01-14-2021 03:38 AM
Hello,
We have two Cisco 800 routers connected via 4G between two sites. The issue is that we cannot access some TCP ports (such as HTTPS, SIP) from site1 to site2. Is there any configuration I should check to allow these ports?
Appreciate your support
Thanks
01-14-2021 03:45 AM
Hello,
Post the configs of both routers. Do you have any static NAT configured for any of these ports you cannot access?
01-14-2021 04:00 AM - edited 01-14-2021 04:01 AM
01-14-2021 05:02 AM
Hello,
You have a simple GRE tunnel configured. Try changing the MTU size on the tunnel interfaces on both routers:
Router_Site_1
interface Tunnel1
--> ip mtu 1400
Router_Site_2
interface Tunnel1
--> ip mtu 1400
01-14-2021 05:22 AM
Hello,
Thank you for your reply
Does the MTU make some TCP ports not allowed? I can reach the site with ping, traceroute, and Remote Desktop, but cannot reach it by HTTP or SIP.
Thanks
01-14-2021 06:26 AM
Hello,
A tunnel MTU is lower by default than the 1500 used on Ethernet. That could lead to websites not being reachable. I don't know about SIP... In what context are SIP packets not going through?
Either way, try the MTU change and check the results...
01-18-2021 12:51 AM - edited 01-18-2021 02:06 AM
Hello,
Here is the interface tunnel 1 configuration:
Tunnel1 is up, line protocol is up
Internet address is 172.20.218.202/30
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1476 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is disabled
BGP Policy Mapping is disabled
Input features: MCI Check
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
01-14-2021 04:00 AM
Hello
Possibly a filtering issue (access-list, fw, etc.). As suggested, it would be beneficial if you could elaborate on your configuration between those two sites.
01-14-2021 09:51 PM
Policy from SP, I think.
01-15-2021 02:42 PM
With ip tcp adjust-mss configured on both vlan 1 interfaces I would think that MTU has been addressed. It might be interesting to lower the value used for adjust-mss and see if it makes any difference.
The configuration of these routers is pretty simple and straightforward. There are a few things that seem a bit odd, such as an IP SLA configured but I do not see where it is used. But I do not see anything in these configs that would prevent certain ports (HTTP and SIP) from working. Both routers have a number of subnets connected through vlan 1. I wonder if the issue might be on whatever is the next hop from the routers that we see?
Would the http and/or sip need any resource that is not at site 1 or at site 2? I note that site 1 has a default static route that says for any unknown destination go through the tunnel to reach the unknown destination. Similarly site 2 has a static default route that says to reach any unknown destination go through the tunnel. So resources at site 1 and site 2 should be reachable. But any resource not at these 2 sites would be unreachable.
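The two suggestions made in this thread (a lower ip mtu on Tunnel1 and a lower ip tcp adjust-mss on vlan 1) fit together as shown below. This is an added example, not taken from the posters' routers: the MSS value 1360 is an assumption derived from the suggested 1400-byte tunnel MTU, and <peer-tunnel-ip> is a placeholder for the far end of the tunnel.

```ios
! Added example (not from the posted configs). Apply on both routers.
!
! "show ip interface Tunnel1" above reports "MTU is 1476 bytes":
! 1500 minus 24 bytes of GRE encapsulation (20 outer IPv4 + 4 GRE).
! If the 4G path carries less than 1500 bytes, full-size encapsulated
! packets exceed it, while small packets (default pings, traceroute)
! still fit. That matches "ping works, HTTPS does not".
!
interface Tunnel1
 ! Value suggested in the thread; leaves 100 bytes of headroom
 ! below 1500 for GRE plus any overhead added on the 4G path.
 ip mtu 1400
!
interface Vlan1
 ! Assumed value: 1400 (tunnel ip mtu) - 20 (IPv4) - 20 (TCP) = 1360.
 ! The router rewrites the MSS option in TCP SYNs crossing this
 ! interface, so hosts never build segments larger than the tunnel
 ! can carry unfragmented.
 ip tcp adjust-mss 1360
!
! Caveat: adjust-mss only touches TCP. SIP over UDP is not affected
! by it and depends on ip mtu and fragmentation behaviour instead.
!
! Checks from exec mode after the change:
!   show ip interface Tunnel1 | include MTU
!   ping <peer-tunnel-ip> size 1400 df-bit
! If the 1400-byte DF ping fails, lower ip mtu and adjust-mss together
! (keeping the 40-byte difference) and repeat.
```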