05-08-2012 06:08 AM - edited 03-11-2019 04:03 PM
I have site-to-site VPNs, say between Delhi and Mumbai and between Delhi and Hyderabad. Delhi is the corporate office; the branch offices are pinging the corporate office fine and the response is fine. There are application servers in the Delhi corporate office. A local URL, say http://172.26.5.180/, opens from Mumbai but does not open in Hyderabad. I am able to ping 172.26.5.180 from Hyderabad but not able to telnet to IP address 172.26.5.180 over port 80. There is no proxy or anything else. The tunnel is established fine. Any idea about this kind of problem? It looks strange.
regards
rajat
05-08-2012 06:53 AM
Please post your config.
thanks
05-08-2012 07:24 AM
05-08-2012 08:51 AM
I see no problem on your tunnel config, they are fine.
Please check with the Hyderabad users whether the correct mask has been assigned on their PCs, and likewise on the server in question.
This is more of a Windows problem than a FW or switching/routing problem.
thanks
05-08-2012 10:31 PM
I have taken a remote session to the Hyderabad server. The mask is correct, and switching and routing are OK. The same URL opens from Mumbai but not for the Hyderabad user. My concern is that I am not able to telnet to the application over port 80, IP address 172.26.5.180. I checked with netstat -n: there is source 10.120.1.10 port 45986 and destination 172.26.5.180 port 80, and instead of an established connection there is SYN_SENT and nothing else.
To my mind, when a packet travels over the WAN in a site-to-site VPN, is there any kind of decryption or blocking that can be done by the ISP to stop my URL from opening in the web browser?
regards
rajat
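A way to reproduce the telnet test above as a script and tell a dropped SYN from a refused port, as an added example that is not part of the original thread. The function names and the outcome wording are this example's own assumptions; 172.26.5.180 port 80 is the server from the post.

```python
import errno
import socket

# Outcome -> what it says about the path (interpretation added here, not from the thread).
MEANING = {
    "open": "SYN/ACK received: the port is reachable end to end",
    "refused": "RST received: the host was reached but nothing accepts that port",
    "no-reply": "SYN unanswered (netstat shows SYN_SENT): SYN or SYN/ACK dropped on the path",
    "unreachable": "no route or ICMP unreachable from a hop on the path",
}

def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "no-reply"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def compare(targets, timeout=3.0):
    """Probe several (host, port) pairs so a failing port can be set against a working one."""
    return {t: probe_tcp(t[0], t[1], timeout) for t in targets}

if __name__ == "__main__":
    # 172.26.5.180:80 is the server from the thread; run this from the affected branch PC.
    for (host, port), result in compare([("172.26.5.180", 80)]).items():
        print(f"{host}:{port} -> {result}: {MEANING[result]}")
```

A "no-reply" result while ping succeeds matches the SYN_SENT state reported above: ICMP passes, but the TCP handshake on that port never completes.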
05-09-2012 07:08 AM
"To my mind, when a packet travels over the WAN in a site-to-site VPN, is there any kind of decryption or blocking that can be done by the ISP to stop my URL from opening in the web browser?"
The ISP has better things to do than peeking at customers' traffic; besides, breaking IPSec traffic isn't that easy or impossible, besides when your private-IP traffic is encapsulated.
Try this on your Hyderabad ASA, not on the outside but rather on the inside interface first. Please try it outside business hours; I sense it is a packet fragmentation problem.
The ASA does not support tcp adjust-mss; rather, it is the MTU size.
ip tcp adjust-mss 1452
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
ESP 56, AH 24, IPSec 20 = 100 bytes
1500 - 100 = 1400 MTU size
Therefore set your inside interface MTU to 1400.
Looking forward to hearing from you.
Message was edited by: Rizwan Mohamed
05-10-2012 04:47 AM
I have tested mtu inside 1400 first on the firewall; it did not work. Then again mtu outside 1400, but removed it on the inside (no mtu inside 1400), and it still did not work. Any other clue?
regards
rajat
05-10-2012 05:35 AM
You didn't try on the outside interface?
05-10-2012 09:05 PM
Hi,
When I tried on the outside interface, the remote session of the PC disconnected and reconnected again. I tried to open the URL but without any success. Is there still any other clue which can help to resolve the issue?
regards
rajat
05-13-2012 09:23 PM
Can anybody suggest anything on this?
regards
rajat