Some websites noticed will not connect, progress only spins, what is my config missing?

Tony_MN
Level 1

I have noticed some websites will not load on my network. I have validated that I can if I get off my network and use a different wifi or go through my cellular hotspot.

Sites that won't load are https://forum.sierrawireless.com/ (cannot get into the forums on my network at all).

Xfinity's own site gives me trouble at times.

Wifi calling from home seems to not work right.

Another site that is for work does the same thing, says cannot connect.

But the vast majority of internet works GREAT!

Is it a port issue that I need to open? Looked at MTU, but opening ports and changing that didn't seem to do anything...

I'm sure this is a quick easy fix but not for me yet. Please help.

 

config:

TIxxx#show run
Building configuration...

 

Current configuration : 5074 bytes
!
! Last configuration change at 13:31:46 UTC Fri Oct 9 2020 by TIxxx
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Bxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$2NZ/$uWDxxxxxxh4zggVdaDk.
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.xx.xx2.1 172.xx.xx2.99
!
ip dhcp pool TIxxx
network 172.xx.xx2.0 xx5.xx5.xx4.0
dns-server 1.0.0.1 1.1.1.1
default-router 172.xx.xx2.1
!
!
!
ip domain name waxxx.xoy
ip name-server 1.0.0.1
ip name-server 8.8.8.8
ip cef
login block-for 300 attempts 3 within 300
login delay 10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-178xxx360
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-178xxx1360
revocation-check none
rsakeypair TP-self-signed-178xxx360
!
!
crypto pki certificate chain TP-self-signed-1787211360
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FTxxx4ALG0
license accept end user agreement
license boot module c2900 technology-package securityk9
!
!
username TIxxx privilege 15 secret 5 $1$kLH2$YJG/j8deUqEeF72uVBBaL0
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key Walxx3 address 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map IPSEC-SITE-TO-SITE-VPN 10
set transform-set MY-SET
match address VPN-TRAFFIC
!
!
crypto map MY-CRYPTO-MAP 10 ipsec-isakmp dynamic IPSEC-SITE-TO-SITE-VPN
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MY-CRYPTO-MAP
!
interface GigabitEthernet0/1
ip address 172.xx.xx2.1 xx5.xx5.xx4.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip default-gateway 63.xx.xx.224
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 172.xx.xx2.99 4xx3 63.xx.xx.224 4xx3 extendable
ip default-network 63.xx.34.0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 63.xx.34.1
ip route 172.xx.xx2.0 xx5.xx5.xx4.0 GigabitEthernet0/1
ip route 192.163.10.0 xx5.xx5.xx5.0 GigabitEthernet0/1 172.xx.xx2.99
ip ssh port xx rotary 1
ip ssh version 2
ip ssh client algorithm encryption aesxx6-cbc
!
ip access-list extended NO22
deny tcp any any eq 22
permit ip any any
ip access-list extended VPN-TRAFFIC
permit ip 172.xx.xx2.0 0.0.1.xx5 10.0.10.0 0.0.0.xx5
permit ip 192.163.10.0 0.0.0.xx5 10.0.10.0 0.0.0.xx5
permit ip 172.xx.xx2.0 0.0.1.xx5 192.163.3.0 0.0.0.xx5
permit ip 192.163.10.0 0.0.0.xx5 192.163.3.0 0.0.0.xx5
!
!
!
access-list 101 deny ip 192.163.10.0 0.0.0.xx5 10.0.10.0 0.0.0.xx5
access-list 101 deny ip 192.163.10.0 0.0.0.xx5 192.163.3.0 0.0.0.xx5
access-list 101 permit ip 192.163.10.0 0.0.0.xx5 any
access-list 101 deny ip 172.xx.xx2.0 0.0.1.xx5 10.0.10.0 0.0.0.xx5
access-list 101 deny ip 172.xx.xx2.0 0.0.1.xx5 192.163.3.0 0.0.0.xx5
access-list 101 permit ip 172.xx.xx2.0 0.0.1.xx5 any
!
control-plane
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class NO22 in
login local
rotary 1
transport input ssh
!
scheduler allocate 20000 1000
!
end

11 Replies

Hello,

Which MTU settings did you change? Try the below:

interface GigabitEthernet0/1
ip address 172.xx.xx2.1 xx5.xx5.xx4.0
--> ip mtu 1400
--> ip tcp adjust-mss 1360
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

Thank you for the reply, Georg.

I entered those commands. That didn't change the problem.

I also did a shut, no shut. No change.

Still hoping I'm missing something simple.

Tony

Hello,

Can you give an example of a 'problem' website?

Anything in the forum sub on Sierra... for example

https://forum.sierrawireless.com/c/airprime-embedded-wireless-modules/mc-em-series/34

That's the best example I use regularly; once I move away from my network it works just fine.

Also sierrawireless.com works fine, most of their site works except for the forum, also downloads work fine after login... I don't get it.

Is it a port problem?

Also, in looking into wifi calling, the little + sign never shows up on my network; once I join another wifi network that is gast, it does come up on my wifi image on phone....

One site for my work will not access from my network either, main page yes, but another section no.

I worked with a customer who had similar issues. A router with IPSEC deployed and some web sites would load correctly and some web sites would not. It turned out to be an issue with MTU and fragmentation. I agree with the suggestion from @Georg Pauwen and would focus especially on the ip tcp adjust-mss command. If you have tried 1360 and it does not improve then I would suggest using a smaller value (as a test perhaps a very much smaller value) and see if things improve.

HTH

Rick
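The overhead arithmetic behind the adjust-mss suggestion, for the transform set in the posted config (esp-aes esp-md5-hmac, tunnel mode). This is an added example, not code from any poster in the thread; it assumes IPv4 headers without options, AES-CBC with a 16-byte IV, a 96-bit truncated HMAC, and a 1500-byte path MTU.

```python
import math

OUTER_IP = 20    # outer IPv4 header added by tunnel mode, no options
ESP_HEADER = 8   # SPI (4) + sequence number (4)
AES_BLOCK = 16   # AES-CBC block size; the per-packet IV is one block
ESP_TRAILER = 2  # pad-length + next-header bytes, encrypted with the payload
ICV = 12         # HMAC-MD5-96 truncated integrity check value
NAT_T = 8        # extra UDP header when ESP is carried over UDP/4500
TCP_IP = 40      # inner IPv4 + TCP headers, no options


def _fixed_overhead(nat_t):
    """Bytes added to every packet regardless of payload length."""
    return OUTER_IP + ESP_HEADER + AES_BLOCK + ICV + (NAT_T if nat_t else 0)


def esp_packet_size(inner_len, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    ciphertext = math.ceil((inner_len + ESP_TRAILER) / AES_BLOCK) * AES_BLOCK
    return _fixed_overhead(nat_t) + ciphertext


def max_inner_packet(path_mtu=1500, nat_t=False):
    """Largest inner IP packet that fits in path_mtu without fragmentation."""
    ciphertext = (path_mtu - _fixed_overhead(nat_t)) // AES_BLOCK * AES_BLOCK
    return ciphertext - ESP_TRAILER


def max_mss(path_mtu=1500, nat_t=False):
    """Largest TCP MSS whose full-size segments survive encapsulation."""
    return max_inner_packet(path_mtu, nat_t) - TCP_IP


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: max inner packet {max_inner_packet(1500, nat_t)}, "
              f"max MSS {max_mss(1500, nat_t)}")
    # The values suggested in the thread, checked against a 1500-byte path.
    print("ip mtu 1400 ->", esp_packet_size(1400), "bytes on the wire")
    print("adjust-mss 1360 ->", esp_packet_size(1360 + TCP_IP), "bytes on the wire")
```
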

Hello,

One thing you could try is to assign another DNS server to your DHCP pool:

ip dhcp pool TIxxx
network 172.xx.xx2.0 xx5.xx5.xx4.0
--> dns-server 8.8.8.8 8.8.4.4
default-router 172.xx.xx2.1

Also, try and change the MTU on one of your workstations and check if that makes a difference (run 'cmd' as administrator and enter the commands below):

netsh interface ipv4 show subinterface

Press Enter.

You will see a list of network interfaces.

Type:

netsh interface ipv4 set subinterface "Local Area Connection" mtu=1400 store=persistent

No dice.

I changed the values here:

interface GigabitEthernet0/1
ip address 172.xx.xx2.1 xx5.xx5.xx4.0
ip mtu 1400
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
duplex auto
speed auto

No change.

I also changed DNS: dns-server 8.8.8.8 8.8.4.4

No change, still spins. I even tried my office PC a city away, running a Cisco router I have there, and it works to access that forum page fine. I can't see the problem.

Georg,

I tried the MTU change on my PC, still just spinning on the forum page same as before... I also just spin in Microsoft Edge, I'm using Chrome.

 

Hello,

Odd. Did you try clearing the browser cache in Chrome?

Yes, sir.

What's the best way to see, say, errors for communication between that site and my router or PC? I bet I have tried, but show errors for IP... I'm actually going to go back to that now....

I found it. I had to do a

no ip default-network 63.xx.34.0

Removing that let it all work.

Thank you guys for your help today. This has been an issue for a month or two but wasn't important enough till I started working from home.

Tony

Odd, as that command, in theory, should not have any effect at all, since you have ip routing configured. But either way, good to know that it is resolved.
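A config check for the situation this thread ended on, as an added example (not code from any poster in the thread): it scans a running-config for the three IOS default-route mechanisms and reports where more than one is defined, as in the posted config. The function names and finding texts are hypothetical; the sample lines are copied from the posted config with its masking intact.

```python
import re

# Excerpt of the running-config posted in the thread (addresses masked as posted).
POSTED = """\
ip default-gateway 63.xx.xx.224
ip default-network 63.xx.34.0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 63.xx.34.1
ip route 172.xx.xx2.0 xx5.xx5.xx4.0 GigabitEthernet0/1
"""

MECHANISMS = {
    "default-gateway": re.compile(r"^ip default-gateway\s+\S+"),
    "default-network": re.compile(r"^ip default-network\s+\S+"),
    "static-default": re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0\s+\S+"),
}


def default_route_sources(config):
    """Map each default-route mechanism to the config lines that define it."""
    found = {}
    for raw in config.splitlines():
        line = raw.strip()
        for name, pattern in MECHANISMS.items():
            if pattern.match(line):
                found.setdefault(name, []).append(line)
    return found


def audit_default_routes(config):
    """Return review findings for overlapping default-route configuration."""
    lines = [l.strip() for l in config.splitlines()]
    routing_enabled = "no ip routing" not in lines  # IOS routes IP by default
    found = default_route_sources(config)
    findings = []
    if routing_enabled and "default-gateway" in found:
        findings.append("unused: " + found["default-gateway"][0]
                        + " (only consulted when IP routing is disabled)")
    if "default-network" in found and "static-default" in found:
        findings.append("overlap: " + found["default-network"][0]
                        + " alongside a static 0.0.0.0/0 route")
    if len(found.get("static-default", [])) > 1:
        findings.append("multiple static default routes: review next hops")
    return findings


if __name__ == "__main__":
    for finding in audit_default_routes(POSTED):
        print(finding)
```
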
