Re: Internet Activity limited/Selective [reaching destinations] FPR101

TheGoob · ‎12-31-2023

Hello

So, I have to believe this is pure coincidence but I am having wacky issues. The Internet works, when it wants to. I can load Google, MSN.Com, ebay.com but, NOT Yahoo.com! I play WORLD OF WARCRAFT Game, and they do not load. They will sit endlessly.

This is the Warcraft IP that needs to be connected to, and here is my tracert feedback;

Tracing route to 137.221.105.2 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10    38 ms    39 ms    39 ms  137.221.105.2 

Trace complete.

Here is my Yahoo.com tracert feedback;

Tracing route to media-router-fp73.prod.media.vip.gq1.yahoo.com [98.137.11.164]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11    61 ms    59 ms    59 ms  media-router-fp73.prod.media.vip.gq1.yahoo.com [98.137.11.164] 

Trace complete.

balaji.bandi · ‎12-31-2023

what is the outcome if you bypass firepower and connect directly with ISP is that works ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎12-31-2023

Let me grab another DSL Router, current one is in Bridge mode and do not wanna reset it, so let me do that, meantime, here is my ACL screen;

Rob Ingram · ‎12-31-2023

@TheGoob allow ICMP time-execeeded (type 11) and unreachables (type 3) are allowed from Outside to Inside in in your ACP.

TheGoob · ‎12-31-2023

Plugging directly into my DSL Router via PPPoE [Bypassing everything else] Yahoo.com and WOW works... I will have to look up what you said because that is greek to me. Also, I wonder why all of a sudden?!

Rob Ingram · ‎12-31-2023

@TheGoob the DSL router probably doesn't have a stateful firewall enabled.

FDM example:

NOTE - you will need to create service objects for ICMP time-exceeded and unreachable, you will need the ICMP codes I previously provided.

TheGoob · ‎12-31-2023

Alright, getting closer. Never even knew there was an ICMP with those sub-classes [id love to see how other people google cause when i do it shows stuff NOT EVEN relative to this].

Now, naturally, under 3 and 11, there are more sub-categories, but I left them default cause you did not mention them.

Hmmm, did so, but still not work. Now, under 11 and 3, there are "codes" that I did not select as I am unsure..

Rob Ingram · ‎12-31-2023

@TheGoob time-exceeded = ICMP Type 11 Code 0 and unreachable = Type 3 Code 0. Though you will mainly require to permit time-exceeded for those routes to appear in traceroute.

https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Time_exceeded

TheGoob · ‎12-31-2023

ese are the CODE3 Types... I wonder if maybe default one is not correct?

TheGoob · ‎12-31-2023

Ohhh, this was not to make it "work" but to get the results of tracert to see where it is not working. With results in mind, going through Cisco FPR, I could indeed connect just using DSL Router.

New Yahoo Tracert;

Tracing route to yahoo.com [74.6.231.21]
over a maximum of 30 hops:

  1    22 ms    22 ms    22 ms  tcso-dsl-gw27.tcso.qwest.net [75.160.240.27]
  2    22 ms    22 ms    24 ms  tcso-agw1.inet.qwest.net [75.160.241.209]
  3    25 ms    25 ms    24 ms  4.68.73.122
  4     *        *        *     Request timed out.
  5    51 ms    48 ms    49 ms  YAHOO-INC.ear3.Dallas1.Level3.net [4.14.130.30]
  6    68 ms    69 ms    69 ms  ae-11.pat1.dnx.yahoo.com [209.191.64.117]
  7    78 ms    79 ms    79 ms  ae-0.pat1.nez.yahoo.com [209.191.64.220]
  8    76 ms    82 ms    75 ms  et-17-0-1.msr1.ne1.yahoo.com [216.115.105.179]
  9    76 ms    78 ms    77 ms  et-0-0-0.clr1-a-gdc.ne1.yahoo.com [98.138.97.63]
 10    76 ms    76 ms    76 ms  lo0.fab2-2-gdc.ne1.yahoo.com [98.138.51.1]
 11    71 ms    71 ms    73 ms  usw2-1-lbd.ne1.yahoo.com [98.138.97.157]
 12    72 ms    73 ms    73 ms  media-router-fp74.prod.media.vip.ne1.yahoo.com [74.6.231.21]

New Warcraft Tracert;

Tracing route to 137.221.105.2 over a maximum of 30 hops

  1    21 ms    21 ms    22 ms  tcso-dsl-gw27.tcso.qwest.net [75.160.240.27]
  2    22 ms    21 ms    21 ms  tcso-agw1.inet.qwest.net [75.160.241.209]
  3    24 ms    25 ms    27 ms  4.68.73.122
  4     *        *       31 ms  ae4.4.ear4.LosAngeles1.level3.net [4.69.215.133]
  5    33 ms    43 ms    33 ms  4.7.26.166
  6    39 ms    38 ms    39 ms  ae1-br02-csla1.as57976.net [137.221.89.35]
  7    79 ms    56 ms    57 ms  137.221.65.235
  8    40 ms    39 ms    38 ms  et-0-0-1-pe02-swlv10.as57976.net [137.221.83.91]
  9    39 ms    38 ms    40 ms  las-swlv10-ia-bons-02.as57976.net [137.221.66.19]
 10    39 ms    44 ms    38 ms  137.221.105.2

TheGoob · ‎12-31-2023

Does my NAT look ok?

I am just so confused over this. Can ping IP and domain related to it, but it is being blocked. But on FPR side, but I never touched anything ACL or NAT since it [did] work.

TheGoob · ‎12-31-2023

Well, got it working. Had to create a FlexConfig object and use

sysopt connection tcpmss 1380

Apparently PPPoE needs this, sometimes?, to allow correct throughput.

Internet Activity limited/Selective [reaching destinations] FPR1010