Solved: Re: Web Browsing issue on some websites

XavierSys · ‎04-29-2019

Hello,

Pretty new to cisco, i believe my problem is firewall related, i'm having some strange issue on a 2960 running c2900-universalk9-mz.SPA.153-3.M2.bin

The configuration is pretty basic.

I've got an ISP modem, the cisco 2960, another cisco 892 for our MPLS, and the computers/phones.

(The previous configuration, which was working, did not had the MPLS router, and was on different subnets for both DATA/Voice/guest vlans)

ISP connection is made by interface Dialer.

My issues is that i've got (so far) one website not accessible, and skype for business (on 365) not accessible.

The website also runs on Azure cloud.

I can ping/traceroute the IPs without issues, skype for business tools fails on certain IP range for https/443, but works for tcp/443 for the same ranges)

I've tried to remove ip inspect, change the settings of the cef and vrf, but to no avail.
I'm not sure what should be the course of actions to help understand where the issue come from and how to correct it.

Worst case i could contact my local contractor who did the set up, but i'd like to understand what's going on and how to solve it on my own.

Any help would be appreciated.

Thanks,

XavierSys · ‎05-22-2019

Hello,

After some tries and reading on the internet, i finally found the solution...

Somehow my vlan15 interface is down on the router, but there is some sort of virtual interface gigabitethernet1/0.15 that manage it.

and i also read here

that vlan needed 4 bits for encapsulation.

so the right configuration edit was

conf t

int GigabitEthernet1/0.15

ip tcp adjust-mss 1448

All worked fine after that.

Thanks for your help.

View solution in original post

Jaderson Pessoa · ‎04-29-2019

hello,

I understood your doubt, but if you input here your current configuration, we are able to suggest to you the better options that can solve your problem;

Regards,

Jaderson Pessoa
*** Rate All Helpful Responses ***

XavierSys · ‎04-29-2019

Hello, find configuration attached (stripped of potential password/username/phone numbers & such)

Jaderson Pessoa · ‎04-29-2019

@XavierSys hello,

Just to make a test, could you remove the command in bold below and test?

interface Dialer1
ip address negotiated
ip access-group wan in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect fw out
ip virtual-reassembly in
no ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable

Jaderson Pessoa
*** Rate All Helpful Responses ***

XavierSys · ‎04-29-2019

I'm not onsite, as soon as i get my hand on a user there i will try, but i think i tried to disable it and it cut access to the web, at least to the computer i was remoting, and not to my ssh to the cisco.
will keep you up to date asap.

Thanks for your help.

XavierSys · ‎05-06-2019

Hello,
Sorry for the delay,
I've tested your proposal, but without any results.

XavierSys · ‎05-14-2019

So,quick update on the situation

My contractor has come to site, tested the configuration, updated the cisco router.

He can access the different websites.

On my users computers, it still does not work in the LAN (it works in 4G, so i ruled out some local firewall/av issues)

I just need to check wether the Wifi (meraki) might cause some issues, but i would find it rather strange, especially since i have the same settings as from my other offices.

Jaderson Pessoa · ‎05-14-2019

Hello,

What device are you using to allowing internet access to your LAN? What type of configuration has your device configured? Could you share it with us?

Does your problem is happening just for some sites?

Thanks in advance.

Jaderson Pessoa
*** Rate All Helpful Responses ***

XavierSys · ‎05-16-2019

Hello
I've done more investigation.

I was able to pinpoint a MTU issue.

My PPoE connection is using a 1492 MTU

However my Vlan/lan are configured with a 1500 MTU.

(I've tested with a computer where i enforced a 1492 MTU on the ethernet and all was working properly)

Working with my contractor, we tried several settings with the mtu (as i can't really configure manually MTU on the computers)
So far, here's what i tried,

Forcing the MTU on the Vlan15 on the router side
either (one at a time, or mixed)
mtu 1492
ip mtu 1492
ip tcp adjust-mss 1492

Tested the same configuration on the switch side of the 2960

Also tried to put dhcp option 26, but i was not sure how to write it down.

Also tried different settings for the MTU (1460/1452)

Thanks for your help.

XavierSys · ‎05-22-2019

Hello,

After some tries and reading on the internet, i finally found the solution...

Somehow my vlan15 interface is down on the router, but there is some sort of virtual interface gigabitethernet1/0.15 that manage it.

and i also read here

that vlan needed 4 bits for encapsulation.

so the right configuration edit was

conf t

int GigabitEthernet1/0.15

ip tcp adjust-mss 1448

All worked fine after that.

Thanks for your help.