Problems to reach some websites

Hi,
I'm asking for your help about a problem I have been struggling with for about a month.
Background information:
- 3 client computers (2 on Windows Seven, 1 on XP), 
- 1 Windows 2012 server (AD service active)
- ASA 5505 router for the WAN connection (Orange as provider)
- PPPoe Authentication used with DSL provider box set in modem mode

Problem:
All clients except ONE (on Windows Seven) have problems reaching some websites. Some work well, but for others, it keeps waiting for the connection until a timeout error message.
The clients affected are also unable to update the virus database.
Using an anonymizer service such as anype.com, I can finally reach the websites that timed out...

The affected clients use the same DHCP as the one that works.
Sending a ping from the affected clients to the unusable websites gives the good IP address.
Using an external laptop, which works well on another network, on this network gives the same symptoms.
I can see no configuration differences between clients and even reinstalled one of them from scratch without more success.

Did someone experience this kind of problem? I'm running out of ideas!!!
Thanks in advance for your help

Accepted Solution

David_Che
Level 1

PPPoE will add 8 bytes and IPsec VPN will add as much as 80 bytes to the original packet, so the packet will be larger than the MTU somewhere on the path between client and server. Those packets may have the DF bit set, so an ICMP type 3 code 4 (packet needs fragmentation but DF bit set) will be sent back to the originator, but sometimes it cannot reach the originator due to a firewall block, an ACL, or a packet drop, so the connection will time out.

Workaround: configure 'ip tcp adjust-mss 1360' on the WAN router (here the FW), make sure all web access works, then you can increase 1360 to a bigger number until you reach a balance.

Some web servers do not honor the MSS advertised by the client side during the TCP 3-way handshake; this results in packets from the server side needing to be fragmented on the path down to the client, and if the DF bit is set, it also causes session timeout.


2 Replies

Richard Burts
Hall of Fame

The symptom of having difficulty in reaching some web sites (but success in accessing other web sites) can sometimes be caused by the need to fragment as the request (or the response) goes across the Internet. Can you check and see if the host that does work has its maximum segment size set differently than the other hosts?

 

HTH

Rick
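Both replies above come down to the same mechanism: an encapsulation (PPPoE, IPsec) shrinks the usable MTU, the ICMP "fragmentation needed" message that Path MTU Discovery relies on gets dropped by a firewall or ACL somewhere, and the TCP session hangs. The `ip tcp adjust-mss` workaround sidesteps the problem by rewriting the MSS option in every SYN that crosses the router, so neither endpoint ever tries to send a segment that would need fragmenting. The script below is an added example written for this page (it is not code from the thread, from Cisco, or from any of the posters) and shows that rewrite in working code: it computes the MSS budget from the overhead figures the thread gives (8 bytes for PPPoE, up to 80 for IPsec), builds a constructed IPv4/TCP SYN carrying an MSS option, clamps it the way a router would, and recomputes the TCP checksum so the rewritten segment stays valid. The addresses, ports, and packet fields are constructed sample values; the checksum and option-walking helpers are my own implementation of the standard RFC 791/793 arithmetic.

```python
import struct

# Overhead figures as stated in the thread; the IPsec figure depends on the
# transform set, so 80 is treated here as an upper bound, not a fixed cost.
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8
IPSEC_OVERHEAD = 80
IP_HDR_LEN = 20
TCP_HDR_LEN = 20
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def max_mss(link_mtu, *overheads):
    """Largest TCP payload that fits in one packet once each encapsulation
    overhead is added on top of the 40 bytes of IP+TCP headers."""
    return link_mtu - sum(overheads) - IP_HDR_LEN - TCP_HDR_LEN


def ones_complement_checksum(data):
    """Internet checksum (RFC 1071) over data; returns 0 for a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, mss, flags=TCP_FLAG_SYN, df=True):
    """Constructed IPv4 packet with a TCP header and one MSS option (sample
    input for this example, not a real capture)."""
    src, dst = ip_bytes(src_ip), ip_bytes(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss)           # kind=2 (MSS), length=4, value
    data_offset = (TCP_HDR_LEN + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      data_offset << 4, flags, 65535, 0, 0) + options
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    frag_field = 0x4000 if df else 0                     # DF bit, as PMTUD-using hosts set it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(tcp),
                     0x1234, frag_field, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    return ip + tcp


def _tcp_bounds(packet):
    """Return (IP header length, TCP header length) or raise if not TCP."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    return ihl, (packet[ihl + 12] >> 4) * 4


def _find_mss_option(packet):
    """Walk the TCP options; return (mss value, offset of the value) or (None, None)."""
    ihl, tcp_len = _tcp_bounds(packet)
    i, end = ihl + TCP_HDR_LEN, ihl + tcp_len
    while i < end:
        kind = packet[i]
        if kind == 0:                                    # end of option list
            break
        if kind == 1:                                    # NOP, single byte
            i += 1
            continue
        length = packet[i + 1]
        if kind == 2 and length == 4:
            return struct.unpack("!H", packet[i + 2:i + 4])[0], i + 2
        i += length
    return None, None


def read_mss(packet):
    return _find_mss_option(packet)[0]


def clamp_mss(packet, clamp):
    """What `ip tcp adjust-mss <clamp>` does on the router: on a SYN whose MSS
    option exceeds clamp, lower it and repair the TCP checksum. Non-SYN segments
    and SYNs without an MSS option (or already at/below clamp) pass unchanged."""
    ihl, _ = _tcp_bounds(packet)
    if not packet[ihl + 13] & TCP_FLAG_SYN:
        return packet
    mss, offset = _find_mss_option(packet)
    if mss is None or mss <= clamp:
        return packet
    pkt = bytearray(packet)
    pkt[offset:offset + 2] = struct.pack("!H", clamp)
    pkt[ihl + 16:ihl + 18] = b"\x00\x00"                 # zero before recomputing
    pkt[ihl + 16:ihl + 18] = struct.pack(
        "!H", tcp_checksum(bytes(pkt[12:16]), bytes(pkt[16:20]), bytes(pkt[ihl:])))
    return bytes(pkt)


def tcp_checksum_valid(packet):
    ihl, _ = _tcp_bounds(packet)
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return ones_complement_checksum(pseudo + packet[ihl:]) == 0
```

Running `max_mss(ETHERNET_MTU, PPPOE_OVERHEAD)` gives 1452, the usual MSS behind plain PPPoE, and adding the 80-byte IPsec allowance brings it down to 1372, which is why the reply suggests starting at 1360 and raising it until something breaks. The clamp only touches SYN segments because MSS is negotiated once per connection; the checksum must be recomputed after the rewrite or the receiving host will silently discard the segment, which would turn a timeout problem into a different timeout problem.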

