Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
930
Views
0
Helpful
4
Replies

Certain Websites timeout when trying to access

shaw.chris
Level 1
Level 1

‎01-13-2009 12:02 PM - edited ‎03-11-2019 07:36 AM

Can anyone help with this issue, since a couple of days ago we are having trouble accessing certain websites.

When attempting to access the site the PC will hang and eventually display "Request Timeout". On other pages certain parts of the site will not display.

We have an ASA 5510 Firewall and a 1841 Router which is maintained by our ISP.

One example is www.matrox.com (138.11.2.65), I cannot ping from the Inside or Outside Interface of the ASA nor PC's on our network.

I have contacted our ISP who say they can ping this address from their Router.

Below is an example of the end of a trace route, firstly from network-tools.com (and anywhere else I've tried)

9 55 69 60 66.46.89.150 -

10 55 53 71 138.11.1.101 -

11 72 61 86 138.11.2.65 www.matrox.com

and from our Firewall

12 137 ms 137 ms 135 ms 66.46.89.150

13 131 ms 132 ms 134 ms 138.11.1.101

14 * * * Request timed out.

15 * * * Request timed out.

16 * * * Request timed out.

17 * * * Request timed out.

As you can see it doesn't make the last hop.

Does anyone have an idea how to resolve this or how to debug this issue.

Thanks,

Chris

Labels:
0 Helpful
4 Replies 4

shaw.chris
Level 1
Level 1

‎01-13-2009 01:00 PM

To add to the confusion:

All our PC are NAT'd to go out as the ASA interface address x.x.231.82,

On the ASA I've just configured an individual PC to NAT as a different address x.x.231.84 and I can access and ping the problematic websites from this PC.

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to shaw.chris

‎01-13-2009 01:43 PM

Hi Chris,

If you do not have ICMP inspection enabled on your ASA ping will never reply back from your internal network, that's one thing to check. Go to your ASA and from it ping the ip address for this Matrox site and see if you got an answer.

As for the webpages timing up, go ahead and check with the "show run policy-map" if the inspect http is enabled, if it is try to disable it and test again your webpage connections.

It would also be useful to check any logs from the asa to see if those packets (web traffic) is being dropped by any reason.

0 Helpful

shaw.chris
Level 1
Level 1
In response to Ivan Martinon

‎01-13-2009 02:27 PM

Hi,

I do have ICMP inspection enabled, so I do receive replies. Inspect http is not enabled and nothing shows up in the logs at all when I try and access these sites. Most websites are fine

As I mentioned if I change the outgoing address to a different IP from our external IP range it works OK

Does anyone have any idea how to resolve this?

Thanks, Chris

0 Helpful

Ivan Martinon
Level 7
Level 7
In response to shaw.chris

‎01-13-2009 02:30 PM

OK, thanks for clearing up, so what you are stating is that if you use a different address for the nat that those users behind are using all works fine? This my friend has to do with how that ip address is assigned or router by your ISP.

0 Helpful
Review Cisco Networking for a $25 gift card
Top