cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1319
Views
1
Helpful
2
Replies

Problems to reach some websites

Hi,
I'm asking for your help about a problem I have been struggling with for about a month.
Background information:
- 3 client computers (2 on Windows Seven, 1 on XP), 
- 1 Windows 2012 server (AD service active)
- ASA 5505 router for the WAN connection (Orange as provider)
- PPPoe Authentication used with DSL provider box set in modem mode

Problem:
All clients except ONE (on Windows seven) have problems to reach some websites. Some work well, but for others, it keeps waiting for the connection until a timeout error message.
The clients affected are also unable to update the virus database.
Using an anonymizer service as anype.com, I can finally reach the websites that timed out...

The affected clients use the same DHCP as the one that works.
Sending a ping from the affected clients to the unusable websites gives the good ip adress.
Using an external laptop which works well on another network on this network gives the same symptoms.
I can see no configuration differences between clients and even reinstalled one of them from scratch without more success.

Did someone experienced this kind of problem? I'm running out of ideas!!!
Thanks in davance for your help

1 Accepted Solution

Accepted Solutions

David_Che
Level 1
Level 1

PPPoE will add 8 bytes and IPsec VPN will add as much as 80 bytes to the original packet. So the packet will be larger than MTU down the path between client and server. but those packets maybe set df-bit, so ICMP type 3 code 4 (packet need fragment but df-bit set)will send back to the originator, but sometimes it can not reach the originator due to FW block or ACL or packet drop. so the connection will be timeout.

Workaround: configure 'ip tcp adjust-mss 1360' on WAN router (here FW), make sure all the WEB access can work, then you can increase 1360 to bigger number until you reach a balance.

 

Some WEB server did not honor MSS advertised by client side during TCP 3-way handshaking, it will result in packet from server side will need to be fragmented down the path to client, if DF-bit set, it also cause session timeout.

View solution in original post

2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

The symptom of having difficulty in reaching some web sites (but success in accessing other web sites) can sometimes be caused by the need to fragment as the request (or the response) goes across the Internet. Can you check and see if the host that does work has its maximum segment size set differently that the other hosts?

 

HTH

 

Rick

HTH

Rick

David_Che
Level 1
Level 1

PPPoE will add 8 bytes and IPsec VPN will add as much as 80 bytes to the original packet. So the packet will be larger than MTU down the path between client and server. but those packets maybe set df-bit, so ICMP type 3 code 4 (packet need fragment but df-bit set)will send back to the originator, but sometimes it can not reach the originator due to FW block or ACL or packet drop. so the connection will be timeout.

Workaround: configure 'ip tcp adjust-mss 1360' on WAN router (here FW), make sure all the WEB access can work, then you can increase 1360 to bigger number until you reach a balance.

 

Some WEB server did not honor MSS advertised by client side during TCP 3-way handshaking, it will result in packet from server side will need to be fragmented down the path to client, if DF-bit set, it also cause session timeout.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Review Cisco Networking products for a $25 gift card