atitc

asked on

Cisco 877 performance problems

Hello,

I have a bit of an annoying problem with a Cisco 877 that I cannot seem to get to the bottom of. Last week I changed the config of the ACL on my Cisco 877 to try and improve security, as the previous ACL on there, that someone else created, was very lax. The next day however, a new problem started to occur. After a few hours, web browsing slows down to the point where most pages stop loading. Other services, such as smtp, still seem to work ok though over the same link. If I then do a reload on the router, everything works perfectly again for a few hours, and then the problem returns. My ISP is Demon Internet, the line is ADSL, and I have posted the 2 ACLs below. The first one is the config that was running, and the second is the one that is running now. ACL 100 is applied on Interface Dialer0 IN.

Old ACL

access-list 100 permit tcp any any eq 443
access-list 100 permit ip any host xxx.xxx.xxx.xxx (public IP removed)
access-list 100 permit icmp any any administratively-prohibited
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any packet-too-big
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any traceroute
access-list 100 permit icmp any any unreachable
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit udp any eq bootps any eq bootps
access-list 100 permit udp any eq domain any
access-list 100 permit esp any any
access-list 100 permit udp any any eq isakmp
access-list 100 permit udp any any eq 10000
access-list 100 permit tcp any any eq 139
access-list 100 permit udp any any eq netbios-ns
access-list 100 permit udp any any eq netbios-dgm
access-list 100 permit gre any any
access-list 100 deny   ip any any

New ACL

access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any eq domain any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny   ip any any

Can anyone tell me if they think this problem is related to this ACL config, is a router fault, or is an ISP issue?

Any help much appreciated.

Robert
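As an added illustration (not code from the original thread or from Cisco), the following Python script walks the new ACL top-down the way the router does and reports which entry each constructed inbound packet on Dialer0 hits. The parser only understands the syntax this particular ACL uses ("any" addresses, "eq" ports, "established"); the sample port numbers and flags are assumptions.

```python
# Added example, not from the original thread: a first-match evaluator for the
# Cisco ACL above (models "any" addresses, "eq" ports and "established" only).
import re
PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68}
ACE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+any(?:\s+eq\s+(\S+))?"
                 r"\s+any(?:\s+eq\s+(\S+))?(\s+established)?")
NEW_ACL = """\
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 1723
access-list 100 permit tcp any any eq 443
access-list 100 permit udp any eq domain any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 deny   ip any any"""

def port(p):  # Cisco port keyword or number; None means "any port"
    return None if p is None else PORT_NAMES.get(p) or int(p)
def parse_acl(text):
    """One (action, proto, sport, dport, established) tuple per ACE, in order."""
    entries = []
    for line in text.splitlines():
        action, proto, sp, dp, est = ACE.match(line).groups()
        entries.append((action, proto, port(sp), port(dp), est is not None))
    return entries

def evaluate(entries, proto, sport, dport, flags=()):
    """First match wins; returns (action, 1-based ACE number)."""
    for n, (action, p, sp, dp, est) in enumerate(entries, 1):
        if p != "ip" and p != proto:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        # "established" = ACK or RST set on the segment: a flag check, not connection state
        if est and not ({"ACK", "RST"} & set(flags)):
            continue
        return action, n
    return "deny", None  # implicit deny at the end of every Cisco ACL

def run_samples(acl=NEW_ACL):
    # Constructed inbound packets on Dialer0 (proto, source port, dest port, flags).
    e = parse_acl(acl)
    return {
        "http reply from web server":  evaluate(e, "tcp", 80, 51000, {"ACK"}),
        "new inbound http connection": evaluate(e, "tcp", 40000, 80, {"SYN"}),
        "dns reply":                   evaluate(e, "udp", 53, 33000),
        "inbound rdp probe":           evaluate(e, "tcp", 40001, 3389, {"SYN"}),
    }
```

Because `established` is a flag test rather than a session table, a returning HTTP segment matches the first line regardless of whether the router ever saw the outbound request, which is why a plain ACL cannot explain a gradual slowdown of one protocol; a stateful inspection or NAT table filling up would.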
asavener

First thing I'd suggest is to make sure you have the latest IOS image available for your router.
ASKER CERTIFIED SOLUTION
decoleur

atitc

ASKER

Hello,

Asavener - I do have the latest general release IOS on the router.

Decoleur - I have checked most of these things, and I agree with you, I do not think it is the ACL. The only reason I raised the question of the ACL is that the problem started immediately after I changed it. I was just wondering if there was something that I may not be aware of that this ACL could be doing.

The problem with all of those other diagnostics is, none of them seem to indicate anything. INT utilisation does not seem to be different between good and bad times. Pings are good, name resolution is quick, and ping response is consistently about 26ms. There does not seem to be a fixed time interval before the problem starts; it can be anything from 1 hour to 24 hours (although it is most often a longer period, like overnight, i.e. it works this afternoon, but then not tomorrow morning).

The other strange thing is it only seems to affect HTTP traffic. If I run an ftp, ping or VPN, all seem to run perfectly.

I agree the ACL is not very secure, but it is more secure than what was there; PPTP is a requirement of the site.

I do think that you have answered my initial question though, which is, is there anything "wrong" with this ACL, and it seems that the answer is no.