Solved

Sluggish browsing after IOS upgrade on Cisco 851 router

Posted on 2010-11-10
Last Modified: 2012-05-10
After upgrading to Version 12.4(15)T14, RELEASE SOFTWARE (fc2) the internet browsing is very sluggish. I can usually see the browser status saying something along the lines of "waiting for abcsite.com" then hang, then suddenly the page loads up pretty quickly.

I've done numerous speed tests and they all show pretty good speeds for sustained transfers, also tried different DNS without any luck. Is there anything wrong with the config maybe?

Building configuration...

Current configuration : 7173 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!

hostname sw01
!
boot-start-marker
boot system flash
boot system flash c850-advsecurityk9-mz.124-9.T2.bin
boot system flash:c850-advsecurityk9-mz.124-15.T14.bin
boot-end-marker
!
logging buffered 51200
logging console informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 15
clock timezone PCTime 1
!
crypto pki trustpoint TP-self-signed-3743990007
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3743990007
 revocation-check none
 rsakeypair TP-self-signed-3743990007
!
!
crypto pki certificate chain TP-self-signed-3743990007
 certificate self-signed 01
  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  ::snip::
  1FA06ABA 89103F2C 3F43560A DDB78D5B 0EB306F8 38C8E37A 66F0E437 6CC71C5E
  E965D121 B37575DC E27A79B7 2EF46B98 0939485A ED762245 B7
        quit
dot11 syslog
no ip source-route
!
!
ip cef
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name ADMIN tcp
ip inspect name ADMIN udp
ip inspect name ADMIN ftp
ip inspect name ADMIN smtp
ip inspect name ADMIN icmp
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
ip inspect name FW smtp
no ip bootp server
ip domain name something.local
ip name-server 193.213.112.4
!
!
!
username ::snip::
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpnclient
 dns 192.168.79.10
 ::snip::
 pool vpnclientpool
 acl 175
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set stronger esp-3des esp-sha-hmac
!
crypto dynamic-map vpnclient 10
 set transform-set stronger
 match address 176
 reverse-route
!
!
crypto map VPNmap client authentication list userauthen
crypto map VPNmap isakmp authorization list groupauthor
crypto map VPNmap client configuration address respond
crypto map VPNmap 10 ipsec-isakmp dynamic vpnclient
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1350
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1395
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description LAN
 ip address 192.168.79.1 255.255.255.0
 ip access-group fraAdmin in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1392
 ip inspect ADMIN in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1352
!
interface Dialer0
 description TELENOR ADSL
 ip address negotiated
 ip access-group fraInternet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1392
 ip inspect FW in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1352
 dialer pool 1
 dialer-group 1
 keepalive 9
 no cdp enable
 ppp authentication pap callin
 crypto map VPNmap
!
ip local pool vpnclientpool 192.168.250.1 192.168.250.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NATliste interface Dialer0 overload
!
ip access-list extended NATliste
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended alterlov
 permit ip any any
ip access-list extended fraAdmin
 remark DHCP
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootpc any eq bootpc
 remark allows everything else
 permit ip 192.168.79.0 0.0.0.255 any
 deny   ip any any log
ip access-list extended fraInternet
 permit icmp any any
 remark PING
 permit icmp any any echo-reply
 permit icmp any any host-unreachable
 permit icmp any any host-unknown
 remark VPN
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit ip 192.168.250.0 0.0.0.255 192.168.79.0 0.0.0.255
 remark Maintenance from Allianse
 remark Mail in
 permit tcp any host 193.213.20.8 eq smtp
 remark Allows icmp to public ip
 remark Denies RFC 1918 addresses
 deny   ip 192.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip any any log
!
logging trap debugging
access-list 175 permit ip 192.168.79.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 176 permit ip any 192.168.250.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
banner login ^CCCC
-----------------------------------------------------------------------
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
Please leave, restricted area!
-----------------------------------------------------------------------
^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end



Thanks!
0
Question by:Spanjis
8 Comments
 
LVL 10

Accepted Solution

by:
cstosgale earned 300 total points
ID: 34106670
One thing is your MTU is pretty low. Usually ADSL lines can be higher than that. I would probably try 1492, and a tcp adjust-mss value of 1460.

Does reverting back to the old IOS image resolve the problem? This is probably worth trying to confirm it is the IOS image that has caused the problem.

Also, the MTU for ethernet interfaces should always be 1500, and there is rarely a good reason to change it. I would also take the MSS command off of there and just have it on the dialer interface.
0
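
The relationship between ip mtu and ip tcp adjust-mss raised in the answer above can be checked mechanically. This is an added example, not part of the original thread: a Python sketch that parses interface stanzas excerpted from the posted configuration and flags any interface whose clamped MSS is larger than the IP MTU minus 40 bytes of IPv4 and TCP headers (no header options assumed). The function names are hypothetical.

```python
import re

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
PPPOE_OVERHEAD = 8    # 6-byte PPPoE header + 2-byte PPP protocol field
ETHERNET_MTU = 1500   # assumed default when a stanza has no "ip mtu" line

# Interface stanzas excerpted from the configuration posted in the question.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip mtu 1350
 ip tcp adjust-mss 1395
!
interface Vlan1
 ip mtu 1392
 ip tcp adjust-mss 1352
!
interface Dialer0
 ip mtu 1392
 encapsulation ppp
 ip tcp adjust-mss 1352
"""

def max_mss(ip_mtu):
    return ip_mtu - IP_TCP_HEADERS

def parse_interfaces(config):
    """Return {interface: {"mtu": n, "tcp adjust-mss": n}} for each stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (\S+)", line)
        if head:
            current = interfaces.setdefault(head.group(1), {})
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the stanza
        elif current is not None:
            opt = re.match(r" ip (mtu|tcp adjust-mss) (\d+)\s*$", line)
            if opt:
                current[opt.group(1)] = int(opt.group(2))
    return interfaces

def audit(config):
    """List (interface, ip mtu, adjust-mss, ceiling) where the MSS is too big."""
    findings = []
    for name, v in parse_interfaces(config).items():
        mtu, mss = v.get("mtu", ETHERNET_MTU), v.get("tcp adjust-mss")
        if mss is not None and mss > max_mss(mtu):
            findings.append((name, mtu, mss, max_mss(mtu)))
    return findings

if __name__ == "__main__":
    for name, mtu, mss, limit in audit(SAMPLE_CONFIG):
        print(f"{name}: adjust-mss {mss} exceeds {limit} (ip mtu {mtu} - 40)")
```

On the posted values only FastEthernet4 is flagged; Vlan1 and Dialer0 sit exactly at the ceiling. For a PPPoE link using the full 1500 - 8 = 1492 byte MTU, the same arithmetic gives a ceiling of 1452.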
 

Author Comment

by:Spanjis
ID: 34112047
Thanks for the reply cstosgale, the changes had no effect. I'll try reverting back to old IOS image tomorrow, I'll let you know how it goes.
0
 

Author Comment

by:Spanjis
ID: 34132754
Sluggish browsing stopped after downgrading to c850-advsecurityk9-mz.123-8.YI2, but now there is a problem accessing sites like apple.com and me.com. The browser says "waiting for apple.com..." and times out.
0
 
LVL 4

Assisted Solution

by:t509
t509 earned 200 total points
ID: 34135802
I had exactly the same problem you're experiencing right now. My solution (on three 1812, to triple check this behaviour) was to downgrade to 12.4(15)T13, this worked fine for me. Your MTU/MSS values aren't optimal, but they aren't the root cause. I tested for several days to get a clue how to "tune" the 12.4(15)T14 to get better performance regarding simple browsing...no chance.

Just do a downgrade to T13.
0
 

Author Comment

by:Spanjis
ID: 34164154
Upgraded to 12.4(15)T13, still having problems with certain sites, working on Win 7, but not XP and Mac.

But the problem with sluggish browsing is solved, so I'm going to close this and create a new question.

Thanks for the help guys!
0
 

Author Closing Comment

by:Spanjis
ID: 34164173
New problems occurred after downgrading, problem accessing certain sites like apple.com, me.com... from Windows XP.
0
 
LVL 4

Expert Comment

by:t509
ID: 34172569
Hi, I've got none of these problems...actually using 1812 with the mentioned T13 @home.
I own one Win7 x64 Box, one iMac27", one MBP 15". I'm able to access these sites without any hassles...
0
 

Author Comment

by:Spanjis
ID: 34180914
Thanks for the input t509, I'm guessing there's a problem with the hardware.
0
