Inside Track!

Inside information directly from help4IT technicians

May 13, 2009

Checking Internet Bandwidth Usage on a Cisco PIX or Router

Posted by: Tom Finnis

Tagged in: tips and tricks

One complaint our helpdesk hears quite often from clients is that "our Internet access seems really slow today", which is a particularly vague and subjective problem. Once the technician has established that this condition is affecting all users and isn't just a temporary period of high demand, what can he do to establish the cause of the problem?

Usually the lack of Internet bandwidth becomes apparent when the technician opens a remote session on the server or user's PC, as it is painfully slow to use. The requirement now is to establish which computer and program is using up all the bandwidth so it can be stopped and preferably prevented from happening again. Fortunately we install Cisco routers and firewalls at the majority of our client sites, as these provide several helpful diagnostic tools. Should you encounter this problem yourself and also have a Cisco on your Internet connection, follow these steps:

Monitor the Cisco bandwidth usage

If you have a PIX or ASA firewall then open the PDM (ASDM for ASAs) GUI and log in. The opening screen has several graphs including "Outside Interface Traffic Usage", and there should also be an "Interface Status" table showing the current bandwidth usage on each port.

The outside traffic usage graph is particularly useful here as it will show you whether the traffic is outbound (uploading) or inbound (downloading) to your network. You should know the maximum bandwidth capacity of your Internet connection so simply comparing that to this graph will give you a good idea of whether you have a problem. An average capacity utilisation of more than 90% in either direction will cause slow web browsing.

If for whatever reason you do not have the PDM available you can still get a good idea of your bandwidth utilisation via the telnet (or SSH) terminal console. Log in and then type enable to get into admin mode, then enter clear traffic, wait for a minute and enter show traffic. This will give you a reading of the inbound and outbound bandwidth in this period.

Locate the culprit

Usually when the bandwidth is consistently high over an extended period the cause is down to one or two computers on the network monopolising the Internet connection. This could be for a variety of reasons, from somebody running an unauthorised file sharing client to a large email being sent or received by many users. Cisco firewalls aren't particularly helpful for monitoring historical Internet usage unless you have a syslog server set up and suitable tools to analyse those logs. However, in this situation you should be fine looking at the live data as the connections will be ongoing.

You need to run another terminal command to obtain the necessary output, but you can do this from the PDM/ASDM: from the "Tools" menu select "command line interface". Now you need to enter show conn to get a list of the current connections established through the device.

Now for the boring part: you need to go through the connections line by line, looking for anomalous or high-traffic connections. Fortunately in this example there are only eight connections so it won't take long. Here is the first line:

TCP out 82.24.210.25:56414 in SBSserver:3389 idle 0:00:00 Bytes 1292465 flags UIOB

The first thing to look for is the "Bytes" value. This shows how much data has been transferred through this particular connection, so you need to look for the lines with the highest figures. Unfortunately you can't see how long the connection has been live for, so it's possible you may get one with a very high figure but which has been running for several days (e.g. a site to site VPN), so the average bandwidth use would be quite low. These are relatively uncommon though, so you shouldn't see too many, but if necessary the quickest option is to reboot your device and then check the connections again in ten minutes. Then you know what the maximum possible time period will be.

Once you have isolated the highest data transfer connections you can obtain some more information, the most useful being the IP address (or name if defined in the config, as we have here with "SBSserver") and the port number. The port number will give you a good idea of what the application using the connection is. In the example above we have a connection to SBSserver port 3389; a quick Google will tell you that this is the Microsoft Remote Desktop Protocol default port.
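
Because the "Bytes" figure is cumulative, comparing two show conn captures taken a known interval apart shows which connection is moving data right now, so a long-lived connection with a large total no longer tops the list. The script below is an added example, not part of the original post. It assumes the line format quoted above, and every line in the two snapshots other than the SBSserver line from the article (including the second SBSserver byte count) is constructed sample data.

```python
import re

# Matches "show conn" lines in the format quoted in the article, e.g.
# TCP out 82.24.210.25:56414 in SBSserver:3389 idle 0:00:00 Bytes 1292465 flags UIOB
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out>\S+):(?P<oport>\d+) "
    r"in (?P<inside>\S+):(?P<iport>\d+) idle \S+ Bytes (?P<bytes>\d+)"
)

def parse_conns(text):
    """Map each connection (proto, outside, port, inside, port) to its byte count."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:  # lines that do not match (e.g. the "in use" summary) are skipped
            key = (m["proto"], m["out"], int(m["oport"]), m["inside"], int(m["iport"]))
            conns[key] = int(m["bytes"])
    return conns

def top_talkers(before, after, seconds):
    """Rank connections by bytes moved between two snapshots `seconds` apart."""
    old, new = parse_conns(before), parse_conns(after)
    rows = []
    for key, total in new.items():
        delta = total - old.get(key, 0)   # a connection new in `after` counts in full
        if delta < 0:                     # counter restarted on a reused address/port pair
            delta = total
        rows.append((key, delta, delta * 8 / seconds / 1000))  # rate in kbit/s
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed snapshots taken 60 seconds apart (hypothetical inside hosts).
BEFORE = """3 in use, 8 most used
TCP out 82.24.210.25:56414 in SBSserver:3389 idle 0:00:00 Bytes 1292465 flags UIOB
TCP out 203.0.113.10:443 in 192.168.1.20:51522 idle 0:00:01 Bytes 950000000 flags UIO
TCP out 198.51.100.7:6881 in 192.168.1.34:49822 idle 0:00:00 Bytes 4000000 flags UIO
"""
AFTER = """3 in use, 8 most used
TCP out 82.24.210.25:56414 in SBSserver:3389 idle 0:00:00 Bytes 1352465 flags UIOB
TCP out 203.0.113.10:443 in 192.168.1.20:51522 idle 0:00:02 Bytes 950030000 flags UIO
TCP out 198.51.100.7:6881 in 192.168.1.34:49822 idle 0:00:00 Bytes 64000000 flags UIO
"""

if __name__ == "__main__":
    for (proto, out, oport, inside, iport), delta, kbps in top_talkers(BEFORE, AFTER, 60):
        print(f"{proto} {inside}:{iport} <-> {out}:{oport}  {delta} bytes  {kbps:.0f} kbit/s")
```

In the sample data the connection with the largest cumulative total (192.168.1.20) ranks last once the interval is taken into account, while 192.168.1.34 is the one saturating the link.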

Remove or prevent the problem

Now you will hopefully have narrowed down your list of potential culprits to a few computers and protocols, so you are in a position to eliminate them one by one. If practical you can just shut down each PC one by one and then check the bandwidth usage each time; if it suddenly drops then you know you have found the source of your troubles. Alternatively you can add a temporary block rule to the firewall to deny each PC access to the Internet, which will achieve the same result. Fully eliminating the problem will depend on its source. If the port information for the connection doesn't indicate what the application is then you will have to investigate the PC itself. One of the best tools for this on Windows PCs is the netstat command: open a command prompt and enter netstat -a -b. This will output a full list of all the open connections on that PC, along with the name of the application which launched each one.

Once you have established what application is hogging your bandwidth the solution should be fairly obvious. Unfortunately if the application is a necessary one then you are more limited. If you can't reduce its bandwidth usage then possibly look at scheduling it to run outside of business hours. Alternatively you may want to investigate the QoS (Quality of Service) support on your firewall/router device, which will allow you to throttle or prioritise certain protocols.
