02-02-2007 01:04 AM - edited 03-03-2019 03:36 PM
Dear,
I've recently installed a new 2821 router to replace an SMC ADSL modem. Since then, the LAN cannot browse some websites, e.g. http://www.isabel.be, http://www.msn.com, http://www.sapo.pt.
Other websites work fine. There are no restrictions yet on the router - below the config. Any idea how to solve this issue? Thanks!!
---
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname roupt01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 debugging
logging console critical
enable password 7
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
no ip bootp server
ip name-server 195.x.129.126
ip name-server 194.x.69.222
ip ssh time-out 60
ip ssh authentication-retries 2
!
voice-card 0
no dspfarm
!
username admin privilege 15 password 7
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key address 193.x.93.27
!
crypto ipsec transform-set sonicwall esp-aes esp-sha-hmac
!
crypto map sonicwallmap 10 ipsec-isakmp
set peer 193.x.93.27
set security-association lifetime seconds 28800
set transform-set sonicwall
match address 120
!
interface GigabitEthernet0/0
description UPT_Lan
no ip address
no ip proxy-arp
ip mtu 1452
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.10
description Logistics
encapsulation dot1Q 10
ip address 172.x.x.200 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.11
description Upstairs
encapsulation dot1Q 11
ip address 10.35.1.161 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface GigabitEthernet0/0.99
description Linux_Server
encapsulation dot1Q 99
ip address 10.35.3.161 255.255.255.0
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
crypto map sonicwallmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.137.205.84 255.255.255.255 172.27.0.2
!
ip dns server
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface Dialer0 overload
!
no logging trap
access-list 110 deny ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 110 deny ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 110 permit ip 172.27.0.0 0.0.0.255 any
access-list 110 permit ip 10.35.0.0 0.0.3.255 any
access-list 120 permit ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
password 7
login
transport output telnet
line aux 0
transport output none
line vty 0 4
password 7
login
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
02-02-2007 01:22 AM
Hello,
you might run into MTU related issues. Some - and not all - servers will set the DF bit and thus the IP packet will not reach you, if the packet size is above the interface MTU.
Can you try "ip tcp mss-adjust 1400" on the dialer interface? Detailed description of the command and the feature can be found in "TCP MSS Adjustment"
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
Basically the router intercepts the TCP session setup to enforce a maximum session size low enough to avoid packets larger than the interface MTU.
Hope this helps! Please rate all posts.
Regards, Martin
02-15-2007 05:01 PM
Hi
Try using ip tcp adjust-mss 1360 on the LAN interfaces. There are a lot of MTU issues over DSL.
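The MSS adjustment both replies recommend, as an added Python example (not part of the original thread and not Cisco's implementation): it lowers the MSS option in a TCP SYN and patches the TCP checksum incrementally per RFC 1624, which is the rewrite a clamping router applies to the session setup. The function names, addresses, ports and sample segment are constructed for illustration; with the posted `ip mtu 1452`, at most 1452 - 40 = 1412 bytes of TCP payload fit in one packet, so both 1400 and 1360 stay under the limit.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN segment to max_mss; other input is returned unchanged."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len < 20 or hdr_len > len(tcp) or not tcp[13] & 0x02:
        return tcp                      # truncated, bogus data offset, or not a SYN
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:      # kind 0 = end of option list
        if tcp[i] == 1:                 # kind 1 = NOP, a single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > hdr_len:
            return tcp                  # malformed option: do not touch the packet
        if tcp[i] == 2 and length == 4: # kind 2 = Maximum Segment Size
            if struct.unpack_from("!H", tcp, i + 2)[0] <= max_mss:
                return tcp              # already small enough
            out = bytearray(tcp)
            lo, hi = (i + 2) & ~1, (i + 5) & ~1   # 16-bit aligned span holding the value
            old_words = bytes(out[lo:hi])
            struct.pack_into("!H", out, i + 2, max_mss)
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m'), no pseudo-header needed
            inv_hc = struct.pack("!H", ~struct.unpack_from("!H", out, 16)[0] & 0xFFFF)
            inv_old = bytes(b ^ 0xFF for b in old_words)
            struct.pack_into("!H", out, 16, csum16(inv_hc + inv_old + bytes(out[lo:hi])))
            return bytes(out)
        i += length
    return tcp

def sample_syn(mss: int, pad_nop: bool = False):
    """Constructed SYN (documentation addresses); returns (pseudo_header, tcp_header)."""
    opts = (b"\x01" if pad_nop else b"") + struct.pack("!BBH", 2, 4, mss)
    opts += b"\x01" * (-len(opts) % 4)
    hdr = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    pseudo = bytes([192, 0, 2, 1, 198, 51, 100, 7, 0, 6]) + struct.pack("!H", len(hdr + opts))
    seg = bytearray(hdr + opts)
    struct.pack_into("!H", seg, 16, csum16(pseudo + bytes(seg)))
    return pseudo, bytes(seg)
```

A receiver verifies the result by summing the pseudo-header and the segment: `csum16(pseudo + clamp_mss(syn, 1400))` is 0 when the patched checksum is valid.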