Hi there, here is my scenario…
CISCO 819/LTE: the carrier provides just the LTE data, then —> tunneling to our ISP —> tunneling to our company. We currently have 5 LTE routers in test, all the same model. People are all reporting slow internet speed, browser lag, poor YouTube videos, etc. Our config sample is attached.
I had an opinion earlier that the slow speed may be coming from the two tunnels? I dropped our tunnel and connected the router directly to the ISP, and the speed was much faster.
Can someone take a look and advise me, please?
Thanks!!!
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.06.24 18:10:38 =~=~=~=~=~=~=~=~=~=~=~=
login as: xxxx
Using keyboard-interactive authentication.
password:
Qnet-Test-LET#h sh run
Building configuration...
WLAN_AP_SM: Config command is not supported
Current configuration : 7481 bytes
!
! Last configuration change at 18:00:02 GMT Tue Jun 24 2014 by i.kotb
version 15.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname Qnet-Test-LET
!
boot-start-marker
boot-end-marker
!
!
no logging console
no logging monitor
enable secret 4 Sy9tJNqttxV8w
!
aaa new-model
!
!
aaa authentication fail-message ^CC"Wrong Username or Password Try again"^C
aaa authentication login ACS group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 3 0
!
!
no ip source-route
ip arp proxy disable
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip dhcp excluded-address 172.16.210.1
ip dhcp excluded-address 172.16.210.2
ip dhcp excluded-address 172.16.210.3
ip dhcp excluded-address 172.16.210.4
!
ip dhcp pool HOME
network 172.16.210.0 255.255.255.0
domain-name ddd.gov.kw
default-router 172.16.210.1
dns-server 8.8.8.8 8.8.4.4 4.2.2.2
lease 15
!
!
!
no ip bootp server
no ip domain lookup
ip domain name ddd.gov.kw
login block-for 60 attempts 3 within 30
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script lte "" "AT!CALL1" TIMEOUT 20 "OK"
password encryption aes
license udi pid C819G-4G-G-K9 sn FCZ1724C2P6
!
!
archive
log config
logging enable
logging size 500
notify syslog contenttype plaintext
hidekeys
!
spanning-tree portfast bpduguard
spanning-tree uplinkfast
spanning-tree backbonefast
username admin privilege 15 secret 4 /O9KVo9gCjfTKdjT5P6b/bPwcHl2VK1pNRydWUCXu0E
username qnet privilege 15 secret 4 IbiXgxxvREaceGDQWtzewW3VD3dS3.pu28srqY7qN9Y
username support privilege 15 view support secret 4 cMM104tPrtrsXAmTKUUzvEYyUNZqu5FKhoqjmxQ/2FE
!
!
!
!
!
controller Cellular 0
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
csdb session max-session 65
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 14
lifetime 60
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 3600
crypto isakmp key ddd@Qnet address 10.94.86.85
crypto isakmp key dddDMVPN address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set 50 esp-des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DMVPN esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile DMVPN-PROFILE
set transform-set DMVPN
!
!
!
crypto map QNETVPN 10 ipsec-isakmp
set peer 10.94.86.85
set security-association lifetime seconds 900
set transform-set 50
set pfs group5
match address 101
!
!
!
!
!
interface Loopback1
ip address 172.16.1.210 255.255.255.255
!
interface Tunnel0
description *** DMVPN Tunnel ***
ip address 172.30.6.210 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1416
ip nat outside
ip nhrp authentication DMVPN
ip nhrp map 172.30.6.1 172.16.1.2
ip nhrp map multicast 172.16.1.2
ip nhrp network-id 1
ip nhrp holdtime 60
ip nhrp nhs 172.30.6.1
ip virtual-reassembly in
tunnel source Loopback1
tunnel mode gre multipoint
tunnel key 1000
tunnel protection ipsec profile DMVPN-PROFILE
!
interface Cellular0
description ***LTE-97235666***
ip address negotiated
ip mtu 1460
encapsulation slip
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
routing dynamic
!
interface FastEthernet0
description *** LAN ***
no ip address
no logging event link-status
!
interface FastEthernet1
description *** LAN ***
no ip address
no logging event link-status
spanning-tree portfast
!
interface FastEthernet2
description *** LAN ***
no ip address
no logging event link-status
!
interface FastEthernet3
description *** LAN ***
no ip address
no logging event link-status
spanning-tree portfast
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 172.16.210.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1436
no autostate
!
interface Dialer1
mtu 1460
ip address negotiated
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string lte
dialer persistent delay initial 5
dialer-group 1
no peer default ip address
crypto map QNETVPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Tunnel0 overload
ip route 0.0.0.0 0.0.0.0 172.30.6.1 name Internet-CSC
ip route 10.94.86.0 255.255.255.128 Dialer1
ip route 172.16.1.0 255.255.255.252 Dialer1
ip tacacs source-interface Tunnel0
!
!
logging source-interface Tunnel0
logging host 172.30.150.245
access-list 1 permit 172.16.210.0 0.0.0.255
access-list 10 permit 172.30.150.245
access-list 10 remark Used To Allow SNMP Server Access
access-list 10 permit 172.30.150.248
access-list 10 permit 172.30.150.200
access-list 101 permit ip any any
no cdp run
!
snmp-server community CsC!BS& RO 10
snmp-server ifindex persist
snmp-server trap-source Tunnel0
snmp-server source-interface informs Tunnel0
snmp-server location HOME DSL
snmp-server contact Network Support Team
snmp mib persist circuit
tacacs-server host 172.30.150.108
tacacs-server host 172.30.150.109
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key 7 1531382F490B081765001001263533
!
!
!
control-plane
!
!
banner login ^CC
**********************************************************************
*******
**********************************************************************
*******
** Authorised Access Only
**
** This system is the property of DDD
**
**
**
**
**
**
**
**********************************************************************
*******
**********************************************************************
*******
^C
parser view support
secret 5 $1$PF93$IHcUcj21ul46Mpv6oyqmp1
commands exec include all ssh
commands exec include all telnet
commands exec include all traceroute
commands exec include all ping
commands exec include all show
!
!
line con 0
exec-timeout 0 0
privilege level 15
login authentication ACS
no modem enable
stopbits 1
line aux 0
login authentication ACS
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
exec-timeout 0 0
privilege level 15
login authentication ACS
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
login authentication ACS
transport input ssh
!
All activity on this system is logged.
Disconnect IMMEDIATELY if you are not an authorised user!
"Any Violation Will be Prosecuted"
scheduler allocate 20000 1000
ntp source Tunnel0
ntp update-calendar
ntp server 172.30.205.204 prefer
ntp server 172.30.205.205
!
end
Qnet-Test-LET#
CISCO smart office tunnel slow speed issue?
- YeOldeStonecat
- SG VIP
- Posts: 51171
- Joined: Mon Jan 15, 2001 12:00 pm
- Location: Somewhere along the shoreline in New England
With site to site VPN tunnels, you have to consider a few things.
*Upstream speed of each end of the tunnel. Say you have HQ on a 10 meg symmetrical fiber pipe, and you have a satellite office on a cable connection at 15/2. The upstream of the satellite office is 2 megs. So the HQ side of the tunnel can only pull from the satellite at a max of <2 megs (minus overhead for the tunnel and other things). The satellite office can pull from HQ at <10 megs.
Or say you have both sites on a 10/2 connection...you look at the upload of each, you have a <2 meg VPN tunnel.
NOW....you have to find the balance of QoS for your VPN tunnel, versus the load of the local office users. Many VPN devices allow you to place a high QoS on the VPN tunnel, even dedicate minimal bandwidth to it...so that a local user streaming Pandora radio doesn't suck the life out of the connection and gag the VPN tunnel.
Other things to consider, you mention browsing, is this for local users or remote users? Do you have split tunneling? Where is DNS being used? Afar on the tunnel or local?
What is the size of the pipes at each end?
Is the central VPN host perhaps oversubscribed for bandwidth? Say it has 2 megs of upload, and you mention 5x VPN tunnels. How much bandwidth per VPN tunnel? 2 megs won't go far supporting 5x VPN tunnels.
MORNING WOOD Lumber Company
Guinness for Strength!!!
I was told I have to play with MTU strings in the conf above? Here are the answers to your questions... Local "office" users are fine; the issue is with the remote users, and mostly on this particular router model above. Once the tunnel kicks in they use the DNS in the office, nothing from the remote site. Our contract with the ISP is 4mb down for each user and 1mb upload, and at the office the ISP router is terminated by a fiber connection.
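The MTU question raised in this thread can be checked arithmetically against the posted config. The following is an added example, not code from any poster: the function names are hypothetical, and it assumes LAN traffic is wrapped by mGRE with a tunnel key, then by the DMVPN profile (esp-aes esp-sha-hmac, taken as 128-bit AES-CBC), then again by crypto map QNETVPN on Dialer1 (esp-des esp-md5-hmac, ACL 101 `permit ip any any`), with standard IPv4 header sizes and no NAT-T.

```python
# Added example: packet growth through the two IPsec layers in the posted config.
# Assumptions: IPv4/TCP without options, no NAT-T UDP encapsulation.

IP_HDR = 20          # IPv4 header without options
TCP_IP_HDRS = 40     # IPv4 + TCP headers without options
GRE_KEYED = 4 + 4    # base GRE header + "tunnel key" field

# (cipher block size, IV size, truncated ICV size) per transform-set on the page
DMVPN_AES_SHA = (16, 16, 12)     # esp-aes esp-sha-hmac, mode tunnel
CRYPTOMAP_DES_MD5 = (8, 8, 12)   # esp-des esp-md5-hmac, mode tunnel


def esp_tunnel_size(inner_len, transform):
    """Size of an ESP tunnel-mode packet carrying an inner IP packet."""
    block, iv, icv = transform
    # Payload + 2 trailer bytes (pad length, next header), padded to block size.
    padded = -(-(inner_len + 2) // block) * block
    return IP_HDR + 8 + iv + padded + icv   # 8 = SPI + sequence number


def wire_size(lan_packet_len):
    """LAN IP packet -> mGRE -> DMVPN ESP -> crypto-map ESP, as sent on Dialer1."""
    gre = lan_packet_len + GRE_KEYED + IP_HDR
    dmvpn = esp_tunnel_size(gre, DMVPN_AES_SHA)
    return esp_tunnel_size(dmvpn, CRYPTOMAP_DES_MD5)


def largest_unfragmented(link_mtu):
    """Largest LAN IP packet whose fully encapsulated form fits in link_mtu."""
    size = link_mtu
    while size > 0 and wire_size(size) > link_mtu:
        size -= 1
    return size


def report(link_mtu=1460, tunnel_ip_mtu=1416, adjust_mss=1436):
    """Compare the posted Dialer1 mtu, Tunnel0 ip mtu and Vlan1 adjust-mss."""
    fit = largest_unfragmented(link_mtu)
    return {
        "wire_size_at_tunnel_mtu": wire_size(tunnel_ip_mtu),
        "full_mss_segment": adjust_mss + TCP_IP_HDRS,
        "max_lan_packet": fit,
        "max_mss": fit - TCP_IP_HDRS,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Under these assumptions a packet at the Tunnel0 `ip mtu` of 1416 leaves Dialer1 at 1568 bytes against its 1460-byte MTU, and `ip tcp adjust-mss 1436` allows 1476-byte TCP packets, so full-size segments are fragmented. The largest LAN packet that survives both encapsulations unfragmented is 1314 bytes, which corresponds to an MSS of 1274.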