Slow Internet Access Caused by a Network Bandwidth Limit

Published: 2014-09-20
Problem Description
Network topology:


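Users connected behind the firewall experience slow Internet access.
Troubleshooting Process
1. The firewall is configured with NAT, and the PCs behind it have slow Internet access: web pages stall for a few seconds before opening. Pinging the external network from the firewall or from a PC succeeds with 3972-byte packets but fails with packets of 3973 bytes or more.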
<USG> ping -s 3972 192.168.0.26 
13:48:27  2013/05/29
  PING 192.168.0.26: 3972  data bytes, press CTRL_C to break
    Reply from 192.168.0.26: bytes=3972 Sequence=1 ttl=64 time=10 ms
    Reply from 192.168.0.26: bytes=3972 Sequence=2 ttl=64 time=1 ms
    Reply from 192.168.0.26: bytes=3972 Sequence=3 ttl=64 time=1 ms
    Reply from 192.168.0.26: bytes=3972 Sequence=4 ttl=64 time=1 ms
    Reply from 192.168.0.26: bytes=3972 Sequence=5 ttl=64 time=1 ms

  --- 192.168.0.26 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/2/10 ms
<USG> ping -s 3973 192.168.0.26 
13:48:36  2013/05/29
  PING 192.168.0.26: 3973  data bytes, press CTRL_C to break
    Request time out

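2. First, analyze why pings of 3973 bytes or more fail. Checking the configuration shows that this is caused by firewall defend large-icmp enable being turned on: the default threshold for oversized ICMP packets is 4000, and packets exceeding that threshold are dropped. After this configuration is removed, large pings work normally.
3. Change the firewall's tcp-mss to 1200 ("firewall tcp-mss 1200") and continue testing Internet access. Access is still slow.
4. Check the traffic on the outbound interface.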
[USG] display interface Ethernet  0/0/0                                                                                              
14:04:44  2013/05/29                                                                                                                
Ethernet0/0/0 current state : UP                                                                                                    
Line protocol current state : UP                                                                                                    
Ethernet0/0/0 current firewall zone : untrust                                                                                       
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)                                                                      
Internet Address is 60.13.x.y/24                                                                                                  
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a103-b597                                                     
Media type is twisted pair, loopback not set, promiscuous mode not set                                                              
100Mb/s-speed mode, Full-duplex mode, link type is force link                                                                       
Output flow-control is unsupported, input flow-control is unsupported                                                               
QoS max-bandwidth : 100000 kbps                                                                                                     
Output queue : (Urgent queue : Size/Length/Discards)  0/50/0                                                                        
Output queue : (Frag queue : Size/Length/Discards)  0/1000/0                                                                        
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0                                                                     
Output queue : (FIFO queue : Size/Length/Discards)  0/256/0                                                                         
    Last 300 seconds input rate 1552832 bits/s, 268 packets/s          ----> downstream 1.5M
    Last 300 seconds output rate 570448 bits/s, 226 packets/s        ------> upstream 0.5M
    Input: 3130297 packets, 2716622072 bytes                                                                                        
           0 broadcasts(0.00%), 0 multicasts(0.00%)                                                                                 
           0 runts, 0 giants,                                                                                                       
           0 errors, 0 CRC,                                                                                                         
           0 collisions, 0 late collisions, 0 overruns,                                                                             
           0 jabbers, 0 input no buffers, 0 Resource errors,                                                                        
           0 other errors                                                                                                           
    Output:2368780 packets, 719977662 bytes                                                                                         
           0 errors, 0 late collisions,                                                                                             
           0 underruns, 0 retransmit limits         

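This raised the suspicion that a bandwidth limit was the cause.
5. After consulting the frontline team, it was confirmed that the customer's bandwidth is only 2M, which causes the slow Internet access. The customer should apply for higher bandwidth to resolve it.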
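The check made by hand in steps 4 and 5 can be scripted. The following Python is an added example, not part of the original case or of any Huawei tooling: it parses the rate, error and queue-discard lines of the display interface output above and compares the 300-second averages with the subscribed bandwidth. The function name analyze, the 70% warning threshold and the reading of "2M" as 2,000,000 bit/s are assumptions.

```python
import re

# Constructed sample: a trimmed copy of the `display interface` output shown above.
SAMPLE = """\
Ethernet0/0/0 current state : UP
QoS max-bandwidth : 100000 kbps
Output queue : (Urgent queue : Size/Length/Discards)  0/50/0
Output queue : (Frag queue : Size/Length/Discards)  0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards)  0/256/0
    Last 300 seconds input rate 1552832 bits/s, 268 packets/s
    Last 300 seconds output rate 570448 bits/s, 226 packets/s
    Input: 3130297 packets, 2716622072 bytes
           0 errors, 0 CRC,
    Output:2368780 packets, 719977662 bytes
           0 errors, 0 late collisions,
"""

RATE_RE = re.compile(r"Last \d+ seconds (input|output) rate (\d+) bits/s")
QUEUE_RE = re.compile(r"\((\w+) queue : Size/Length/Discards\)\s+\d+/\d+/(\d+)")
ERR_RE = re.compile(r"^\s*(\d+) errors", re.M)


def analyze(text, subscribed_bps, warn_ratio=0.7):
    """Compare interface rates with the subscribed bandwidth (hypothetical helper)."""
    rates = {d: int(v) for d, v in RATE_RE.findall(text)}
    if set(rates) != {"input", "output"}:
        raise ValueError("rate lines not found in interface output")
    discards = {q: int(n) for q, n in QUEUE_RE.findall(text)}
    errors = sum(int(n) for n in ERR_RE.findall(text))
    util = {d: r / subscribed_bps for d, r in rates.items()}
    findings = []
    # Rule out link-level problems before blaming the provider's rate limit.
    if errors or any(discards.values()):
        findings.append("link errors or queue discards present: check the link first")
    # Assumption: a 5-minute average at or above warn_ratio means peaks hit the cap.
    for d, u in util.items():
        if u >= warn_ratio:
            findings.append(f"{d} averages {u:.0%} of subscribed bandwidth")
    return {"rates": rates, "util": util, "errors": errors,
            "discards": discards, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE, subscribed_bps=2_000_000)  # "2M" line from step 5
    for line in report["findings"] or ["no findings"]:
        print(line)
```

The interface itself is a 100 Mb/s port with zero errors and zero discards, so only the comparison against the subscribed rate exposes the bottleneck.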
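Root Cause
The bandwidth limit of the network service the customer subscribed to causes the slow Internet access.
Solution
Have the customer apply for higher bandwidth.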
