
Thread: CISCO smart office tunnel slow speed issue?

  1. #1
    Advanced Member ISKOTB's Avatar
    Join Date
    Apr 2000
    Location
    U.S.A
    Posts
    681

    CISCO smart office tunnel slow speed issue?

    Hi there, here is my scenario…
    CISCO 819/LTE: the carrier provides just the LTE data, then —> tunneling to our ISP —> tunneling to our company. We currently have 5 LTE test routers, all the same model. People are all reporting slow internet speed, browser lag and poor YouTube video, etc. Our config sample is attached.
    I had an opinion earlier that the slow speed may be coming from the two tunnels? I dropped our tunnel and connected the router directly to the ISP, and the speed was much faster.
    Can someone take a look and advise me, please?
    Thanks!!!


    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.06.24 18:10:38 =~=~=~=~=~=~=~=~=~=~=~=
    login as: xxxx
    Using keyboard-interactive authentication.
    password:
    Qnet-Test-LET#h sh run
    Building configuration...
    WLAN_AP_SM: Config command is not supported
    Current configuration : 7481 bytes
    !
    ! Last configuration change at 18:00:02 GMT Tue Jun 24 2014 by i.kotb
    version 15.2
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec
    service password-encryption
    service sequence-numbers
    !
    hostname Qnet-Test-LET
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no logging console
    no logging monitor
    enable secret 4 Sy9tJNqttxV8w
    !
    aaa new-model
    !
    !
    aaa authentication fail-message ^CC"Wrong Username or Password Try again"^C
    aaa authentication login ACS group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    !
    !
    !
    !
    !
    aaa session-id common
    memory-size iomem 10
    clock timezone GMT 3 0
    !
    !
    no ip source-route
    ip arp proxy disable
    no ip gratuitous-arps
    ip cef
    !
    !
    !
    !
    !
    ip dhcp excluded-address 172.16.210.1
    ip dhcp excluded-address 172.16.210.2
    ip dhcp excluded-address 172.16.210.3
    ip dhcp excluded-address 172.16.210.4
    !
    ip dhcp pool HOME
    network 172.16.210.0 255.255.255.0
    domain-name ddd.gov.kw
    default-router 172.16.210.1
    dns-server 8.8.8.8 8.8.4.4 4.2.2.2
    lease 15
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name ddd.gov.kw
    login block-for 60 attempts 3 within 30
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
    password encryption aes
    license udi pid C819G-4G-G-K9 sn FCZ1724C2P6
    !
    !
    archive
    log config
    logging enable
    logging size 500
    notify syslog contenttype plaintext
    hidekeys
    !
    spanning-tree portfast bpduguard
    spanning-tree uplinkfast
    spanning-tree backbonefast
    username admin privilege 15 secret 4 /O9KVo9gCjfTKdjT5P6b/bPwcHl2VK1pNRydWUCXu0E
    username qnet privilege 15 secret 4 IbiXgxxvREaceGDQWtzewW3VD3dS3.pu28srqY7qN9Y
    username support privilege 15 view support secret 4 cMM104tPrtrsXAmTKUUzvEYyUNZqu5FKhoqjmxQ/2FE
    !
    !
    !
    !
    !
    controller Cellular 0
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh version 2
    csdb session max-session 65
    !
    !
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 14
    lifetime 60
    !
    crypto isakmp policy 10
    encr aes 256
    hash md5
    authentication pre-share
    group 5
    lifetime 3600
    crypto isakmp key ddd@Qnet address 10.94.86.85
    crypto isakmp key dddDMVPN address 0.0.0.0
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 60
    crypto isakmp nat keepalive 30
    !
    !
    crypto ipsec transform-set 50 esp-des esp-md5-hmac
    mode tunnel
    crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
    mode tunnel
    !
    crypto ipsec profile DMVPN-PROFILE
    set transform-set DMVPN
    !
    !
    !
    crypto map QNETVPN 10 ipsec-isakmp
    set peer 10.94.86.85
    set security-association lifetime seconds 900
    set transform-set 50
    set pfs group5
    match address 101
    !
    !
    !
    !
    !
    interface Loopback1
    ip address 172.16.1.210 255.255.255.255
    !
    interface Tunnel0
    description *** DMVPN Tunnel ***
    ip address 172.30.6.210 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1416
    ip nat outside
    ip nhrp authentication DMVPN
    ip nhrp map 172.30.6.1 172.16.1.2
    ip nhrp map multicast 172.16.1.2
    ip nhrp network-id 1
    ip nhrp holdtime 60
    ip nhrp nhs 172.30.6.1
    ip virtual-reassembly in
    tunnel source Loopback1
    tunnel mode gre multipoint
    tunnel key 1000
    tunnel protection ipsec profile DMVPN-PROFILE
    !
    interface Cellular0
    description ***LTE-97235666***
    ip address negotiated
    ip mtu 1460
    encapsulation slip
    dialer in-band
    dialer pool-member 1
    dialer-group 1
    async mode interactive
    routing dynamic
    !
    interface FastEthernet0
    description *** LAN ***
    no ip address
    no logging event link-status
    !
    interface FastEthernet1
    description *** LAN ***
    no ip address
    no logging event link-status
    spanning-tree portfast
    !
    interface FastEthernet2
    description *** LAN ***
    no ip address
    no logging event link-status
    !
    interface FastEthernet3
    description *** LAN ***
    no ip address
    no logging event link-status
    spanning-tree portfast
    !
    interface GigabitEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0
    no ip address
    shutdown
    clock rate 2000000
    !
    interface Vlan1
    ip address 172.16.210.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1436
    no autostate
    !
    interface Dialer1
    mtu 1460
    ip address negotiated
    ip virtual-reassembly in
    encapsulation slip
    dialer pool 1
    dialer idle-timeout 0
    dialer string lte
    dialer persistent delay initial 5
    dialer-group 1
    no peer default ip address
    crypto map QNETVPN
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 1 interface Tunnel0 overload
    ip route 0.0.0.0 0.0.0.0 172.30.6.1 name Internet-CSC
    ip route 10.94.86.0 255.255.255.128 Dialer1
    ip route 172.16.1.0 255.255.255.252 Dialer1
    ip tacacs source-interface Tunnel0
    !
    !
    logging source-interface Tunnel0
    logging host 172.30.150.245
    access-list 1 permit 172.16.210.0 0.0.0.255
    access-list 10 permit 172.30.150.245
    access-list 10 remark Used To Allow SNMP Server Access
    access-list 10 permit 172.30.150.248
    access-list 10 permit 172.30.150.200
    access-list 101 permit ip any any
    no cdp run
    !
    snmp-server community CsC!BS& RO 10
    snmp-server ifindex persist
    snmp-server trap-source Tunnel0
    snmp-server source-interface informs Tunnel0
    snmp-server location HOME DSL
    snmp-server contact Network Support Team
    snmp mib persist circuit
    tacacs-server host 172.30.150.108
    tacacs-server host 172.30.150.109
    tacacs-server timeout 10
    tacacs-server directed-request
    tacacs-server key 7 1531382F490B081765001001263533
    !
    !
    !
    control-plane
    !
    !
    banner login ^CC
    *****************************************************************************
    *****************************************************************************
    ** Authorised Access Only **
    ** This system is the property of DDD **
    ** **
    ** **
    ** **
    *****************************************************************************
    *****************************************************************************
    ^C
    parser view support
    secret 5 $1$PF93$IHcUcj21ul46Mpv6oyqmp1
    commands exec include all ssh
    commands exec include all telnet
    commands exec include all traceroute
    commands exec include all ping
    commands exec include all show
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    login authentication ACS
    no modem enable
    stopbits 1
    line aux 0
    login authentication ACS
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    stopbits 1
    script dialer lte
    no exec
    rxspeed 100000000
    txspeed 50000000
    line vty 0 4
    exec-timeout 0 0
    privilege level 15
    login authentication ACS
    transport input ssh
    line vty 5 15
    exec-timeout 0 0
    privilege level 15
    login authentication ACS
    transport input ssh
    !
    All activity on this system is logged.
    Disconnect IMMEDIATELY if you are not an authorised user!
    line 3
    "Any Violation Will be Prosecuted"
    scheduler allocate 20000 1000
    ntp source Tunnel0
    ntp update-calendar
    ntp server 172.30.205.204 prefer
    ntp server 172.30.205.205
    !
    end
    Qnet-Test-LET#

  2. #2
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,965
    With site to site VPN tunnels, you have to consider a few things.
    * Upstream speed of each end of the tunnel. Say you have HQ on a 10 meg symmetrical fiber pipe, and you have a satellite office on a cable connection at 15/2. The upstream of the satellite office is 2 megs. So the HQ side of the tunnel can only pull from the satellite at a max of <2 megs (minus overhead for the tunnel and other things). The satellite office can pull from HQ at <10 megs.

    Or say you have both sites on a 10/2 connection...you look at the upload of each, you have a <2 meg VPN tunnel.

    NOW....you have to find the balance of QoS for your VPN tunnel, versus the load of the local office users. Many VPN devices allow you to place a high QoS on the VPN tunnel, even dedicate minimal bandwidth to it...so that a local user streaming Pandora radio doesn't suck the life out of the connection and gag the VPN tunnel.

    Other things to consider, you mention browsing, is this for local users or remote users? Do you have split tunneling? Where is DNS being used? Afar on the tunnel or local?

    What is the size of the pipes at each end?

    Is the central VPN host perhaps oversubscribed for bandwidth? Say it has 2 megs of upload, and you mention 5x VPN tunnels. How much bandwidth per VPN tunnel? 2 megs won't go far supporting 5x VPN tunnels.
    MORNING WOOD Lumber Company
    Guinness for Strength!!!

  3. #3
    Advanced Member ISKOTB's Avatar
    Join Date
    Apr 2000
    Location
    U.S.A
    Posts
    681
    I was told I have to play with the MTU settings in the conf above? Here are the answers to your questions... Local "office" users are fine; the issue is with the remote users, and mostly on this particular router model above. Once the tunnel kicks in they use the DNS in the office, nothing from the remote site. Our contract with the ISP is 4mb down for each user and 1mb upload, and at the office the ISP router is terminated by a fiber connection.
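
    The MTU question raised above can be checked with arithmetic on the values in the posted config. The following is an added example, not part of any post in this thread: it assumes LAN traffic is wrapped in the order the config implies (mGRE on Tunnel0, then ESP from `DMVPN-PROFILE`, then ESP again from crypto map `QNETVPN` on Dialer1), standard ESP field sizes, and no NAT-T unless `nat_t=True` is passed.

    ```python
    import math

    IP, TCP = 20, 20
    GRE = 4 + 4              # GRE header plus the 4-byte field added by 'tunnel key 1000'

    # Values copied from the posted configuration
    ADJUST_MSS = 1436        # interface Vlan1: ip tcp adjust-mss 1436
    TUNNEL_MTU = 1416        # interface Tunnel0: ip mtu 1416
    LINK_MTU = 1460          # interface Cellular0 / Dialer1: mtu 1460


    def esp_tunnel(inner, block, iv, icv=12, nat_t=False):
        """Bytes on the wire for an ESP tunnel-mode packet carrying `inner` bytes."""
        padded = math.ceil((inner + 2) / block) * block   # +2: pad-length, next-header
        return IP + (8 if nat_t else 0) + 8 + iv + padded + icv


    def wire_size(lan_packet, nat_t=False):
        """Size of one LAN IP packet after both tunnels (assumed order, see above)."""
        gre = IP + GRE + lan_packet                           # Tunnel0, mGRE
        dmvpn = esp_tunnel(gre, block=16, iv=16)              # esp-aes esp-sha-hmac
        return esp_tunnel(dmvpn, block=8, iv=8, nat_t=nat_t)  # esp-des esp-md5-hmac


    def max_lan_packet(link_mtu=LINK_MTU, nat_t=False):
        """Largest LAN IP packet that leaves the cellular link unfragmented."""
        size = link_mtu
        while wire_size(size, nat_t) > link_mtu:
            size -= 1
        return size


    def report(nat_t=False):
        largest_tcp = ADJUST_MSS + IP + TCP   # biggest packet the MSS clamp allows
        fit = max_lan_packet(nat_t=nat_t)
        return {
            "largest_tcp_packet": largest_tcp,
            "exceeds_tunnel_mtu": largest_tcp > TUNNEL_MTU,
            "wire_size_at_tunnel_mtu": wire_size(TUNNEL_MTU, nat_t),
            "largest_unfragmented_lan_packet": fit,
            "mss_that_fits": fit - IP - TCP,
        }


    if __name__ == "__main__":
        for name, value in report().items():
            print(f"{name:32} {value}")
    ```

    Under these assumptions a full-size TCP segment allowed by the MSS clamp is larger than the Tunnel0 `ip mtu`, and a packet that exactly fills the Tunnel0 MTU is still larger than the 1460-byte cellular link once both encapsulations are added, so it is fragmented after encryption.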

  4. #4
    Moderator YeOldeStonecat's Avatar
    Join Date
    Jan 2001
    Location
    Somewhere along the shoreline in New England
    Posts
    50,965
    How many users (workstations) at this remote location? I'm assuming this is an active directory environment and the workstations at the remote offices are joined to the domain of the central office?
    MORNING WOOD Lumber Company
    Guinness for Strength!!!
