Slower internet connection after implementing Cisco 2610 router

I have a small business network setup where I just added a Cisco 2610 router. The problem I am having is the internet is now slower than it was when we were using the dual WAN port router. I used speedtest.net to base my assumptions of the problem. First of all, I used the Cisco 2610 as my gateway and did several tests which resulted in about 12Mbps down. I then changed my gateway to the dual WAN port router and did the same tests which gave me about 20Mbps down.

Comcast business modem--------Linksys Dual Wan Router-----unmanaged switch----pc
          |                                                       |
          |                                                       |
          |                                                       |
      Cisco 2610---------------------------------------------------


I know the setup is weird. We just added the Cisco 2610 to replace the Linksys which we had set up for VPN purposes, but since we have the 2610 doing that we don't need it. My question is, why is the internet now slower when I am using the Cisco 2610 than it was when using the Linksys?

I have not drawn the entire network as I believe the problem is some router configuration.  The public side of the cisco does have a public IP.

This is the router configuration. Go easy, I'm a newbie :)


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname ResRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
memory-size iomem 10
clock timezone mst -7
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server 192.168.0.103
!
multilink bundle-name authenticated
!
password encryption aes
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-216213128
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-216213128
 revocation-check none
 rsakeypair TP-self-signed-216213128
!
!
crypto pki certificate chain TP-self-signed-216213128
 certificate self-signed 01
        quit
!
!
username manager privilege 15 password 7 1336031319000D2C3F
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 ][HEeSD\gR^JIGELE[Z[FC^HSDPGPZDDRNeCNJZS_A address 173.165.x.x
!
crypto ipsec transform-set FirstStep esp-3des esp-md5-hmac
!
crypto map FirstStep 1 ipsec-isakmp
 set peer 173.165.x.x
 set transform-set FirstStep
 set pfs group2
 match address 110
!
!
!
controller T1 0/0
 framing sf
 linecode ami
!
controller T1 0/1
 framing sf
 linecode ami
!
!
!
!
!
interface FastEthernet0/0
 description LAN connection
 ip address 192.168.0.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internet Connection
 ip address 70.91.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map FirstStep
!
interface Serial0/2
 description WAN connection to OP
 ip address 192.168.10.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
!
router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 network 192.168.0.0
 network 192.168.10.0
 default-information originate
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 70.91.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NONAT_NAT interface FastEthernet0/1 overload
!
ip access-list extended nonat_nat
 remark No NAT local network to remote vpn network
 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 remark NAT local network to Internet
 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
***********************************************************************
WARNING - PRIVATE ELECTRONIC DEVICE - ACCESS PROHIBITED

This device is a private network device.  Access to this device is

not authorized.  Any attempt for unauthorized access will be logged

and appropriate legal action will be taken.

***********************************************************************^C
!
line con 0
 password 7 06351B205E42001F11
 logging synchronous
 login local
line aux 0
line vty 0 3
 logging synchronous
 login local
 terminal-type monitor
line vty 4
 password 7 00370707165702001B
 logging synchronous
 login local
 terminal-type monitor
!
ntp clock-period 17208273
ntp server 192.168.0.103
!
end


cameron213Asked:
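A check over the security-relevant lines of the configuration above, as an added example that is not part of the original post: it flags the 3DES/MD5/group 2 VPN settings, the plaintext HTTP server and the type 7 passwords. The rule list and finding texts are this example's own assumptions, and the sample is constructed from the posted lines with secrets replaced by placeholders.

```python
import re

# Constructed sample: lines copied from the configuration in the question,
# with password strings replaced by a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
username manager privilege 15 password 7 <redacted>
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set FirstStep esp-3des esp-md5-hmac
ip http server
ip http secure-server
line con 0
 password 7 <redacted>
"""

# (pattern, finding) pairs; the finding wording is this example's own.
RULES = [
    (r"^\s*encr(yption)?\s+(des|3des)\b", "IKE policy uses DES/3DES; prefer AES"),
    (r"^\s*hash\s+md5\b", "IKE policy uses MD5; prefer a SHA-based hash"),
    (r"^\s*group\s+[125]\b", "IKE Diffie-Hellman group is 1536 bits or smaller"),
    (r"^crypto ipsec transform-set\s+\S+.*\besp-(3)?des\b",
     "IPsec transform encrypts with DES/3DES"),
    (r"^crypto ipsec transform-set\s+\S+.*\besp-md5-hmac\b",
     "IPsec transform authenticates with HMAC-MD5"),
    (r"^ip http server\b", "plaintext HTTP management server is enabled"),
    (r"\bpassword 7\s+\S+", "type 7 password is reversible obfuscation, not a hash"),
]

def audit(config_text):
    """Return (line_number, line, finding) for every rule that matches."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for pattern, finding in RULES:
            if re.search(pattern, line):
                findings.append((number, line.strip(), finding))
    return findings

if __name__ == "__main__":
    for number, line, finding in audit(SAMPLE_CONFIG):
        print(f"line {number}: {line!r}: {finding}")
```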

jgibbarCommented:
Have you checked what Speed/Duplex your interfaces negotiate to on the Cisco device?
0
cameron213Author Commented:
Yes, if you look at the above configuration you'll see they are at full duplex and not half.
0
mpickreignCommented:
Do a show ver and post it.

My guess is that the 2610 has a slower processor and less memory than the Linksys did, and in addition you are using a router as a VPN endpoint which means you are heavily taxing what processor and memory power that you do have.
0
cameron213Author Commented:
This is the output of the show ver


Cisco IOS Software, C2600 Software (C2600-ADVIPSERVICESK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 05:40 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

ResRouter uptime is 2 days, 4 hours, 51 minutes
System returned to ROM by power-on
System image file is "flash:c2600-advipservicesk9-mz.124-15.t14.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2611XM (MPC860P) processor (revision 1.0) with 118784K/12288K bytes of memory.
Processor board ID JAD07080FQB
M860 processor: part number 5, mask 2
2 FastEthernet interfaces
1 Serial interface
2 Channelized T1/PRI ports
32K bytes of NVRAM.
49152K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
0
Marius GunnerudSenior Systems EngineerCommented:
Actually the duplex is set to auto which basically means it will default to half duplex. I would suggest hardcoding the speed and duplex to double check.

Also, could you do a show processes cpu just to double check that there isn't large CPU usage (I doubt it).
0
mpickreignCommented:
Here are the numbers.

Linksys Dual Wan Router Throughput: 148.8k pps

Cisco 2611XM Throughput: 20k pps

I would recommend replacing the Cisco 2611xm with a device that is designed more appropriately for what you are trying to do. That being a Cisco ASA firewall.
The 5505 gets 85k pps, and the 5510 gets 195k pps throughput. They also both have vpn accelerator cards to offload the encryption/decryption processor burden.
0
cameron213Author Commented:
Would be nice to get some better equipment. We are, however, a non-profit organization and most of this equipment is donated.
0
IT-Monkey-DaveCommented:
Duplexing: Set explicitly to FULL, not AUTO.  You may need to do the same thing at the other side of the connections if possible.
0
cameron213Author Commented:
I went ahead and set duplex to full and speed to 100, also verified that the comcast gateway was set to the same thing. Still having problems.
0
cameron213Author Commented:
I did a show on the interface that is connected to the comcast gateway.

  Hardware is AmdFE, address is 000c.308d.6de1 (bia 000c.308d.6de1)
  Description: Internet Connection
  Internet address is 70.91.210.67/29
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 253/255, txload 1/255, rxload 12/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5015000 bits/sec, 530 packets/sec
  5 minute output rate 321000 bits/sec, 454 packets/sec
     22506775 packets input, 1992128313 bytes
     Received 8388 broadcasts, 0 runts, 0 giants, 0 throttles
     13172 input errors, 5742 CRC, 0 frame, 350 overrun, 7080 ignored
     0 watchdog
     0 input packets with dribble condition detected
     21504739 packets output, 2295036605 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     217 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
ResRouter#

What are the input errors and CRC? They are incrementing quickly, as I did it a few min later and they were higher.
0
Marius GunnerudSenior Systems EngineerCommented:
Is the interface a serial interface?

input errors: Includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. Other input-related errors can also cause the input errors count to be increased, and some datagrams may have more than one error; therefore, this sum may not balance with the sum of enumerated input error counts.

CRC: Cyclic redundancy checksum generated by the originating LAN station or far-end device does not match the checksum calculated from the data received. On a LAN, this usually indicates noise or transmission problems on the LAN interface or the LAN bus itself. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
(taken from a cisco document)
0
cameron213Author Commented:
No, it's a FastEthernet interface straight to the Comcast gateway. The other FastEthernet plugs into an unmanaged switch. I do not see any of these errors on that interface.
0
IT-Monkey-DaveCommented:
Hmm, there should be next to zero errors on the interface connecting to the Comcast gateway.

I've found on our Comcast cable modem I have to explicitly tell it to use Full Duplex on the port connected to our firewall.  The Comcast port wants to come up in half-duplex.  If you can log in to the Comcast admin interface, check the duplex & speed settings on the port that connects to the Cisco.

You might swap out the patch cable while you're at it just to eliminate that as a possibility.

If all that checks out and you still have a high error rate, I'd be looking at a bad ethernet port either on the Comcast device, or on the Cisco.
0

Marius GunnerudSenior Systems EngineerCommented:
Well, IT-monkey beat me to it...what he said :-)
0
IT-Monkey-DaveCommented:
@MAG03, Sorry, I'm not trying to steal your points!  *looks around nervously*
0
cameron213Author Commented:
I've checked the port on the Comcast gateway; it's set to full duplex and speed 100. I noticed that the input errors and CRC are relatively close now, about 40,000. I was downloading a 2GB file from the network on one of our machines. I notice that the errors are not incrementing as much as they were before.
0
cameron213Author Commented:
@IT-Monkey, you were right about the Comcast. It was set to auto and had defaulted back to half duplex. I disabled the auto feature and set it back to Full. This seemed to help dramatically, as before I was getting an average of 3Mbps and now I'm getting around 12Mbps. Still wondering why I'm not getting closer to 20.
0
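The counters discussed in this thread, as an added example that is not part of any participant's post: it parses the posted `show interface` lines, splits the input-error total into the parts named in the quoted Cisco text, and computes the error rate. The final check is a heuristic assumed by this example: CRC errors with no collisions on a full-duplex port fit a far end running half duplex, which is what the author found on the Comcast gateway.

```python
import re

# Constructed sample: counter lines copied from the "show interface" output
# posted earlier in the thread.
SAMPLE = """\
  Full-duplex, 100Mb/s, 100BaseTX/FX
     22506775 packets input, 1992128313 bytes
     13172 input errors, 5742 CRC, 0 frame, 350 overrun, 7080 ignored
     21504739 packets output, 2295036605 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COUNTERS = ["packets input", "input errors", "CRC", "frame", "overrun",
            "ignored", "collisions", "late collision"]

def parse_counters(text):
    """Extract the named counters from IOS 'show interface' text."""
    values = {}
    for name in COUNTERS:
        match = re.search(r"(\d+) " + re.escape(name) + r"\b", text)
        if match:
            values[name] = int(match.group(1))
    return values

def summarize(values):
    """Split the input-error total into its parts and compute the error rate."""
    parts = {k: values[k] for k in ("CRC", "frame", "overrun", "ignored")}
    rate = 100.0 * values["input errors"] / values["packets input"]
    return {
        "error_rate_pct": round(rate, 4),
        "parts": parts,
        # The quoted Cisco text warns that the parts need not sum to the total.
        "unaccounted": values["input errors"] - sum(parts.values()),
    }

def far_end_half_duplex_suspect(text, values):
    """Heuristic (assumption): full duplex here, CRC errors, no collisions."""
    return bool("Full-duplex" in text and values["CRC"] > 0
                and values["collisions"] == 0
                and values["late collision"] == 0)

if __name__ == "__main__":
    counters = parse_counters(SAMPLE)
    print(summarize(counters))
    print("check far-end duplex:", far_end_half_duplex_suspect(SAMPLE, counters))
```

A single snapshot only shows totals since the counters were last cleared; compare two snapshots taken a few minutes apart to see whether the errors are still growing.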
IT-Monkey-DaveCommented:
Glad that helped.  I had that happen when we switched from Qwest to Comcast about six months ago.  Then Comcast came out to upgrade our modem and the same thing happened again.  That modem wants to use half-duplex for some reason.

As far as measuring the b/w, it's pretty hard sometimes to get an accurate reading due to all the variables.  I monitor our b/w with mrtg and can see that, in aggregate, we're getting the promised b/w, but I almost never get that number when using speed tools like dslreports.
0
cameron213Author Commented:
I understand that it's hard to get an accurate reading; it's just weird how when I use the Linksys as the gateway to do a test at speedtest.net it's closer to 20Mbps, and then when switching back to the Cisco as the gateway the same test is 12Mbps. I do notice that if I do a ping from a host to the internet the first packet is usually dropped, resulting in 25% loss. However, the router always gets 100% success. It takes about 5 seconds for the Google homepage to load on any hosts using the Cisco as the gateway.  Not sure if this has to do with an ARP request or not.
0