CISCO smart office tunnel slow speed issue?
Posted: Tue Jun 24, 2014 11:50 am
Hi there, here is my scenario…
Cisco 819/LTE: the carrier provides just the LTE data, then -> tunneling to our ISP -> tunneling to our company. We currently have 5 LTE routers under test, all the same model. People are all reporting slow internet speed, browser lag, poor YouTube videos, etc. Our config sample is attached.
I had an opinion earlier that the slow speed may be coming from the two tunnels? I dropped our tunnel and connected the router directly to the ISP, and the speed was much faster.
Can someone take a look and advise me, please?
Thanks!!!
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.06.24 18:10:38 =~=~=~=~=~=~=~=~=~=~=~=
login as: xxxx
Using keyboard-interactive authentication.
password:
Qnet-Test-LET#h sh run
Building configuration...
WLAN_AP_SM: Config command is not supported
Current configuration : 7481 bytes
!
! Last configuration change at 18:00:02 GMT Tue Jun 24 2014 by i.kotb
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname Qnet-Test-LET
!
boot-start-marker
boot-end-marker
!
!
no logging console
no logging monitor
enable secret 4 Sy9tJNqttxV8w
!
aaa new-model
!
!
aaa authentication fail-message ^CC"Wrong Username or Password Try again"^C
aaa authentication login ACS group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 3 0
!
!
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip dhcp excluded-address 172.16.210.1
ip dhcp excluded-address 172.16.210.2
ip dhcp excluded-address 172.16.210.3
ip dhcp excluded-address 172.16.210.4
!
ip dhcp pool HOME
network 172.16.210.0 255.255.255.0
domain-name ddd.gov.kw
default-router 172.16.210.1
dns-server 8.8.8.8 8.8.4.4 4.2.2.2
lease 15
!
!
!
no ip bootp server
no ip domain lookup
ip domain name ddd.gov.kw
login block-for 60 attempts 3 within 30
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
password encryption aes
license udi pid C819G-4G-G-K9 sn FCZ1724C2P6
!
!
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
hidekeys
!
spanning-tree portfast bpduguard
spanning-tree uplinkfast
spanning-tree backbonefast
username admin privilege 15 secret 4 /O9KVo9gCjfTKdjT5P6b/bPwcHl2VK1pNRydWUCXu0E
username qnet privilege 15 secret 4 IbiXgxxvREaceGDQWtzewW3VD3dS3.pu28srqY7qN9Y
username support privilege 15 view support secret 4 cMM104tPrtrsXAmTKUUzvEYyUNZqu5FKhoqjmxQ/2FE
!
!
!
!
!
controller Cellular 0
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
csdb session max-session 65
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
lifetime 60
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key ddd@Qnet address 10.94.86.85
crypto isakmp key dddDMVPN address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set 50 esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
set transform-set DMVPN
!
!
!
crypto map QNETVPN 10 ipsec-isakmp
set peer 10.94.86.85
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
!
!
!
!
interface Loopback1
ip address 172.16.1.210 255.255.255.255
!
interface Tunnel0
description *** DMVPN Tunnel ***
ip address 172.30.6.210 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1416
ip nat outside
ip nhrp authentication DMVPN
ip nhrp map 172.30.6.1 172.16.1.2
ip nhrp map multicast 172.16.1.2
ip nhrp network-id 1
ip nhrp holdtime 60
ip nhrp nhs 172.30.6.1
ip virtual-reassembly in
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile DMVPN-PROFILE
!
interface Cellular0
description ***LTE-97235666***
ip address negotiated
ip mtu 1460
encapsulation slip
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
routing dynamic
!
interface FastEthernet0
description *** LAN ***
no ip address
no logging event link-status
!
interface FastEthernet1
description *** LAN ***
no ip address
no logging event link-status
spanning-tree portfast
!
interface FastEthernet2
description *** LAN ***
no ip address
no logging event link-status
!
interface FastEthernet3
description *** LAN ***
no ip address
no logging event link-status
spanning-tree portfast
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 172.16.210.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1436
no autostate
!
interface Dialer1
mtu 1460
ip address negotiated
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string lte
dialer persistent delay initial 5
dialer-group 1
no peer default ip address
crypto map QNETVPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Tunnel0 overload
ip route 0.0.0.0 0.0.0.0 172.30.6.1 name Internet-CSC
ip route 10.94.86.0 255.255.255.128 Dialer1
ip route 172.16.1.0 255.255.255.252 Dialer1
ip tacacs source-interface Tunnel0
!
!
logging source-interface Tunnel0
logging host 172.30.150.245
access-list 1 permit 172.16.210.0 0.0.0.255
access-list 10 permit 172.30.150.245
access-list 10 remark Used To Allow SNMP Server Access
access-list 10 permit 172.30.150.248
access-list 10 permit 172.30.150.200
access-list 101 permit ip any any
no cdp run
!
snmp-server community CsC!BS& RO 10
snmp-server ifindex persist
snmp-server trap-source Tunnel0
snmp-server source-interface informs Tunnel0
snmp-server location HOME DSL
snmp-server contact Network Support Team
snmp mib persist circuit
tacacs-server host 172.30.150.108
tacacs-server host 172.30.150.109
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 1531382F490B081765001001263533
!
!
!
control-plane
!
!
banner login ^CC
**********************************************************************
*******
**********************************************************************
*******
** Authorised Access Only
**
** This system is the property of DDD
**
**
**
**
**
**
**
**********************************************************************
*******
**********************************************************************
*******
^C
parser view support
secret 5 $1$PF93$IHcUcj21ul46Mpv6oyqmp1
commands exec include all ssh
commands exec include all telnet
commands exec include all traceroute
commands exec include all ping
commands exec include all show
!
!
line con 0
exec-timeout 0 0
privilege level 15
login authentication ACS
no modem enable
stopbits 1
line aux 0
login authentication ACS
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
exec-timeout 0 0
privilege level 15
login authentication ACS
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
login authentication ACS
transport input ssh
!
All activity on this system is logged.
Disconnect IMMEDIATELY if you are not an authorised user!
line 3
"Any Violation Will be Prosecuted"
scheduler allocate 20000 1000
ntp source Tunnel0
ntp update-calendar
ntp server 172.30.205.204 prefer
ntp server 172.30.205.205
!
end
Qnet-Test-LET#
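Added example (not part of the original post): a Python sketch that sizes a packet through the two encapsulation layers in the posted config, mGRE with `tunnel key` inside ESP AES/SHA tunnel mode (DMVPN-PROFILE), then ESP DES/MD5 tunnel mode (crypto map QNETVPN on Dialer1). It assumes DMVPN packets leaving Dialer1 match `access-list 101 permit ip any any`, that no NAT-T UDP encapsulation is in use, and that both HMACs are truncated to 96 bits.

```python
IP_HDR, TCP_HDR = 20, 20
GRE_WITH_KEY = IP_HDR + 4 + 4   # outer IP + GRE header + 4-byte tunnel key
ESP_HDR, ICV_96 = 8, 12         # SPI + sequence number; HMAC truncated to 96 bits

# Values copied from the posted running-config.
TUNNEL_IP_MTU = 1416   # interface Tunnel0: ip mtu 1416
DIALER_MTU = 1460      # interface Dialer1: mtu 1460
ADJUST_MSS = 1436      # interface Vlan1: ip tcp adjust-mss 1436

def esp_tunnel(inner, iv, block):
    """Size of an ESP tunnel-mode packet carrying an `inner`-byte IP packet."""
    # +2 covers the pad-length and next-header bytes; pad up to the cipher block.
    padded = -(-(inner + 2) // block) * block
    return IP_HDR + ESP_HDR + iv + padded + ICV_96

def on_wire(inner):
    """LAN packet -> mGRE -> ESP AES-CBC (DMVPN) -> ESP DES-CBC (crypto map)."""
    gre = inner + GRE_WITH_KEY
    dmvpn = esp_tunnel(gre, iv=16, block=16)   # transform-set DMVPN
    return esp_tunnel(dmvpn, iv=8, block=8)    # transform-set 50

def max_inner(link_mtu):
    """Largest inner IP packet that leaves the link without fragmentation."""
    size = link_mtu
    while on_wire(size) > link_mtu:
        size -= 1
    return size

def report():
    fit = max_inner(DIALER_MTU)
    return {
        # Largest TCP/IP packet a LAN host sends after MSS clamping.
        "tcp_packet_at_adjust_mss": ADJUST_MSS + IP_HDR + TCP_HDR,
        # Size on Dialer1 of a packet that exactly fills the Tunnel0 ip mtu.
        "wire_size_at_tunnel_mtu": on_wire(TUNNEL_IP_MTU),
        "max_inner_packet": fit,
        "max_mss": fit - IP_HDR - TCP_HDR,
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

Under these assumptions the clamped TCP packet (1476 bytes) is larger than the Tunnel0 `ip mtu`, and a full-size tunnel packet grows to 1568 bytes against a 1460-byte Dialer1 MTU, so full-size traffic is fragmented at more than one layer.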