Extremely Slow Download Speed

[MulLa]

Hi All,

Have this very weird situation which started about 2 months ago, download speed on the ADSL line started dropping to around 2KB/s where as it should roughly be around 50KB/s. Before that I would get days of 2KB/s and then days with full speed, I assumed it was congestion with a bad ISP but apparently not!!

Weirdness #1
If I open up enough connection to the net say downloading 10 files at the same time via flashget with 10 concurrent connections in each file I CAN reach 50KB/s.

Weirdness #2
I tried connecting to the ftp site of my ISP and a single file download there is at the maximum speed of 50KB/s

Weirdness #3
Downloading a file from the ISP's speedtesting site (HTTP) is down to 2KB/s again.

I've tried various sites such as Cisco / Microsoft / Symantec and download speed are all extremely slow.

Tried using a dlink router and that achieved full speed on downloads :S

Have a Cisco 1841 with an ADSL HWIC card as the modem / router. Using ISA as a proxy service.

I did "sh int" and there's no error packet detected.

Anyone has any pointers as to where I should look to fix this weird problem?! :S


Thanks heaps in advance.

 

[p0lar]

Can you sanitize your show run and post it? Also, without the ISA proxy service, what does it pull?

 

[MulLa]

Hi p0lar, shutted down the ISA and speed remains the same.

Here's my config with what I think is not related snipped. Let me know if you need full config which is fairly long.

Sorry for the long post & thanks in advance for any tips & hints.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Border
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 ***
!
aaa new-model
!
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
ip inspect log drop-pkt
ip inspect name fwall cuseeme
ip inspect name fwall dns
ip inspect name fwall ftp
ip inspect name fwall h323
ip inspect name fwall https
ip inspect name fwall http
ip inspect name fwall icmp
ip inspect name fwall imap
ip inspect name fwall pop3
ip inspect name fwall netshow
ip inspect name fwall rcmd
ip inspect name fwall realaudio
ip inspect name fwall rtsp
ip inspect name fwall smtp
ip inspect name fwall sqlnet
ip inspect name fwall streamworks
ip inspect name fwall tftp
ip inspect name fwall tcp
ip inspect name fwall udp
ip inspect name fwall vdolive
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name myips
ip domain name domain.local
ip name-server 172.16.30.1
ip name-server "ISP DNS1"
ip name-server "ISP DNS2"
vpdn enable
!
*vpn crypto information snipped*
!
interface FastEthernet0/0
description Trunk to switch
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.110
description Wired LAN
encapsulation dot1Q 110 native
ip address 172.16.30.2 255.255.255.0
ip access-group 120 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/0.120
description Wireless LAN
encapsulation dot1Q 120
ip address 172.16.40.1 255.255.255.0
ip access-group 130 in
ip helper-address 172.16.30.1
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/0.130
description Shared Wireless LAN
encapsulation dot1Q 130
ip address 172.16.70.1 255.255.255.0
ip access-group 135 in
ip helper-address 172.16.30.1
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface FastEthernet0/1
description DMZ
ip address 172.16.60.1 255.255.255.0
ip access-group 133 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no snmp trap link-status
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 140 in
ip inspect fwall out
ip ips myips in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***
ppp chap password 7 ***
crypto map clientmap
!
ip local pool ippool 172.16.50.1 172.16.50.3
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 50
ip http secure-server
ip nat inside source route-map rmap1 interface Dialer1 overload
ip nat inside source static tcp 172.16.30.1 25 interface Dialer1 25
ip nat inside source static tcp 172.16.30.1 443 interface Dialer1 443
ip nat inside source static tcp 172.16.60.2 21 interface Dialer1 21
!
access-list 1 permit 172.16.30.0 0.0.0.255
access-list 1 permit 172.16.40.0 0.0.0.255
access-list 50 permit 172.16.30.0 0.0.0.255
access-list 105 remark RMAP1_ACL
access-list 105 deny ip 172.16.30.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 deny ip 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.3
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 remark VPN_ACL
access-list 110 permit ip 172.16.30.0 0.0.0.255 any
access-list 110 permit ip 172.16.40.0 0.0.0.255 any
access-list 120 remark VLAN110_ACL
access-list 120 permit tcp 172.16.30.0 0.0.0.255 any
access-list 120 permit udp 172.16.30.0 0.0.0.255 any
access-list 120 permit icmp 172.16.30.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 130 remark VLAN120_ACL
access-list 130 permit tcp 172.16.40.0 0.0.0.255 any
access-list 130 permit udp any any
access-list 130 permit icmp 172.16.40.0 0.0.0.255 any
access-list 130 deny ip any any log
access-list 133 remark DMZ_ACL
access-list 133 permit ip 172.16.60.0 0.0.0.255 host 172.16.30.2
access-list 133 deny ip 172.16.60.0 0.0.0.255 172.16.30.0 0.0.0.255
access-list 133 deny ip 172.16.60.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 133 deny ip 172.16.60.0 0.0.0.255 172.16.50.0 0.0.0.255
access-list 133 deny ip 172.16.60.0 0.0.0.255 172.16.70.0 0.0.0.255
access-list 133 permit ip 172.16.60.0 0.0.0.255 any
access-list 133 deny ip any any log
access-list 135 remark VLAN130_ACL
access-list 135 permit tcp 172.16.70.0 0.0.0.255 any
access-list 135 permit udp any any
access-list 135 permit icmp 172.16.70.0 0.0.0.255 any
access-list 135 deny ip any any log
access-list 140 remark FWALL_ACL
access-list 140 permit tcp any any eq smtp
access-list 140 permit tcp any any eq 443
access-list 140 permit tcp any any eq 21
access-list 140 permit ip 172.16.50.0 0.0.0.3 172.16.30.0 0.0.0.255
access-list 140 permit ip 172.16.50.0 0.0.0.3 172.16.40.0 0.0.0.255
access-list 140 permit udp any any eq non500-isakmp
access-list 140 permit udp any any eq isakmp
access-list 140 permit esp any any
access-list 140 permit ahp any any
access-list 140 permit udp host 210.15.254.241 eq domain any
access-list 140 permit udp host 210.15.254.240 eq domain any
access-list 140 deny ip 172.16.30.0 0.0.0.255 any
access-list 140 deny ip 172.16.40.0 0.0.0.255 any
access-list 140 permit icmp any any echo-reply
access-list 140 permit icmp any any time-exceeded
access-list 140 permit icmp any any unreachable
access-list 140 deny ip 172.16.0.0 0.15.255.255 any
access-list 140 deny ip 192.168.0.0 0.0.255.255 any
access-list 140 deny ip 127.0.0.0 0.255.255.255 any
access-list 140 deny ip host 255.255.255.255 any
access-list 140 deny ip host 0.0.0.0 any
access-list 140 deny ip any any log
snmp-server community paselar RO 1
snmp-server host 172.16.30.1 public
!
route-map rmap1 permit 1
match ip address 105
!
*radius & line information snipped*
!
end

 

[nightowl]

I would check the DSL interface information. I do not have a router in front of me with a DSL interface but I think it is something like "show dsl ..." or "show controllers atm". Under one of those commands it should show you the rates that the DSL interface negotiated with the DSLAM as well as the SNR.

 

[p0lar]

I don't see anything that really grabs me as to why it would slow down. An 1841 can easily handle the ACL requirements you have given it (though I don't care entirely for how you have it structured but I suspect you have reasons for what you've done), won't have any problems with dot1q encap, and aren't running tunnel interfaces of any sort (or not that's listed).

Have you tried removing the ips from the dialer interface? Also, under load, what does a sh proc cpu show? What switch are you trunked to on fa0/0? No negotiation/duplex issues, right? Where is that ISA server located in the network topology?

Can you get the stats from that DSL interface to see what it shows as well? (re: nightowl)

 

[MulLa]

Thanks heaps everyone for the assistance.

Well the ACL's are in a mess coz I've started building this router when I was just starting out on Cisco experimentation and building overtime has created a mess :s

There are no tunnel interfaces, I do have VPN setup over it but there were no VPN clients connected. In the past even with VPN clients connected it was still downloading at a good speed.

CPU utilisation is extremely low, it's not under load but I don't see it going much higher than that.
CPU utilization for five seconds: 2%/0%; one minute: 1%; five minutes: 1%

It's trunking to a 2950 switch, no negotiation/duplex issues. ISA server is purely running as a proxy only, behind the 1841 router.

Below are the requested sh commands, let me know if you need any further information.

Sh controllers atm0/0/0
Interface: ATM0/0/0, Hardware: HWIC-DSLSAR (with Alcatel ADSL Module), State: up
IDB: 64281A48 Instance: 64282BC0 reg_dslsar:50520000 adsl_regs: 50560000
fpgaRegs:50408000 alcRegs: 50580000
PHY Inst:642B1998 us_bwidth:512
Slot: 0 Unit: 0 Subunit: 0 pkt Size: 4528
VCperVP: 256 max_vp: 256 max_vc: 65536 total vc: 1
rct_size:65536 vpivcibit:16 connTblVCI:8 vpi_bits: 8
vpvc_sel:3 enabled: 0 throttled: 0 cell drops: 0
Last Peridic Timer 02:41:49.936(9709936)

FPGA Register Value Notes
--------------- ---------- ----------
FPGA Rev 0x00040022

ADSL Register Value Notes
--------------- ---------- ----------
ADSL Config Reg 0x000D8C80 CD LED on;
LT-TE Mode = TE;
NTR Pass Thru = 0;
NTR Enable = 1;
OK LED on;
LOOPBACK LED off;
Gen ADSL over POTS error int on bad ADSL over POTS
access

ADSL Int Enable 0x00000003 ADSL over POTS normal interrupt enabled
ADSL over POTS error interrupt enabled

DSLSAR Register Value Notes
--------------- ---------- ----------
config: 0x600D0A20 RXEN.RegulateXmit.RMCell.TXEN.
Rx Buffer size: 1024. RCT: Large, VPI Bits: 8.
status: 0x00000000
rpq_base: 0x0E9C6000
rpq_head: 0x0E9C68C0
rpq_tail: 0x0E9C68C0
clkPerCell: 5300265 (line rate: 512 Kbps)
Tx Error: 0x00000000
Lookup Error cnt: 0x00000000
Invalid Cell cnt: 0x00000000
Timer: 0x00000000
tstBase1: 0x00013C28 TST boot jump.
Pre-timer Count: 333
rcid_tableBase: 0x00000000
rct_base: 0x00010000
fbq_base: 0x00017800
fbq_head: 0x00017E30
fbq_tail: 0x00017E54
rawCellBase: 0x0E9C4000
rcq_head: 0x0E9C4000
rcq_tail: 0x0E9C4000
Last Addr: 0x00000000
tbq_base: 0x0E9C7000
tbq_head: 0x0E9C75F8
tbq_tail: 0x0E9C75F8

Host Memory Qs Value Notes
--------------- ---------- ----------
rxCellQ: 0x0E9C4000
rxPacketQ: 0x0E9C6000
txBufQ: 0x0E9C7000


txPakInfo Array
Index vcd pak Ptr particle Ptr
----- --- ------- ------------


rx_particleArray:
Index ParticlePointer
----- ---------------
396. 0x642A0800
397. 0x642A0A40
398. 0x642A0940
399. 0x642A0840
400. 0x642A09C0
401. 0x642A0900
402. 0x642A0980
403. 0x642A08C0
404. 0x642A0A80

VC QoS Summary
--------------
Active Configured Scheduled
Connections
VCD VPI/VCI COS PCR SCR/MCR COS PCR SCR/MCR
--- --------- -------- ------ ------- -------- ------- --------
1 8 /35 UBR 0 n/a UBR 512 n/a


Connections RX RX RX RX RX TX TX TX TX TX TX
VCD VPI/ VCI AAL5 AAL2 RAW Chain Drop AAL5 AAL2 RAW TSI Drop MI
SS
--- --- ----- ----- ----- ----- ----- ----- ----- ----- ----- ----- -----
0 0 /0 0 0 0 0 0 0 0 0 0 0 0

1 8 /35 27020 0 0 0 0 57791 0 0 0 0 0


TX Queues: |<-rcte->|<--TCD Contents->|<----- tcqTail TBD Contents ----->|
VCD VPI/ VCI CtrlStat tcqTail tcqHead control bufAddr aal5Ctrl cellHdr
--- --- ----- -------- -------- -------- -------- -------- -------- --------
1 8 /35 318A0000 C0(19C00) C0 8000060 E84328E 48 800232

Oam pak statistics:
Oam paks waiting for tx for each vcd(vcd/count/drop)
1/0/0 2/0/0 3/0/0 4/0/0 5/0/0 6/0/0 7/0/0 8/0/0
9/0/0 10/0/0 11/0/0 12/0/0 13/0/0 14/0/0 15/0/0 16/0/0
17/0/0 18/0/0 19/0/0 20/0/0 21/0/0 22/0/0 23/0/0
Misc Oam Drops: 0

Sh int dialer1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address is *.*.*.*/32
MTU 1492 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi1
Last input never, output never, output hang never
Last clearing of "show interface" counters 02:42:53
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
92576 packets input, 122614536 bytes
57810 packets output, 3459539 bytes
Bound to:
Virtual-Access1 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1492 bytes, BW 512 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Open
Listen: CDPCP
Open: IPCP
PPPoE vaccess, cloned from Dialer1
Vaccess status 0x44, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Interface is bound to Di1 (Encapsulation PPP)
Last input 00:01:47, output never, output hang never
Last clearing of "show interface" counters 02:37:38
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
92586 packets input, 122614686 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
57818 packets output, 3459675 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions

 

[MulLa]

Anyone has any ideas? Rebuilding from scratch is going to be painful, especially I've forgotten what half the stuff does but sounds like the only option.

Thanks in advance.