces according to the route table. To turn it on, the command is "ip cef".



The CEF made a difference, I think. I put it in, saved the config, then reloaded, and things started moving much faster. I'm going to look into the queueing and see what I can do to clean that up. Thanks for the help!
mikecr, IT Architect/Technology Delivery Manager

No problem. Good luck!
