02-27-2017 03:03 PM - edited 03-05-2019 08:06 AM
I have a customer who is having trouble opening a few websites - three that they have noticed so far. They are each secure sites and I am completely at a loss as to what is going on here. The setup is AT&T fiber box into the 0/0 of the Cisco 2811 with a /30. There is a 4ESW WIC card in the 2811 to act as a DMZ for the AT&T LAN /29 block.
I know this is not an AT&T routing issue or an issue with the IPs as I can put a laptop directly on the /30 into the fiber box and pull the websites up fine. I have also put a basic Linksys router in place of the 2811 and was able to browse fine off of any of the public IPs. Also, this seemed to have randomly started about two weeks ago. It has worked fine before that.
Config is as follows:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
card type t1 0 3
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PST recurring
network-clock-participate wic 3
network-clock-select 1 T1 0/3/0
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name cctonline.net
ip name-server 68.94.156.1
ip name-server 68.94.157.1
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
isdn switch-type primary-ni
!
!
voice rtp send-recv
!
voice service pots
!
voice service voip
 allow-connections sip to sip
 signaling forward unconditional
 fax protocol cisco
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
 dspfarm
 dsp services dspfarm
!
!
!
!
!
username XXXXX
username XXXXX
username XXXXX
archive
 log config
 hidekeys
!
!
controller T1 0/3/0
 cablelength short 110
 pri-group timeslots 1-24
!
controller T1 0/3/1
 cablelength long 0db
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map match-any voip-control
 match ip dscp cs3
class-map match-any voip-rtp
 match ip dscp ef
class-map match-any vodex-voip-policy
 match access-group name Vodex_VOIP_Control
 match access-group name Vodex_VOIP_RTP
 match access-group name DNS_Servers
!
!
policy-map voip-priority
 class voip-rtp
 priority percent 70
 set dscp ef
 class voip-control
 priority percent 5
 set dscp cs3
 class class-default
 fair-queue
 random-detect
policy-map vodex-voip-policy
 class vodex-voip-policy
 priority percent 90
 set dscp ef
 class class-default
 fair-queue
 random-detect
!
!
!
!
!
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 ip access-group Firewall_In in
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 max-reserved-bandwidth 90
 service-policy output vodex-voip-policy
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/2/0
!
interface FastEthernet0/2/1
!
interface FastEthernet0/2/2
!
interface FastEthernet0/2/3
!
interface Serial0/3/0:23
 no ip address
 encapsulation hdlc
 isdn switch-type primary-ni
 isdn protocol-emulate network
 isdn incoming-voice voice
 isdn supp-service name calling
 no cdp enable
!
interface Vlan1
 ip address x.x.x.x 255.255.255.248
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
no ip http server
no ip http secure-server
!
!
ip access-list extended DNS_Servers
 permit udp host 4.2.2.1 eq domain any
 permit udp host 4.2.2.2 eq domain any
 permit udp host 4.2.2.3 eq domain any
 permit udp host 4.2.2.4 eq domain any
 permit udp host 4.2.2.5 eq domain any
 permit udp host 4.2.2.6 eq domain any
 permit udp host 8.8.8.8 eq domain any
 permit udp host 8.8.4.4 eq domain any
 permit udp host 66.52.116.2 eq domain any
 permit udp host 66.52.116.3 eq domain any
 permit udp host 208.74.8.115 eq domain any
 permit udp host 199.187.232.6 eq domain any
 permit udp any host 4.2.2.1 eq domain
 permit udp any host 4.2.2.2 eq domain
 permit udp any host 4.2.2.3 eq domain
 permit udp any host 4.2.2.4 eq domain
 permit udp any host 4.2.2.5 eq domain
 permit udp any host 4.2.2.6 eq domain
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 permit udp any host 66.52.116.2 eq domain
 permit udp any host 66.52.116.3 eq domain
 permit udp any host 208.74.8.115 eq domain
 permit udp any host 199.187.232.6 eq domain
ip access-list extended Firewall_In
 permit udp 8.14.139.0 0.0.0.255 any eq 1720
 permit tcp 8.14.139.0 0.0.0.255 any eq 1720
 permit udp 8.14.139.0 0.0.0.255 any eq 2517
 permit tcp 8.14.139.0 0.0.0.255 any eq 2517
 permit udp 8.14.139.0 0.0.0.255 any eq 5060
 permit tcp 8.14.139.0 0.0.0.255 any eq 5060
 permit udp 8.14.139.0 0.0.0.255 any eq 5061
 permit tcp 8.14.139.0 0.0.0.255 any eq 5061
 deny udp any any eq 1720
 deny tcp any any eq 1720
 deny udp any any eq 2517
 deny tcp any any eq 2517
 deny udp any any eq 5060
 deny tcp any any eq 5060
 deny udp any any eq 5061
 deny tcp any any eq 5061
 permit ip any any
ip access-list extended Vodex_VOIP_Control
 permit udp host 8.14.139.68 eq 5060 any
 permit udp host 8.14.139.8 eq 5060 any
 permit udp any host 8.14.139.68 eq 5060
 permit udp any host 8.14.139.8 eq 5060
 permit udp 208.86.44.160 0.0.0.15 eq 5060 any
 permit udp any 208.86.44.160 0.0.0.15 eq 5060
ip access-list extended Vodex_VOIP_RTP
 permit udp host 8.14.139.68 range 40000 40301 any
 permit udp any host 8.14.139.68 range 40000 40301
 permit udp any host 8.14.139.11 range 3000 65535
 permit udp any 8.14.139.12 0.0.0.3 range 3000 65535
 permit udp any host 8.14.139.16 range 3000 65535
 permit udp any host 8.14.139.20 range 3000 65535
!
no cdp run
!
So far I have tried entering the "ip tcp adjust-mss 1452" as well as "no ip source-route" commands.
Thanks for the help in advance!
02-28-2017 12:01 AM
On the vlan1 interface try adding:
ip tcp adjust-mss 1400
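Added example, not part of the thread: a Python check that reads IOS interface stanzas and reports which routed, enabled interfaces carry `ip tcp adjust-mss`, and how much encapsulation overhead each clamp leaves room for. The sample config is constructed from the interface stanzas in the post with the suggested command added to Vlan1; the function names are hypothetical, and the arithmetic assumes a 1500-byte MTU and 40 bytes of IPv4 plus TCP headers without options.

```python
import re

# Constructed sample: interface stanzas trimmed from the posted config,
# with the clamp suggested in the reply applied to Vlan1 only.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.252
 ip access-group Firewall_In in
!
interface FastEthernet0/1
 no ip address
 shutdown
!
interface FastEthernet0/2/0
!
interface Vlan1
 ip address x.x.x.x 255.255.255.248
 ip tcp adjust-mss 1400
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", raw)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # "!" or any global command ends the stanza
    return interfaces

def mss_report(config, mtu=1500):
    """Report the MSS clamp on each routed, enabled interface."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        routed = any(l.startswith("ip address ") for l in lines)
        if "shutdown" in lines or not routed:
            continue  # no clamp is needed where no IP traffic is forwarded
        hits = [re.fullmatch(r"ip tcp adjust-mss (\d+)", l) for l in lines]
        mss = next((int(h.group(1)) for h in hits if h), None)
        # Largest clamped packet = MSS + 20 (IPv4) + 20 (TCP, no options).
        packet = mss + 40 if mss is not None else None
        headroom = mtu - packet if mss is not None else None
        report[name] = {"mss": mss, "max_packet": packet, "headroom": headroom}
    return report
```

`headroom` is the number of bytes of tunnel or encapsulation overhead the path can add before a full-size clamped segment exceeds the assumed MTU; an interface reported with `mss` of `None` forwards TCP SYNs with the hosts' original MSS.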
 
					
				
				
			
		