Solved

Cisco 1811 Config Slowing Down Image Downloads

Posted on 2012-03-13
Last Modified: 2012-06-21
Hello!

We have a client that needs to connect their internal LAN with two external networks: the Internet and a private hospital network. The network layout is pretty simple:

Outside Interface: Internet - FastEthernet0 - 192.168.3.1/29
Inside Interface: Internal - FastEthernet1 - 192.168.2.254/24
Outside Interface: Hospital - VLAN1 - 172.17.4.32/24

Most of the things they connect to are on the Internet. However, they also connect to the Hospital's EMR system via the Hospital network. This is all done via Telnet, not HTTP. They have specialized Telnet terminal emulation software that does the work.

When they do connect to the Hospital EMR system, their specialized Telnet client allows them to download large image files of various patient records.

Their router used to be a Windows 2003 server with RRAS. When that was in place, the image files would download in just seconds. We have replaced that with a Cisco 1811 router. Now that the Cisco 1811 is in place, each image file takes 2-5 minutes to download, which is unacceptable.

I've pasted the Cisco 1811's configuration file below. Can anyone tell me what is causing this bottleneck and what we can do to fix it without sacrificing connectivity? I'm fairly sure that the only service we need from the hospital network is Telnet.

I suspect it is the packet inspection stuff that's causing problems, but when I eliminate packet inspection completely (remove the "ip inspect CCP_LOW in" line from the FastEthernet1 interface) then nothing connects at all.

Thank you in advance.

Current configuration : 7273 bytes
!
version 12.3
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname client-rt1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$jSCY$KfiP016xxxxx.xxxxxxxx/
!
username client privilege 15 secret 5 $1$dkQC$Y2Zj9oDS6usv8LxyJxxxx/
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip gratuitous-arps
!
!
ip cef
!
!
ip finger
ip tcp synwait-time 10
ip domain lookup source-interface FastEthernet0
ip domain name client.local
ip name-server 192.168.3.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 192.168.3.1 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 description $ETH-SW-LAUNCH$$INTF-INFO-ETH-WAN$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet2
 no ip address
 no cdp enable
!
interface FastEthernet3
 no ip address
 no cdp enable
!
interface FastEthernet4
 no ip address
 no cdp enable
!
interface FastEthernet5
 no ip address
 no cdp enable
!
interface FastEthernet6
 no ip address
 no cdp enable
!
interface FastEthernet7
 no ip address
 no cdp enable
!
interface FastEthernet8
 no ip address
 no cdp enable
!
interface FastEthernet9
 no ip address
 no cdp enable
!
interface Vlan1
 description $ETH-FE 2$$FW_OUTSIDE$
 ip address 172.17.4.32 255.255.255.0
 ip access-group 104 in
 ip verify unicast reverse-path
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 ip mask-reply
 ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.2
ip route 10.2.0.0 255.255.0.0 172.17.4.1
ip route 172.17.4.0 255.255.255.0 172.17.4.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool Inet-Pool 192.168.3.1 192.168.3.1 prefix-length 24
ip nat pool HOSPITAL-Pool 172.17.4.32 172.17.4.37 prefix-length 24
ip nat inside source route-map Inet-Map pool Inet-Pool overload
ip nat inside source route-map HOSPITAL-Map pool HOSPITAL-Pool
ip nat inside source static tcp 192.168.2.20 1723 interface FastEthernet0 1723
ip nat inside source static tcp 192.168.2.20 987 interface FastEthernet0 987
ip nat inside source static tcp 192.168.2.20 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.2.20 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.2.20 25 interface FastEthernet0 25
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit udp host 192.168.3.2 eq domain any
access-list 101 permit tcp any host 192.168.3.1 eq smtp
access-list 101 permit tcp any host 192.168.3.1 eq www
access-list 101 permit tcp any host 192.168.3.1 eq 443
access-list 101 permit tcp any host 192.168.3.1 eq 987
access-list 101 permit tcp any host 192.168.3.1 eq 1723
access-list 101 permit gre any host 192.168.3.1
access-list 101 remark Inbound SMTP
access-list 101 permit tcp any host 192.168.2.20 eq smtp
access-list 101 remark Inbound HTTP
access-list 101 permit tcp any host 192.168.2.20 eq www
access-list 101 remark Inbound HTTPS
access-list 101 permit tcp any host 192.168.2.20 eq 443
access-list 101 permit tcp any host 192.168.2.20 eq 987
access-list 101 permit tcp any host 192.168.2.20 eq 1723
access-list 101 permit gre any host 192.168.2.20
access-list 101 permit icmp any host 192.168.3.1 echo-reply
access-list 101 permit icmp any host 192.168.3.1 time-exceeded
access-list 101 permit icmp any host 192.168.3.1 unreachable
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Inbound SMTP
access-list 101 remark Inbound HTTP
access-list 101 remark Inbound HTTPS
access-list 101 permit tcp any any eq 7627
access-list 101 permit udp any any eq 7627
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq telnet
access-list 103 permit icmp any any administratively-prohibited
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit icmp any any echo
access-list 103 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 7627
access-list 103 permit udp any any eq 7627
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit udp host 172.17.4.1 eq domain any
access-list 104 permit tcp any any eq telnet
access-list 104 permit icmp any any administratively-prohibited
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo
access-list 104 deny   ip 192.168.2.0 0.0.0.255 any
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
no cdp run
!
route-map HOSPITAL-Map permit 10
 match ip address 1
 match interface Vlan1
!
route-map Inet-Map permit 10
 match ip address 1
 match interface FastEthernet0
!
!
!
!
control-plane
!
banner exec ^C
client Router 1
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:moaneye
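The observation that removing `ip inspect CCP_LOW in` makes "nothing connect" follows from how the two interface ACLs interact with CBAC: ACL 104 on Vlan1 only permits Telnet by destination port, so the EMR server's replies (source port 23) fall through to the deny entries unless inspection has opened a return path. The following is an added example, not code from the thread or from Cisco: a Python first-match evaluator over ACL 103 and ACL 104 transcribed from the posted config, with a simplified model of the CBAC session table. The hosts 192.168.2.50 and 10.2.0.10 are constructed (10.2.0.0/16 is the hospital route in the config), and NAT is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""         # IOS keyword such as "echo" or "echo-reply"


@dataclass(frozen=True)
class Ace:
    """One access-list entry; proto 'ip' matches every protocol, 'any' every address."""
    action: str                 # "permit" or "deny"
    proto: str
    src: str                    # CIDR or "any"
    dst: str
    sport: Optional[int] = None  # 'eq' on the source port
    dport: Optional[int] = None  # 'eq' on the destination port
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _covers(self.src, p.src) and _covers(self.dst, p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(acl: List[Ace], p: Packet) -> str:
    """IOS semantics: the first matching entry decides; an implicit deny ends every list."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


# Transcribed from the posted config. ACL 103 is applied inbound on FastEthernet1
# (LAN side), ACL 104 inbound on Vlan1 (hospital side). Remarks and the 'log'
# keyword are dropped; neither changes a verdict.
ACL_103 = [
    Ace("permit", "tcp", "any", "any", dport=23),
    Ace("permit", "icmp", "any", "any", icmp_type="administratively-prohibited"),
    Ace("permit", "icmp", "any", "any", icmp_type="time-exceeded"),
    Ace("permit", "icmp", "any", "any", icmp_type="unreachable"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo"),
    Ace("permit", "ip", "any", "any"),
    Ace("permit", "tcp", "any", "any", dport=7627),
    Ace("permit", "udp", "any", "any", dport=7627),
]
ACL_104 = [
    Ace("permit", "udp", "172.17.4.1/32", "any", sport=53),
    Ace("permit", "tcp", "any", "any", dport=23),
    Ace("permit", "icmp", "any", "any", icmp_type="administratively-prohibited"),
    Ace("permit", "icmp", "any", "any", icmp_type="time-exceeded"),
    Ace("permit", "icmp", "any", "any", icmp_type="unreachable"),
    Ace("permit", "icmp", "any", "any", icmp_type="echo"),
    Ace("deny", "ip", "192.168.2.0/24", "any"),
    Ace("deny", "ip", "10.0.0.0/8", "any"),
    Ace("deny", "ip", "172.16.0.0/12", "any"),
    Ace("deny", "ip", "192.168.0.0/16", "any"),
    Ace("deny", "ip", "127.0.0.0/8", "any"),
    Ace("deny", "ip", "255.255.255.255/32", "any"),
    Ace("deny", "ip", "0.0.0.0/32", "any"),
    Ace("deny", "ip", "any", "any"),
]

Flow = Tuple[str, str, str, int, int]   # proto, src, dst, sport, dport


def inspect_outbound(sessions: Set[Flow], p: Packet, inspect_enabled: bool) -> None:
    """Simplified model of `ip inspect CCP_LOW in` on FastEthernet1: remember
    LAN-originated TCP/UDP flows so their replies get a temporary opening."""
    if inspect_enabled and p.proto in ("tcp", "udp"):
        sessions.add((p.proto, p.src, p.dst, p.sport, p.dport))


def inbound_verdict(acl: List[Ace], sessions: Set[Flow], p: Packet) -> str:
    """A reply matching a tracked session bypasses the static ACL; anything else
    is judged by the ACL exactly as written."""
    if (p.proto, p.dst, p.src, p.dport, p.sport) in sessions:
        return "permit"
    return evaluate(acl, p)


def telnet_session_verdicts(inspect_enabled: bool) -> dict:
    """Walk one Telnet session from a constructed LAN PC to a constructed EMR
    server and back. NAT is left out: the deny entries in ACL 104 key on the
    source address, so the reply verdict is the same either way."""
    pc, emr = "192.168.2.50", "10.2.0.10"
    sessions: Set[Flow] = set()
    syn = Packet("tcp", pc, emr, sport=50123, dport=23)
    reply = Packet("tcp", emr, pc, sport=23, dport=50123)
    outbound = evaluate(ACL_103, syn)                    # checked entering FastEthernet1
    if outbound == "permit":
        inspect_outbound(sessions, syn, inspect_enabled)
    inbound = inbound_verdict(ACL_104, sessions, reply)  # checked entering Vlan1
    return {"outbound_syn": outbound, "reply": inbound}
```

Running `telnet_session_verdicts(False)` shows the reply landing on `deny ip 10.0.0.0/8 any`, which is why the static ACL cannot stay as-is once inspection is removed; the accepted answer's advice to drop the access-groups together with the inspect line, and only re-add them once fixed, is the consistent way to test.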

Expert Comment

by:giltjr
The interfaces are 100Mbps only.

Did the Windows server have a 1Gbps NIC?

Is the internal network 1 Gbps?

Author Comment

by:moaneye
The Windows server had a 1GB NIC on the internal interface but the Hospital-facing interface was only 100MB. Also, the entire internal network was based on a 100GB switch. When we replaced the server with the Cisco 1811 router we also replaced the 100GB switch with a gigabit switch. So now it should be either the same speed or faster overall.

Assisted Solution

by:giltjr
giltjr earned 100 total points
Well, depending on what the NICs are on the other devices on the network it may not be faster. But I do agree it should be just as fast.

Now, one issue could be a duplex mismatch. If possible, can you hard code all interfaces involved to 100 Full duplex? This means both on the 1811 and the switch(es) it is connected to.
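A duplex mismatch leaves a recognisable signature in the interface counters before anyone changes a setting, so it is worth checking before hard-coding speed and duplex. The following is an added example, not from the thread: a Python parser for the general layout of IOS `show interfaces` output that pulls out duplex, speed and the error counters, and applies the usual rule (the half-duplex side accumulates late collisions, the full-duplex side accumulates CRC/frame errors). The sample output is constructed for illustration, not captured from the client's router; the emitted `speed`/`duplex` commands are the fix giltjr describes.

```python
import re
from typing import Dict, List

# Constructed sample laid out like IOS `show interfaces`. The addresses are the
# router's own from the posted config; the counters are invented to show one
# mismatched link. Nothing here was captured from the client's 1811.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0011.2233.4455 (bia 0011.2233.4455)
  Internet address is 192.168.2.254/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Half-duplex, 100Mb/s, 100BaseTX/FX
     8837 packets input, 1127644 bytes
     792 input errors, 412 CRC, 380 frame, 0 overrun, 0 ignored
     9231 packets output, 5521893 bytes, 0 underruns
     0 output errors, 1893 collisions, 0 interface resets
     0 babbles, 517 late collision, 266 deferred
FastEthernet0 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0011.2233.4466 (bia 0011.2233.4466)
  Internet address is 192.168.3.1/29
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Full-duplex, 100Mb/s, 100BaseTX/FX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Counter names -> the fragment of the `show interfaces` line that carries them.
COUNTERS = {
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "frame": r"(\d+) frame\b",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
    "deferred": r"(\d+) deferred",
}


def parse_show_interfaces(text: str) -> Dict[str, dict]:
    """Per-interface duplex, speed and the error counters that matter for a mismatch."""
    report: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        head = re.match(r"^(\S+) is (\S+), line protocol is (\S+)", line)
        if head:
            current = head.group(1)
            report[current] = {"duplex": None, "speed_mbps": None}
            report[current].update({key: 0 for key in COUNTERS})
            continue
        if current is None:
            continue
        dup = re.search(r"(Half|Full)-duplex, (\d+)Mb/s", line)
        if dup:
            report[current]["duplex"] = dup.group(1)
            report[current]["speed_mbps"] = int(dup.group(2))
        for key, pattern in COUNTERS.items():
            m = re.search(pattern, line)
            if m:
                report[current][key] = int(m.group(1))
    return report


def mismatch_findings(iface: dict) -> List[str]:
    """Classic signatures: only the half-duplex side backs off, so it logs late
    collisions while the full-duplex peer logs CRC/frame errors."""
    findings = []
    if iface["duplex"] == "Half" and iface["late_collisions"] > 0:
        findings.append("late collisions while half-duplex: peer is likely full-duplex")
    if iface["duplex"] == "Full" and (iface["crc"] > 0 or iface["frame"] > 0):
        findings.append("CRC/frame errors while full-duplex: peer is likely half-duplex")
    return findings


def likely_duplex_mismatch(iface: dict) -> bool:
    return bool(mismatch_findings(iface))


def hard_code_commands(interface: str, speed: int = 100, duplex: str = "full") -> List[str]:
    """The fix suggested above: pin speed and duplex (repeat on the switch port)."""
    return [f"interface {interface}", f" speed {speed}", f" duplex {duplex}"]


if __name__ == "__main__":
    for name, iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES).items():
        print(name, iface["duplex"], iface["speed_mbps"], mismatch_findings(iface))
        if likely_duplex_mismatch(iface):
            print("\n".join(hard_code_commands(name)))
```

Clear the counters after pinning both ends and re-check: a link that is still accumulating late collisions or CRC errors at a fixed 100/full has a cabling or port problem rather than a negotiation one.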

Accepted Solution

by:lrmoore
lrmoore earned 400 total points
I would start by removing several commands from the inside and hospital interfaces and see what the results are each time.

interface FastEthernet1
 description $ETH-SW-LAUNCH$$INTF-INFO-ETH-WAN$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in  <== remove this. The basic result is permit ip any any which matches the acl
 ip mask-reply <== remove
 ip directed-broadcast <== remove
 ip nat inside
 ip inspect CCP_LOW in <== remove
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable

interface Vlan1
 description $ETH-FE 2$$FW_OUTSIDE$
 ip address 172.17.4.32 255.255.255.0
 ip access-group 104 in  <== remove
 ip verify unicast reverse-path  <== remove
 ip mask-reply <== remove
 ip directed-broadcast <== remove
 ip nat outside
 ip virtual-reassembly <== remove
 ip tcp adjust-mss 1452 <== remove

Start with basic interfaces and check the speed. If better, then add back the access-groups, but fix them first.
If speed is acceptable, no further action is necessary.
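The strip-and-measure procedure above is easier to carry out against a long config if the per-packet features on each interface are listed mechanically. The following is an added example, not code from the thread or from Cisco: a small Python parser that splits an IOS running-config into interface stanzas, inventories the features the accepted answer peels off (inbound ACL, uRPF, mask-reply, directed-broadcast, CBAC inspect, virtual reassembly, MSS clamping), emits the negated commands in config order, and flags the dependency the questioner ran into: an outside interface whose inbound ACL is left in place after the inspect rule is gone. The embedded config is the excerpt quoted in the answer; the generated `no` lines are simply the stanza lines negated.

```python
import re
from typing import Dict, List, Tuple

# The two interface stanzas quoted in the accepted answer, from the posted config.
CONFIG_EXCERPT = """\
interface FastEthernet1
 description $ETH-SW-LAUNCH$$INTF-INFO-ETH-WAN$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.254 255.255.255.0
 ip access-group 103 in
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip inspect CCP_LOW in
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description $ETH-FE 2$$FW_OUTSIDE$
 ip address 172.17.4.32 255.255.255.0
 ip access-group 104 in
 ip verify unicast reverse-path
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
"""

# Interface commands that add per-packet work on a software-forwarding router;
# these are the ones the accepted answer removes one at a time.
PER_PACKET_FEATURES: List[Tuple[str, str]] = [
    (r"^ip access-group (\S+) in$", "inbound ACL {0}"),
    (r"^ip verify unicast reverse-path$", "unicast RPF source check"),
    (r"^ip mask-reply$", "ICMP mask-reply"),
    (r"^ip directed-broadcast$", "directed-broadcast forwarding"),
    (r"^ip inspect (\S+) in$", "CBAC inspection with rule set {0}"),
    (r"^ip virtual-reassembly$", "virtual fragment reassembly"),
    (r"^ip tcp adjust-mss (\d+)$", "TCP MSS clamping to {0}"),
]


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS running-config into interface stanzas: name -> its indented lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None          # '!' or any global command ends the stanza
    return stanzas


def feature_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """(description, exact command) for each per-packet feature, in config order."""
    found = []
    for cmd in lines:
        for pattern, label in PER_PACKET_FEATURES:
            m = re.match(pattern, cmd)
            if m:
                found.append((label.format(*m.groups()), cmd))
    return found


def removal_plan(config: str, interface: str) -> List[str]:
    """The negated commands that strip every per-packet feature from one interface."""
    inv = feature_inventory(parse_interfaces(config)[interface])
    return ["interface " + interface] + [" no " + cmd for _, cmd in inv]


def unprotected_outside_acls(config: str) -> List[Tuple[str, str]]:
    """(interface, acl) for outside interfaces that still carry an inbound ACL
    while no interface carries an inspect rule. In that state replies to
    LAN-originated sessions are judged by the static ACL alone, which is the
    'nothing connects' symptom the question describes."""
    stanzas = parse_interfaces(config)
    inspect_present = any(re.match(r"^ip inspect \S+ in$", line)
                          for lines in stanzas.values() for line in lines)
    if inspect_present:
        return []
    result = []
    for name, lines in stanzas.items():
        if "ip nat outside" in lines:
            for line in lines:
                m = re.match(r"^ip access-group (\S+) in$", line)
                if m:
                    result.append((name, m.group(1)))
    return result


if __name__ == "__main__":
    for name in parse_interfaces(CONFIG_EXCERPT):
        print("\n".join(removal_plan(CONFIG_EXCERPT, name)))
    print(unprotected_outside_acls(CONFIG_EXCERPT.replace(" ip inspect CCP_LOW in\n", "")))
```

Applying the plan to the full posted config rather than the excerpt would also flag FastEthernet0, which carries ACL 101 inbound and `ip nat outside`, so the Internet side needs the same treatment as the hospital side when the inspect rule is removed for testing.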

Author Comment

by:moaneye
Thank you all very much for your help. After much troubleshooting, we discovered that the problem was not related to the router at all. It exhibits itself only on Windows 7 computers that are joined to the internal network's Windows 2011-based Active Directory domain. Windows XP computers, whether joined to the domain or not, and standalone Windows 7 computers not joined to the domain are not affected. We suspect something in the Windows 7 domain policy, but have not found it yet.

Again, thank you and I apologize for taking your time.