
All times are UTC - 6 hours [ DST ]



Posted: Thu Jul 05, 2012 2:09 pm
New Member

Joined: Thu Mar 05, 2009 3:03 pm
Posts: 19
I have an 1841 running Advanced Security IOS (12.4(25) I think, have to check when I get home) that I'm using to learn about CBAC and IOS' firewall functionality. Its external interface is connected to my Windstream DSL modem in bridge mode, and the router is doing the PPPoE authentication. It's also doing NAT for my internal network, and is acting as a firewall using CBAC inspect statements and ACLs.

Everything is working at at least a baseline level: the DSL authenticates and connects, and machines on the inside can browse the web. The problem is that browsing to some sites is slow or times out. Not all sites, just some. Latency seems to be okay when doing pings. The problem seems to happen with https connections, but again, not all of them. Gmail works fine (I have it set to always use https), while my bank and credit card sites either time out or take minutes to load.

I have an "inspect https" line in my config, and have allowed https through my outbound ACL.

I'm looking for next steps for troubleshooting this. I've checked CPU utilization and it's very low; not sure what else it could be. I only have a few inspect statements, for the common stuff: tcp, udp, icmp, pop3, imap, dns, tftp, ftp, and ntp.

Stupidly I don't have a config handy to post; can post one in a couple hours but thought someone might have some hints without it.


Posted: Thu Jul 05, 2012 2:10 pm
Post Whore

Joined: Mon Jan 17, 2005 11:01 pm
Posts: 5148
Location: Canada eh
Certs: 350-001, CCNP, CXFF, ITILv3F
MTU issue would be my first guess.

_________________
blog.brokennetwork.ca


Posted: Thu Jul 05, 2012 2:28 pm
Moderator

Joined: Mon Apr 07, 2008 10:38 am
Posts: 9390
Location: Orlando, FL
Certs: CCNP RS, CCNP DC, CCDP, CCIP
Try removing the inspect for https and see if it gets faster.

_________________
http://blog.alwaysthenetwork.com


Posted: Thu Jul 05, 2012 2:30 pm
New Member

Joined: Thu Mar 05, 2009 3:03 pm
Posts: 19
Infinite wrote:
MTU issue would be my first guess.


Damn it. MTU! I even knew you had to set that for PPPoE, still forgot to do it.

Will try that when I get home, will also report back on the effect of removing the HTTPS inspect (but will try them separately so I know which one fixes it if one does).

Mucho thanks for both responses.


Posted: Thu Jul 05, 2012 4:29 pm
New Member

Joined: Thu Mar 05, 2009 3:03 pm
Posts: 19
Okay, I adjusted the MTU and MSS on my dialer interface and it seems to have made a huge improvement. I set MTU to 1492, MSS to 1452. Couple of questions:

-I've seen people on the web saying to set MSS on the inside interface, MTU on the dialer...is there a preferred way? I set both on my dialer, seems to work, but things might still be a tad slow;

-I've seen all kinds of advice for numbers to use. The MTU thing at 1492 seems pretty solid, but have seen at least one person recommending MTU and MSS to be equal. MSS can't be set as high as 1492, though. Anyone have recommendations?

