
Help please!!! Trouble connecting to the internet using PPPoE with Cisco 2811

AndresBecker
Level 1

I bought a Cisco 2811 router to replace the modem (2Wire) that my ISP gave me. To do this I put my ISP's modem in bridge mode and set up a point-to-point link through the interface Fe0/0 (PPPoE). I successfully achieved the link; however, I can only access a few web sites like Google or YouTube, although I can ping any page without any problems.

I leave a "show run" below. If anyone can help me I will appreciate it very much!!! Greetings!

Current configuration : 1811 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Clabeck
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password -------
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool CLABECK
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 200.33.146.193 200.33.146.201
!
!
ip name-server 200.33.146.193
no ipv6 cef
multilink bundle-name authenticated
!
!
voice-card 0
!
!
archive
 log config
  hidekeys
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname exampe@example.com
 ppp chap password 0 ---------
 ppp pap sent-username example@example password 0 --------
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
 password ------
 login
line aux 0
line vty 0 4
 password ------
 login
!
scheduler allocate 20000 1000
end


Accepted Solutions

phil.davenport
Level 1

Hi,

'ip tcp adjust-mss 1452' under the dialer interface should hopefully solve it; if not, just try dropping to 800 and retest. You should set your MTU back to 1492 first. This will rewrite the MSS value sent by the client on your side when it goes out toward the Internet.

There is an overhead of 8 bytes for the PPP header, and if the packet being returned from the webserver is over 1492 it may be being dropped rather than fragmented. You mention some sites as working; this is likely because the MSS used in the communication is set low enough by the webserver in the SYN-ACK (the lowest value exchanged between client and server is used) for those sites, so you don't run into packets being over 1492 bytes.

Break out Wireshark on the local machine and you can see what is being sent in the SYN and what is received back in the SYN-ACK. You could also use 'debug ip packet' if there's not too much going through the router.

Please rate if it solves the problem.

--Phil
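
The arithmetic and the SYN rewrite described in this answer, as an added Python example (not part of the original post and not Cisco's implementation): it parses the MSS option from constructed TCP segments, clamps it to 1452, and compares the resulting packet sizes with the 1492-byte PPPoE MTU, using the answer's model that the lowest MSS exchanged is used. The addresses, ports and function names are assumptions made for the illustration.

```python
import struct

LINK_MTU = 1500 - 8            # Ethernet payload minus the 8-byte PPPoE/PPP overhead
CLAMP = LINK_MTU - 20 - 20     # minus IPv4 and TCP headers without options = 1452
# Constructed pseudo-header prefix: source, destination, zero byte, protocol 6.
PSEUDO = bytes([192, 168, 1, 60, 203, 0, 113, 10, 0, 6])

def ones_sum(data):
    """16-bit ones-complement sum, as used by the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def with_checksum(seg):
    """Return the segment with its checksum field recomputed."""
    seg = seg[:16] + b"\x00\x00" + seg[18:]
    check = 0xFFFF ^ ones_sum(PSEUDO + struct.pack("!H", len(seg)) + seg)
    return seg[:16] + struct.pack("!H", check) + seg[18:]

def build_syn(mss, flags=0x02):
    """Constructed sample: 24-byte TCP header whose only option is MSS."""
    hdr = struct.pack("!HHIIHHHH", 50000, 80, 1, 0, (6 << 12) | flags, 65535, 0, 0)
    return with_checksum(hdr + struct.pack("!BBH", 2, 4, mss))

def find_mss(seg):
    """Walk the TCP options; return (offset of the MSS value, MSS) or None."""
    end, i = (seg[12] >> 4) * 4, 20
    while i < end and seg[i] != 0:             # kind 0 ends the option list
        if seg[i] == 1:                        # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            return None                        # malformed option: stop parsing
        if seg[i] == 2 and seg[i + 1] == 4:    # kind 2, length 4 is MSS
            return i + 2, struct.unpack_from("!H", seg, i + 2)[0]
        i += seg[i + 1]
    return None

def clamp_syn(seg, limit=CLAMP):
    """Lower an oversized MSS in a SYN or SYN-ACK, leaving other segments alone."""
    hit = find_mss(seg)
    if not seg[13] & 0x02 or hit is None or hit[1] <= limit:
        return seg
    return with_checksum(seg[:hit[0]] + struct.pack("!H", limit) + seg[hit[0] + 2:])

def largest_packet(syn, syn_ack):
    """IP packet size when both sides send full segments at the lower MSS."""
    return min(find_mss(syn)[1], find_mss(syn_ack)[1]) + 20 + 20
```

With both ends advertising 1460, full-size packets are 1500 bytes and exceed the link; after the clamp they are exactly 1492, and a server that advertises 1380 on its own stays under the limit either way, which matches the "some sites work" symptom.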


8 Replies

sleepyshark
Level 1

Sounds like a DNS issue. When you say you can reach "some sites" on the internet, can you please expand on that and answer these questions.

Can you ping google.com from your computer?

Can you ping 74.125.159.103 from your computer?

Can you ping both of those from the CLI of your router?

Also run NSLOOKUP from your computer and try to resolve other sites like msn.com, cnn.com, bbc.co.uk, etc. (see if it works).

If you CAN ping from your computer and not router, you need to check your DNS settings.

Sean

http://www.sleepyshark.com

Hi Sean Brown, and thanks for your quick response and your time, but I think that the problem is not the DNS, because I changed both to those of Google (8.8.8.8 / 8.8.4.4) and I have the same problem. I can ping any web site, with the name or the IP of the web site, from the computer and the CLI of my router. I also note that I can get into youtube.com but the video does not load.

I leave you a "show run" below with the new configuration. Thanks for all and have a nice weekend.

Current configuration : 1793 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Clabeck
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password ---------
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool CLABECK
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 8.8.8.8 8.8.4.4
!
!
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!
!
voice-card 0
!
!
archive
 log config
  hidekeys
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname example@example.com
 ppp chap password 0 -------
 ppp pap sent-username example@example.com password 0 -----------
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
 password -------
 login
line aux 0
line vty 0 4
 password --------
 login
!
scheduler allocate 20000 1000
end

jefsims
Level 1

Hi Andres,

I can see you have specified in your DHCP config 2 external DNS servers. I take it these are for your ISP? Can you ping those?

In most computers (any OS) you should be able to run a command "nslookup" which when you use it looks a little something like this.

C:\Users>nslookup
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> www.hotmail.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    dispatch.kahuna.glbdns.microsoft.com
Addresses:  64.4.56.215
          64.4.2.103
Aliases:  www.hotmail.com

If you get a response like that, your DNS is working fine and so is your data flow. It could be the sites you're trying to access. Like Sean said, if you can ping from your PC but not get to websites, then your DNS is broken; the above command, like Sean said, should help you confirm if DNS is your trouble. The other way you can test it is to set your DNS to commonly used public DNS servers (like I have, for example; I use 8.8.8.8 for testing against my ISP's one, given it's run by Google it's fairly well known to be reliable and up to date).

Your config looks fine and I don't see any flaws with the exception of a couple of points for future reference:

- When posting to a public forum, strip your passwords, right now your PPPoE password is exposed to the internet. I would suggest changing it.

- You have ip http server enabled. If you don't need HTTP, turn it off or at least block it from the outside world with an ACL.

Cheers

Jeff   
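
One way to follow the advice above before posting a "show run", as an added Python example (not part of the original post and not a Cisco tool): it redacts the password and PPPoE account lines of the kinds seen in this thread, including type 7 strings, which are reversible obfuscation rather than hashes, and warns when 'ip http server' is enabled. The sample config is constructed, and the rule list covers only the commands that appear in this thread.

```python
import re

# (pattern, replacement): group 1 keeps the command keyword, the value is dropped.
# Treating the PPPoE account name as sensitive is an assumption of this example.
SECRET_RULES = [
    (r"^([ \t]*enable (?:password|secret)(?: \d+)?) .+$", r"\1 <removed>"),
    (r"^([ \t]*ppp chap hostname) .+$", r"\1 <removed>"),
    (r"^([ \t]*ppp chap password(?: \d+)?) .+$", r"\1 <removed>"),
    (r"^([ \t]*ppp pap sent-username) \S+ (password(?: \d+)?) .+$",
     r"\1 <removed> \2 <removed>"),
    (r"^([ \t]*password(?: \d+)?) .+$", r"\1 <removed>"),   # line con / vty
]

def sanitize(config):
    """Return (redacted config, lines redacted, warnings) for a 'show run'."""
    redacted = 0
    for pattern, repl in SECRET_RULES:
        config, count = re.subn(pattern, repl, config, flags=re.M)
        redacted += count
    warnings = []
    if re.search(r"^ip http server[ \t]*$", config, flags=re.M):
        warnings.append("ip http server is enabled")
    return config, redacted, warnings

# Constructed sample, not taken from the thread.
SAMPLE = """\
enable password 7 0123456789ABCDEF
ip http server
interface Dialer1
 ip tcp adjust-mss 1452
 ppp chap hostname user@isp.example
 ppp chap password 0 constructed-secret
 ppp pap sent-username user@isp.example password 0 constructed-secret
line vty 0 4
 password constructed-secret
 login
"""

if __name__ == "__main__":
    clean, redacted, warnings = sanitize(SAMPLE)
    print(clean)
    print(redacted, "lines redacted;", warnings)
```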

Hi Jeffrey Sims, and thanks for your quick response, your time and the recommendation about security. As you can see in my other answer I changed the DNS, and also the security :s I think that the problem is in the link, but I don't have any idea where… I also wonder if the problem could be in the hardware? But I hope not. Do you have another idea???

Thanks for all and have a nice weekend.

You've hard set the MTU on the dialer interface. Set it to 1350 and test again.


Hi Andres,

As Jeff Van Houten suggested, the MTU can be a factor with some protocols. When you changed the DNS, what happened? Can you paste the results when you try doing things so we get some idea about what is occurring?

What happens when you try to browse the internet?

- Do you get specific HTTP errors?

- What pages don't work?

Can you confirm the packets are being NATed correctly?

- Verify this with 'show access-lists' and see if you see 'hits' against your ACL for NAT.

- Confirm NAT even works with 'show ip nat statistics'.

Can the router reach the DNS server?

- Verify with 'ping x.x.x.x size 1000 re 1000' (which will send 1000 packets of 1000 bytes to the DNS server).

Can your PC reach the DNS server?

- 'nslookup' command will tell you this.

- 'ping x.x.x.x -n 1000' will send 1000 packets. This should also confirm if the ACL is working correctly.

Have you contacted your ISP / Provider to verify the way you are authenticating and the settings you have in place are correct?

I would also try completely removing the MTU command with 'no MTU xxxx' to see if the dialer will negotiate the MTU with the far end; otherwise, like Jeff Van Houten suggested, slowly start reducing it down until your issues subside.

When you do these tests, can you paste the output into your reply so those who are replying to help you can see what the responses are? This will help us in trying to diagnose the fault for you.

Kind Regards,

Jeff


AndresBecker
Level 1

Thanks everyone (especially phil.davenport, Jeffrey Sims, Jeff Van Houten, Sean Brown) for your help, time and attention. In the end the problem was the one that phil.davenport described; I just had to return the MTU to 1492 and add the command "ip tcp adjust-mss 1452" under the interface Dialer1.

I leave a "show run" below with the correct configuration in case someone else needs it. Again, thanks a lot to everyone!!! And have a very nice day. Greetings!!!!

Current configuration : 1878 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Clabeck
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password 7 11391815161E0418017B7B
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool CLABECK
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 8.8.8.8 8.8.4.4
!
!
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname clabeck@prodigy.net.mx
 ppp chap password 7 00051F0B055D0E515C7515
 ppp pap sent-username clabeck@prodigy.net.mx password 7 1108150816140E5B577E72
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
 password 7 152A12250E217C707D
 login
line aux 0
line vty 0 4
 password 7 12300F1C2A125B507F
 login
!
scheduler allocate 20000 1000
end
