
FPR1010 can't access *SOME* web sites

dataIP
Level 1

Hi all,

 

I have run into a weird issue with the FPR1010.

 

When connecting a client machine to the inside network, I can browse some but not all web sites. The particular problem is my 'test' site of www.bbc.co.uk.

 

However, rather unbelievably, it will work when using WiFi, but not when cabled.

To clarify:

Laptop -> SF200 switch -> FPR1010 -> OpenReach modem to FTTP, result: doesn't work to www.bbc.co.uk nor royalmail.com but does to other https sites

Laptop -> CBW240 access point -> SF200 switch -> FPR1010 -> OpenReach modem to FTTP, result: works fine with apparently all sites.

 

To further clarify - not talking about WiFi on the firewall here - just an AP elsewhere on the network.

 

There are no restrictive rules on the FPR, everything is open/allowed. In fact it only has a base licence so shouldn't be URL filtering.

Latest s/w with latest patch.

 

Replacing the FPR with a Cisco RW134 router (that I happen to have in my toolbox).... all works fine via cable or WiFi.

 

I have the FPR back here for more tests - but before I deployed it, I am 100% it worked via a cabled connection. The only difference I can see is that my previous tests were with a 'WAN' being our office network whereas the real WAN on site is an FTTP connection. My test will be with DHCP on the FPR, on site, it is PPPoE for the WAN side.

 

Any clues?

 

1 Accepted Solution


I have done more testing; for clarity, we are talking about UK-based, using OpenReach's FTTC and FTTP connections on the WAN side.

Wide open rules on the FPR for testing.

 

Changing the MTU on the WAN side to 1508 - which is the 1500 plus the 8 byte PPPoE overhead - has fixed this issue.

I *think* this is a bug in the FDM. PPPoE was added recently to FDM... when configuring an outside interface, you now have the options of static, DHCP or PPPoE. On a second screen, you can configure the MTU.

It looks like an MTU of 1500, which is the default, isn't taking account of the PPPoE overhead.

 

Adjusting the inside or outside interface MTU downwards did not have any (positive) effect.

 


5 Replies

balaji.bandi
Hall of Fame

We are not sure how your ACP rule base is set up. Check whether any URL filter is enabled, and also check the logs for the reason it failed.

 

There is a good document here for diagnosis:

 

https://finkotek.com/firepower-why-this-website-is-blocked/

BB


Hi BB,

 

Thanks for your quick reply.

The odd thing here is that there are no rules blocking any sites - that feature isn't even enabled.

The traffic generated by the laptop should be identical when it arrives at the firewall. The firewall has only two connections, ge1 to the WAN and ge3 to the inside switch.

 

It appears that there is some difference when connecting via WiFi. All I can think is this in some way alters the MTU. I did try to experiment with changing from 1500 but it didn't give me a solution.

 

I was on a customer's site with limited time to debug.

 

 


 

Hi,

I face exactly the same problems with FPR 1010 and PPPoE, and the solution of changing the MTU to 1508 (for me it works for any value greater than 1500) works, but when I do a restart it stops working (although the MTU value remains as I changed it).

@dataIP does your solution work after the restart?

 

We experienced some more issues with the PPPoE connection on the FPR1010 after our initial 'success' reply.

In the end, we front ended the FPR1010 with a RVxxx router... the router doing the PPPoE - that did resolve our issues.

 

So, I can't really comment on it 'surviving' a reboot - but all I can say is I was disappointed in the FPR device. It has since been swapped out entirely.
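The MTU question raised in this thread can be checked from the client side by measuring the largest packet that crosses the path with the Don't Fragment bit set. The script below is an added example, not something posted by the thread participants; it assumes a Linux client with iputils `ping` (`-M do`, `-s`, `-c`, `-W`), and the function names and the `PMTU_HOST` variable are illustrative.

```shell
#!/bin/sh
# Added example: binary-search the largest ICMP echo payload that gets a reply
# with DF set, then derive the path MTU and the TCP MSS that fits in it.
# Assumes Linux iputils ping; names below are illustrative, not from the thread.

IP_HDR=20; ICMP_HDR=8; TCP_HDR=20

# probe HOST PAYLOAD -> exit 0 if an echo of PAYLOAD bytes is answered with DF set
probe() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# max_payload HOST [LOW] [HIGH] -> prints the largest passing payload in [LOW,HIGH];
# returns 1 if even LOW fails (host unreachable or ICMP filtered on the path).
max_payload() {
    host=$1; lo=${2:-500}; hi=${3:-1472}
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the range always shrinks
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# path_mtu PAYLOAD -> size of the IP packet carrying that ICMP payload
path_mtu() { echo $(( $1 + IP_HDR + ICMP_HDR )); }

# tcp_mss MTU -> largest TCP segment that fits in MTU (no IP or TCP options)
tcp_mss() { echo $(( $1 - IP_HDR - TCP_HDR )); }

# report HOST -> one summary line for that destination
report() {
    p=$(max_payload "$1") || { echo "$1: no reply even at a small size"; return 1; }
    m=$(path_mtu "$p")
    echo "$1: max payload $p, path MTU $m, TCP MSS $(tcp_mss "$m")"
}

# Runs only when a destination is supplied, e.g.:
#   PMTU_HOST=www.example.com sh pmtu.sh
if [ -n "${PMTU_HOST:-}" ]; then report "$PMTU_HOST"; fi
```

Running it from the cabled client and from the WiFi client against the same site shows whether the two paths allow different packet sizes.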
