Certain [Internet] sites cannot connect, TCP MSS?

TheGoob
Level 4

Morning

So I have vDSL with an FPR1010 [FDM]. The DSL router is set to bridge mode and the FPR is doing the PPPoE. Now back when I first set this up, several pages would not load. Back then I could ping them [IP] as well as hostname; so I can ping yahoo.com and 74.6.143.25 just fine, but connecting to them would just time out. After some research and what not, it came to be that under FlexConfig I ran the command 'sysopt connection tcpmss 1380' and then all worked just fine. It has worked fine for 2 or so years.. These past 2 days I noticed I could not connect to my Yahoo email via WiFi but ignored it until my gf said she cannot either.. So then I plugged my PC directly into GE 1/1 [simple default NAT 'inside to outside' and then trust ACL inside to out], very standard... Bypassing WiFi etc, and I cannot connect to Yahoo. I verified sysopt connection tcpmss 1380 was still there; it is. I removed it, re-did it. Nothing I do can allow me to connect..

Accepted Solution

TheGoob
Level 4

Factory-reset, reconfigured everything..works fine now.


16 Replies

TheGoob
Level 4

Oh, here is the current running-config; I find it weird though that ON the FDM I have the FlexConfig set, but here I do not see it mentioned, unless it would not show that.

 

:
: Serial Number: JAD2537040H
: Hardware:   FPR-1010, 2587 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
NGFW Version 7.4.1
!
hostname FPR1010
enable password ***** encrypted
strong-encryption-disable
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto



!
interface Vlan1
 nameif inside
 security-level 0
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan2
 shutdown
 nameif fbeye
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan3
 shutdown
 nameif fhc
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan4
 shutdown
 nameif ceyea
 security-level 0
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan5
 shutdown
 nameif proxmox
 security-level 0
 ip address 192.168.4.2 255.255.255.0
!
interface Vlan6
 shutdown
 nameif 177
 security-level 0
 ip address 192.168.6.2 255.255.255.0
!
interface Vlan7
 nameif throughput
 security-level 0
 ip address 192.168.7.2 255.255.255.0
!
interface Ethernet1/1
 no switchport
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 pppoe client vpdn group HomeDSL
 ip address pppoe setroute
!
interface Ethernet1/2
 switchport
 no security-level
!
interface Ethernet1/3
 switchport
 switchport access vlan 2
 no security-level
!
interface Ethernet1/4
 switchport
 switchport access vlan 3
 no security-level
!
interface Ethernet1/5
 switchport
 switchport access vlan 4
 no security-level
!
interface Ethernet1/6
 switchport
 switchport access vlan 5
 no security-level
!
interface Ethernet1/7
 switchport
 switchport access vlan 7
 power inline never
 no security-level
!
interface Ethernet1/8
 no switchport
 power inline never
 nameif nexus
 security-level 0
 ip address 192.168.8.1 255.255.255.0
!
interface Management1/1
 management-only
 nameif management
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 2620:119:35::35
dns server-group Google
 name-server 8.8.8.8
 name-server 1.1.1.1
 name-server 8.8.4.4
dns-group Google
no object-group-search access-control
object network fhc_lan
 subnet 192.168.2.0 255.255.255.0
object network 177_lan
 subnet 192.168.6.0 255.255.255.0
object network OMV
 host 192.168.2.181
object network any-ipv6
 subnet ::/0
object network IPv4-Private-10.0.0.0-8
 subnet 10.0.0.0 255.0.0.0
object network IPv4-Private-172.16.0.0-12
 subnet 172.16.0.0 255.240.0.0
object network IPv4-Private-192.168.0.0-16
 subnet 192.168.0.0 255.255.0.0
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network fbeye_lan
 subnet 192.168.1.0 255.255.255.0
object network fbeye_wan
 host X.X.X.180
object network 177_wan
 host X.X.X.177
object network ceyea_wan
 host X.X.X.179
object network proxmox_lan
 subnet 192.168.4.0 255.255.255.0
object network fbeye_mail
 host 192.168.1.180
object network fhc_wan
 host X.X.X.181
object network ceyea_lan
 subnet 192.168.3.0 255.255.255.0
object network proxmox_wan
 host X.X.X.178
object network pihole
 host 192.168.4.115
object network OMV-177
 host 192.168.6.177
object network Proxmox-178
 host 192.168.4.178
object network proxmox-omv7
 host 192.168.4.117
object network fpr_wan
 host X.X.X.182
object network inside_lan
 subnet 192.168.5.0 255.255.255.0
object network Proxmox_CML
 host 192.168.4.121
object network ceyea
 host 192.168.3.1
object network nexus-fpr
 host 192.168.8.2
object service _|NatOrigSvc_550f3e67-a1ec-11ee-b89e-21591b09710f
 service tcp source eq 993
object service _|NatMappedSvc_550f3e67-a1ec-11ee-b89e-21591b09710f
 service tcp source eq 993
object service _|NatOrigSvc_08422684-a1f0-11ee-b89e-c9851e1fd84b
 service tcp source eq smtp
object service _|NatMappedSvc_08422684-a1f0-11ee-b89e-c9851e1fd84b
 service tcp source eq smtp
object service _|NatOrigSvc_e9eaaec3-a1e8-11ee-b89e-f7caaf1a62d8
 service tcp source eq https
object service _|NatMappedSvc_e9eaaec3-a1e8-11ee-b89e-f7caaf1a62d8
 service tcp source eq https
object service _|NatOrigSvc_3b15a110-a2d9-11ee-b89e-7776e4a8dfa5
 service tcp source eq www
object service _|NatMappedSvc_3b15a110-a2d9-11ee-b89e-7776e4a8dfa5
 service tcp source eq www
object-group network IPv4-Private-All-RFC1918
 network-object object IPv4-Private-10.0.0.0-8
 network-object object IPv4-Private-172.16.0.0-12
 network-object object IPv4-Private-192.168.0.0-16
object-group service |acSvcg-268435457
 service-object ip
object-group service |acSvcg-268435477
 service-object icmp unreachable 0
 service-object icmp time-exceeded 0
object-group service |acSvcg-268435460
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq www
 service-object udp destination eq 443
object-group service |acSvcg-268435469
 service-object tcp destination eq smtp
 service-object tcp destination eq 993
object-group service |acSvcg-268435461
 service-object tcp destination eq 32400
object-group service |acSvcg-268435462
 service-object udp destination eq 51820
object-group service |acSvcg-268435463
 service-object tcp destination eq ssh
object-group service |acSvcg-268435475
 service-object tcp destination eq www
object-group service |acSvcg-268435473
 service-object tcp destination eq ssh
 service-object tcp destination eq sunrpc
 service-object tcp destination eq 445
 service-object tcp destination eq nfs
 service-object tcp destination eq 8080
 service-object tcp destination eq 8083
 service-object tcp destination eq 8787
 service-object tcp destination eq 8810
 service-object tcp destination eq 8888
 service-object tcp destination eq 8989
 service-object tcp destination eq 9000
 service-object tcp destination eq 9443
 service-object tcp destination eq 9696
 service-object udp destination eq sunrpc
 service-object udp destination eq 445
 service-object udp destination eq nfs
object-group service |acSvcg-268435471
 service-object tcp destination eq ssh
 service-object tcp destination eq 81
 service-object tcp destination eq https
 service-object tcp destination eq 445
 service-object tcp destination eq 2999
 service-object tcp destination eq 4443
 service-object tcp destination eq 5656
 service-object tcp destination eq 7878
 service-object tcp destination eq 8080
 service-object tcp destination eq 8185
 service-object tcp destination eq 8443
 service-object tcp destination eq 8870
 service-object tcp destination eq 9000
 service-object tcp destination eq 9020
 service-object tcp destination eq 9090
 service-object tcp destination eq 9443
 service-object tcp destination eq 25600
 service-object tcp destination eq 32400
 service-object tcp destination eq 61208
 service-object udp destination eq 445
object-group service |acSvcg-268435472
 service-object tcp destination eq domain
 service-object udp destination eq domain
object-group service |acSvcg-268435476
 service-object tcp destination eq ssh
 service-object tcp destination eq 8006
object-group service |acSvcg-268435478
 service-object tcp destination eq https
 service-object tcp destination eq 9090
object-group service |acSvcg-268435479
 service-object tcp destination eq 2280
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc nexus any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435477: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435477: L5 RULE: ICMP11-3
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435477 ifc outside any ifc inside any rule-id 268435477
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: 181_NGINX_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 ifc outside any ifc nexus object OMV rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: fbeye_mail_in
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 ifc outside any ifc nexus object fbeye_mail rule-id 268435469
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: 181_Plex_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc outside any ifc nexus object OMV rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: 181_Wireguard_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc outside any ifc nexus object OMV rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: 181_SSH_Access_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc outside any ifc nexus object OMV rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435475: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435475: L5 RULE: PiHole_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435475 ifc inside any ifc nexus object pihole rule-id 268435475
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435475 ifc nexus any ifc nexus object pihole rule-id 268435475
access-list NGFW_ONBOX_ACL remark rule-id 268435473: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435473: L5 RULE: OMV-177_IN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435473 ifc inside any ifc nexus object OMV-177 rule-id 268435473
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435473 ifc nexus any ifc nexus object OMV-177 rule-id 268435473
access-list NGFW_ONBOX_ACL remark rule-id 268435471: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435471: L5 RULE: OMV-181_IN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc inside any ifc nexus object OMV rule-id 268435471
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435471 ifc nexus any ifc nexus object OMV rule-id 268435471
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: DNS_LAN
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435472 ifc inside any ifc nexus object pihole rule-id 268435472
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435472 ifc nexus any ifc nexus object pihole rule-id 268435472
access-list NGFW_ONBOX_ACL remark rule-id 268435476: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435476: L5 RULE: Proxmox_178_In
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435476 ifc inside any ifc nexus object Proxmox-178 rule-id 268435476
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435476 ifc nexus any ifc nexus object Proxmox-178 rule-id 268435476
access-list NGFW_ONBOX_ACL remark rule-id 268435478: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435478: L5 RULE: Proxmox_CML
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435478 ifc inside any ifc nexus object Proxmox_CML rule-id 268435478
access-list NGFW_ONBOX_ACL remark rule-id 268435479: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435479: L5 RULE: fbeye_ssh_lan
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435479 ifc inside any ifc nexus object fbeye_mail rule-id 268435479
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu inside 1500
mtu fbeye 1500
mtu fhc 1500
mtu ceyea 1500
mtu proxmox 1500
mtu 177 1500
mtu throughput 1500
mtu outside 1500
mtu nexus 1500
mtu management 1500
no failover
failover replication http
no monitor-interface inside
no monitor-interface fbeye
no monitor-interface fhc
no monitor-interface ceyea
no monitor-interface proxmox
no monitor-interface 177
no monitor-interface throughput
no monitor-interface nexus
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
management-interface convergence
nat (nexus,outside) source static fbeye_mail fbeye_wan service _|NatOrigSvc_550f3e67-a1ec-11ee-b89e-21591b09710f _|NatMappedSvc_550f3e67-a1ec-11ee-b89e-21591b09710f
nat (nexus,outside) source static fbeye_mail fbeye_wan service _|NatOrigSvc_08422684-a1f0-11ee-b89e-c9851e1fd84b _|NatMappedSvc_08422684-a1f0-11ee-b89e-c9851e1fd84b
nat (nexus,outside) source dynamic ceyea_lan ceyea_wan
nat (nexus,outside) source dynamic fbeye_lan fbeye_wan
nat (nexus,outside) source static OMV fhc_wan service _|NatOrigSvc_e9eaaec3-a1e8-11ee-b89e-f7caaf1a62d8 _|NatMappedSvc_e9eaaec3-a1e8-11ee-b89e-f7caaf1a62d8
nat (nexus,outside) source static OMV fhc_wan service _|NatOrigSvc_3b15a110-a2d9-11ee-b89e-7776e4a8dfa5 _|NatMappedSvc_3b15a110-a2d9-11ee-b89e-7776e4a8dfa5
nat (nexus,outside) source dynamic fhc_lan fhc_wan
nat (nexus,outside) source dynamic proxmox_lan proxmox_wan
nat (nexus,outside) source dynamic 177_lan 177_wan
!
nat (inside,outside) after-auto source dynamic any-ipv4 interface

route nexus 192.168.1.0 255.255.255.0 192.168.8.2 1
route nexus 192.168.2.0 255.255.255.0 192.168.8.2 1
route nexus 192.168.3.0 255.255.255.0 192.168.8.2 1
route nexus 192.168.4.0 255.255.255.0 192.168.8.2 1
route nexus 192.168.6.0 255.255.255.0 192.168.8.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
ip-client outside
ip-client outside ipv6
ip-client management
ip-client management ipv6
ip-client fbeye
ip-client fbeye ipv6
ip-client fhc
ip-client fhc ipv6
ip-client ceyea
ip-client ceyea ipv6
ip-client proxmox
ip-client proxmox ipv6
ip-client 177
ip-client 177 ipv6
ip-client throughput
ip-client throughput ipv6
ip-client nexus
ip-client nexus ipv6
ip-client inside
ip-client inside ipv6
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
no sysopt connection permit-vpn
crypto ipsec security-association pmtu-aging infinite
crypto ca permit-weak-crypto
crypto ca trustpool policy
telnet timeout 10
ssh 0.0.0.0 0.0.0.0 inside
console timeout 0
vpdn group HomeDSL request dialout pppoe
vpdn group HomeDSL localname X.X.X.X
vpdn group HomeDSL ppp authentication chap
vpdn username X.X.X.X
dhcpd dns 205.171.3.65 205.171.2.65
!
dhcpd address 192.168.1.101-192.168.1.254 fbeye
!
dhcpd address 192.168.2.101-192.168.2.254 fhc
!
dhcpd address 192.168.4.116-192.168.4.254 proxmox
!
dhcpd address 192.168.6.101-192.168.6.254 177
!
dhcpd address 192.168.5.3-192.168.5.254 inside
dhcpd enable inside
!
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
class-map class_snmp
 match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect xdmcp
 class class_snmp
  inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
snort preserve-connection
snort multichannel-lb enable
no dp-tcp-proxy
Cryptochecksum:ef93df71a0bc639c7d86b73067335dab
: end

 

TheGoob
Level 4

What is strange is, I can ping -l 1380, 1460 and 1500 yahoo.com and they all come back perfect. I ping the domain and the related IP and all is fine. I just cannot go to the site, or even msn.com (in testing).
I do a tracert and see a *   * but it definitely appears on the other side of the ISP network, or at least not local to me. I also tried 8.8.8.8, 1.1.1.1, default ISP DNS. It is not just physical LAN, the WiFi does the same as well. But this forum, for example, loads fine. Oh, but speedtest.net does not. Hulu and Netflix won’t load, but Microsoft online gaming does. I have no blocking ACLs or off mats. This all worked for over a year till 2 days ago.

acSvcg-268435460

This service object is applied with an ACL from OUTside to INside;
you need the same service object applied with an ACL from INside to OUTside.
MHM

Any idea as to how out of the blue this service object was removed? I have never heard of it, so I had never even applied it in the first place. Being that I have never heard of it, I will have to do some research and figure out how to even re-apply it to the Inside_to_outside.

Wait, you mention that you never added this object?
If yes, then by default it allows HTTP to the FPR.

Check
show asp drop

to check why HTTP traffic drops.
MHM

When I get home in a little I will… That object specifically, no? By default the FPR has an inside_to_outside Trust ACL and I never added/removed or modified that. Also the NAT was the default auto NAT, inside network to outside interface… All the defaults (in case I’m stating them wrong). That’s what threw me off. But I’ll get you that information in a bit. Thank you.

Not sure what this means, but,

[Note: when it did work, I had ZERO [0] static routes; now I have input 1 from FPR to Nexus. Could creating a route from FPR to NEXUS have done some sort of cancellation of the FPR to Internet route?]

 

show asp drop

Frame drop:
  Invalid TCP Length (invalid-tcp-hdr-length)                                  3
  No valid adjacency (no-adjacency)                                           68
  No route to host (no-route)                                               6365
  Reverse-path verify failed (rpf-violated)                                    8
  Flow is denied by configured rule (acl-drop)                             61896
  First TCP packet not SYN (tcp-not-syn)                                    2096
  TCP failed 3 way handshake (tcp-3whs-failed)                               197
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 1144
  TCP packet SEQ past window (tcp-seq-past-win)                                6
  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  20
  TCP packet failed PAWS test (tcp-paws-fail)                                  1
  Slowpath security checks failed (sp-security-failed)                      1935
  Expired flow (flow-expired)                                                 27
  FP L2 rule drop (l2_acl)                                                 94931
  Interface is down (interface-down)                                      188096
  Connection to PAT address without pre-existing xlate (nat-no-xlate-to-pat-pool)                           34224
  Egress fragmentation needed (df-bit-set)                                    44
  Packet is blocked as requested by snort (snort-block)                        7

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                          624

Last clearing: Never

 

You need one default route toward the ISP
and a static route for each VLAN toward the NSK.
You cannot use a default route toward the NSK, if that is your question.
NOW
take a screenshot of show asp drop, then try the access and take it again, and see which count increases.
MHM
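The before/after comparison MHM suggests is easy to script rather than eyeball; this is an added example (mine, not Cisco's or anyone in the thread), and the two snapshots it embeds are constructed from the `show asp drop` output posted earlier, with the 'after' copy hand-edited so that two counters move:

```python
"""Diff two `show asp drop` snapshots from an FTD/ASA and report which drop
counters grew in between.  Added example for this thread, not Cisco code; the
snapshots are constructed from the output posted earlier, with the 'after'
copy hand-edited so that two counters move, as they might during one failed
page load.  The HINTS texts are this example's own readings of the counters."""
import re
from typing import Dict, List

# One counter line looks like:
#   Flow is denied by configured rule (acl-drop)                             61896
_COUNTER_RE = re.compile(r"^\s+(?P<desc>.+?)\s+\((?P<name>[^)]+)\)\s+(?P<count>\d+)\s*$")

HINTS = {
    "df-bit-set": "packet larger than egress MTU with DF set: PPPoE MTU / MSS clamp",
    "no-route": "no route for the destination: check the default route to the ISP",
    "acl-drop": "denied by an access rule",
    "tcp-3whs-failed": "SYN seen but the handshake never completed",
}

BEFORE = """Frame drop:
  No route to host (no-route)                                               6365
  Flow is denied by configured rule (acl-drop)                             61896
  TCP failed 3 way handshake (tcp-3whs-failed)                               197
  Egress fragmentation needed (df-bit-set)                                    44

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                          624
"""

AFTER = """Frame drop:
  No route to host (no-route)                                               6365
  Flow is denied by configured rule (acl-drop)                             61896
  TCP failed 3 way handshake (tcp-3whs-failed)                               198
  Egress fragmentation needed (df-bit-set)                                    47

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                          624
"""


def parse_asp_drop(text: str) -> Dict[str, int]:
    """Return {reason-name: count} for every counter line in a show asp drop dump.

    'Frame drop:' and 'Flow drop:' lines share the same shape, so one regex
    covers both; section headers and 'Last clearing' lines do not match it.
    """
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = _COUNTER_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count"))
    return counters


def increased_counters(before: str, after: str) -> Dict[str, int]:
    """Counters that rose between two snapshots, as {name: delta}.

    A counter only present in 'after' counts as rising from 0; one that
    vanished (e.g. after `clear asp drop`) is ignored.
    """
    b = parse_asp_drop(before)
    a = parse_asp_drop(after)
    return {n: a[n] - b.get(n, 0) for n in a if a[n] > b.get(n, 0)}


def explain(deltas: Dict[str, int]) -> List[str]:
    """One line per increased counter, largest delta first, with a hint if known."""
    lines = []
    for name, delta in sorted(deltas.items(), key=lambda kv: (-kv[1], kv[0])):
        hint = f"  ({HINTS[name]})" if name in HINTS else ""
        lines.append(f"{name}: +{delta}{hint}")
    return lines


if __name__ == "__main__":
    print("\n".join(explain(increased_counters(BEFORE, AFTER))))
```

Paste the real before/after output into BEFORE and AFTER; the counter that climbs on each failed page load is the one to chase.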

This is absolutely interesting…. Prior to messing with the Nexus I never needed an FPR to INTERNET route (probably because in its [then] simplicity it created its own). When I created the (5 VLAN on FPR to Nexus) route, I assumed the FPR took that as its “only” route. In testing, when I deleted the newly created VLAN to Nexus route, the original route having been changed, I now have working (fragmented (some things work, some down)) connectivity. Until I learn technical terms, this is how I will justify it.
Creating the route from FPR to Nexus deleted the default route. Deleting the Nexus route left me with no route.
Let me check here in a few minutes.

Darn I just confused myself!!!

I made,

a Nexus route with 6 VLAN interfaces all towards the Nexus on the 192.168.8.2 IP, so all VLANs have a route to the Nexus. As for the FPR to Internet, on the outside interface, 0.0.0.0/0 x.x.x.182 (FPR WAN address). Does this seem legit? Or do I need to do a static NAT for all 6 of my STATIC WAN IPs? Like each VLAN network to its WAN IP as its gateway on the outside interface?

Well I am stuck on making one default route from FPR to Internet.. My WAN/FPR IP is x.x.x.182, but when I use it, it does not let me, as it says;

 

ERROR: Invalid next hop address x.x.x.182, it matches our IP address
Config Error -- route outside 0.0.0.0 0.0.0.0 x.x.x.182 1

 

How the heck do I make a default route then?

I “forced” it to use the WAN IP. My setup is PPPoE and it [FPR] grabs the gateway WAN IP and assigns it to GE1/1. In my block of IPs it is the gateway IP too.. So I forced it, still no work. I did notice both of my 2 static routes have metric 2; does that have anything to do with it?
Honestly this all happened when I started incorporating the Nexus into my setup.. but now when I just plug into the FPR it still doesn’t work. Something somewhere got messed up. I’m just gonna factory restore this stupid thing.

Hello, stupid question maybe, and I am not sure if that is mentioned already somewhere in this thread, but did you reboot the FPR?

TheGoob
Level 4

My friend, definitely not stupid but actually refreshing. But yes I did.. This has been 1-2 days weird. This morning when I left I rebooted the FPR and Nexus.. I even bypassed the Nexus and connected 1 PC directly to VLAN 1 [GE 1/2] on the FPR, and it grabbed an IP and I let it sit all day. Came home and still, Google works, this site works, but so many don't. What is crazy is I can ping the sites I can NOT go to, both IP and host domain, and they come back perfect.

TheGoob
Level 4

I had mentioned this earlier.. A few years ago I had the [exact] problem.. It was apparently due to my using PPPoE and having to change the MSS to 1380. And instantly it worked. Being that this is a FlexConfig configuration, will I see it? 'sysopt connection tcpmss 1380', because my 'show running-config' does NOT show it, and I am wondering if FlexConfig is glitching?

I wonder if 'sysopt connection tcpmss 1380' is antiquated and/or not correct usage in Version 7.4.1.
