Slow Performance on USG2230 When the NAT Service Was Running

Publication Date: 2013-07-30
Issue Description
Topology: PC client - S2700 - S5700 - USG2230 - Internet
Version: V3R1

After the USG2230 was connected to the network, performance was slow when PCs accessed the Internet. Opening websites and sending email from Outlook was very slow.
Alarm Information
No alarm.
Handling Process
1. First, checked the routing table and the topology and confirmed there were no loops.
2. Used "display cpu-usage" and found that the CPU usage was low, at 17%.
3. Tried changing the MTU of the uplink interface to the ISP to 1400. The problem was not solved.
4. The customer told us that performance was good when accessing the Internet without our FW, so the cause should not be that the bandwidth to the Internet is too small.
5. I found that the public IP address the ISP gave the customer was a private address like "192.168.254.2", and asked the customer about that. The customer told me the ISP gave him "192.168.254.2 -- 192.168.254.254" as public addresses. But when I checked the NAT configuration, I found this:
interface G0/0/0
ip address 192.168.254.2 24
nat enable

That means all users are translated to this one address to access the Internet, and I suspected that the ISP applied rate limiting to each address. So I tried modifying the NAT to use an address pool, "NAT address-group 1 192.168.254.2 192.168.254.200", so that clients use these 198 IP addresses for translation when accessing the Internet, and the problem was solved. So I can confirm that the ISP applied rate limiting to each address. When one IP is used for NAT, all users share the 2M rate limit, so the problem occurred.
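Added example (not part of the original case and not Huawei code): a Python check for the condition found in step 5, run against the configuration before and after the change. It assumes the simplified configuration lines quoted above, an even spread of users across the NAT addresses, and a hypothetical count of 100 users.

```python
import ipaddress
import re

# Constructed samples in the simplified form quoted in this case,
# not a complete USG2230 configuration.
BEFORE = "interface G0/0/0\nip address 192.168.254.2 24\nnat enable\n"
AFTER = BEFORE + "NAT address-group 1 192.168.254.2 192.168.254.200\n"

def nat_source_addresses(config):
    """Return the addresses this config can translate inside users to."""
    iface_ip, nat_on, pool = None, False, []
    for raw in config.splitlines():
        line = raw.strip()
        ip = re.fullmatch(r"ip address (\S+) \S+", line, re.I)
        grp = re.fullmatch(r"nat address-group \d+ (\S+) (\S+)", line, re.I)
        if ip:
            iface_ip = ipaddress.ip_address(ip.group(1))
        elif grp:
            lo, hi = (int(ipaddress.ip_address(a)) for a in grp.groups())
            pool = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
        elif line.lower() == "nat enable":
            nat_on = True
    if pool:
        return pool
    return [iface_ip] if nat_on and iface_ip else []

def audit(config, users, per_ip_cap):
    """Estimate exposure to an upstream per-address rate limit."""
    addrs = nat_source_addresses(config)
    # Assumption: users spread evenly over the NAT addresses, so the
    # busiest address carries ceil(users / len(addrs)) users on one cap.
    busiest = -(-users // len(addrs)) if addrs else 0
    return {
        "isp_side_private": any(a.is_private for a in addrs),
        "single_address_nat": len(addrs) == 1,
        "worst_case_per_user": per_ip_cap / busiest if busiest else None,
    }

if __name__ == "__main__":
    # 100 users is a hypothetical figure; 2 is the "2M" limit from the case.
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg, users=100, per_ip_cap=2))
```

A result with both isp_side_private and single_address_nat set is the combination that produced the slowdown in this case.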

Root Cause
Possible causes:
1. The MTU is too large, and the packets were dropped by the ISP's devices.
2. The bandwidth is limited.
3. There is a loop in the network.
4. The CPU usage is too high.
5. Rate limiting.
Suggestions
When we find that the public address given by the ISP is a private address, we should check whether the ISP applies any rate limiting.
