Hi there,

This sounds very much like a fragmentation issue. What is the output of:

sh ip traffic

..what ip tcp mss-adjust settings did you try?

cheers,

Seb.

Following are the settings i tried for MSS

LAN

IP TCP adjuste-mss 1452

WAN

IP TCP adjust-mss 1460 

( <500-1460> Maximum segment size in bytes is allowed in ISR4331)

Following is the output of Sh IP traffic

Router#sh ip traffic
IP statistics:
Rcvd: 3955287667 total, 20739775 local destination
15 format errors, 0 checksum errors, 135 bad hop count
199 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 199 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 199 alert, 0 cipso, 0 ump
0 other, 0 ignored
Frags: 285285 reassembled, 1241 timeouts, 4 couldn't reassemble
1640 fragmented, 3802 fragments, 11 couldn't fragment
0 invalid hole
Bcast: 11151913 received, 4 sent
Mcast: 11353358 received, 0 sent
Sent: 3909016 generated, 3885589055 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 21905 no adjacency
36881 no route, 0 unicast RPF, 0 forced drop, 0 unsupported-addr
0 options denied, 1 source IP address zero

ICMP statistics:
Rcvd: 27691 format errors, 1638 checksum errors, 31 redirects, 78932 unreachab le
55486 echo, 165301 echo reply, 0 mask requests, 0 mask replies, 1 quench
1 parameter, 1 timestamp, 0 timestamp replies, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
6624 time exceeded, 0 info replies
Sent: 32 redirects, 211394 unreachable, 165711 echo, 55486 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 1 timestamp replies
0 info reply, 135 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements

UDP statistics:
Rcvd: 17404017 total, 15364 checksum errors, 17363534 no port 0 finput
Sent: 25839 total, 0 forwarded broadcasts

TCP statistics:
Rcvd: 3055800 total, 1154 checksum errors, 52752 no port
Sent: 3508783 total

EIGRP-IPv4 statistics:
Rcvd: 0 total
Sent: 0 total

OSPF statistics:
Last clearing of OSPF traffic counters never
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks

BGP statistics:
Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh, 0 unrecognized
Sent: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh

PIMv2 statistics: Sent/Received
Total: 0/0, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 0/0
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0

IGMP statistics: Sent/Received
Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
DVMRP: 0/0, PIM: 0/0
Queue drops: 0

ARP statistics:
Rcvd: 12636959 requests, 27078 replies, 40 reverse, 0 other
Sent: 51205 requests, 1633467 replies (62382 proxy), 0 reverse
Drop due to input queue full: 0
Router#

What is the transport used to access the internet? DSL, PPPOE?

If so, the MTU should be set to 1492 bytes, less the 40 bytes for the IP and TCP headers you should set the MSS value to 1452 bytes.

I would set this on all interfaces.

cheers,

Seb.

i have DSL Connection with Modem configured in bridge mode

I have configured following on LAN and WAN port but no luck

Router# Int Gi 0/0/0

Router# ip tcp adjust-mss 1452

Router# Int Gi 0/0/1

Router# ip tcp adjust-mss 1452

Still getting following message while opening URL https://www.obconline.co.in/corporate/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&__FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=022&AuthenticationFG.USER_TYPE=2

This site can’t be reached

www.obconline.co.in took too long to respond.

Try using ping with the DF flag set to determine the maximum MTU permitted. The command on linux is:

ping -M do -s <MTU_size_in_bytes> 8.8.8.8

Start with an MTU size of 1460 and keep lowering it until you find a value which gives you a ping reply. Once you have found a MTU value, subtract 40 and use that as your MSS value on the ISR.

i do not have any linux machine to test this command.

I tried this command on Windows machines as well as on Cisco router but not working on both devices.

Please advise alternative command to run on Windows machine or on Cisco router

ping -f -l <MTU_size_in_bytes> 8.8.8.8

Still no luck

Following are the steps 

STEPS DONE ON WINDOWS MACHINE TO FIND CORRECT MSS VALUE
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Manish Sharma>ping -f -l 1460 8.8.8.8

Pinging 8.8.8.8 with 1460 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1460 8.8.8.8

Pinging 8.8.8.8 with 1460 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1460 8.8.8.8

Pinging 8.8.8.8 with 1460 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=12ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1460) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1490 8.8.8.8

Pinging 8.8.8.8 with 1490 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 8.8.8.8:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
Control-C
^C
C:\Users\Manish Sharma>ping -f -l 1459 8.8.8.8

Pinging 8.8.8.8 with 1459 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1459) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1459) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1459) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1459) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1461 8.8.8.8

Pinging 8.8.8.8 with 1461 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1461) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1461) time=15ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1461) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1461) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 15ms, Average = 12ms

C:\Users\Manish Sharma>ping -f -l 1462
IP address must be specified.

C:\Users\Manish Sharma>ping -f -l 1462 8.8.8.9

Pinging 8.8.8.9 with 1462 bytes of data:
Control-C
^C
C:\Users\Manish Sharma>ping -f -l 1462 8.8.8.8

Pinging 8.8.8.8 with 1462 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1462) time=12ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1462) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1462) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1462) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1463 8.8.8.8

Pinging 8.8.8.8 with 1463 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1463) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1463) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1463) time=16ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1463) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 16ms, Average = 12ms

C:\Users\Manish Sharma>ping -f -l 1480 8.8.8.8

Pinging 8.8.8.8 with 1480 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Manish Sharma>ping -f -l 1470 8.8.8.8

Pinging 8.8.8.8 with 1470 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1470) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1470) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1470) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1470) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 11ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1475 8.8.8.8

Pinging 8.8.8.8 with 1475 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Manish Sharma>ping -f -l 1472 8.8.8.8

Pinging 8.8.8.8 with 1472 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=12ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms

C:\Users\Manish Sharma>ping -f -l 1473 8.8.8.8

Pinging 8.8.8.8 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\Manish Sharma>ping -f -l 1472 8.8.8.8

Pinging 8.8.8.8 with 1472 bytes of data:
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=11ms TTL=55
Reply from 8.8.8.8: bytes=68 (sent 1472) time=12ms TTL=55

Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms

C:\Users\Manish Sharma>

Configuration done on Router

Router(config)#interface gigabitEthernet 0/0/1 (WAN Interface)
Router(config-if)#ip tcp adjust-mss 1420
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/0/0 (Local LAN Interface)
Router(config-if)#ip tcp adjust-mss 1420
Router(config-if)#exit

Router#sh ip traffic
IP statistics:
Rcvd: 4011379783 total, 21346600 local destination
15 format errors, 0 checksum errors, 138 bad hop count
208 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 209 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
2 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 207 alert, 0 cipso, 0 ump
0 other, 0 ignored
Frags: 285327 reassembled, 1241 timeouts, 4 couldn't reassemble
1650 fragmented, 3822 fragments, 13 couldn't fragment
0 invalid hole
Bcast: 11413022 received, 4 sent
Mcast: 11581052 received, 0 sent
Sent: 4180860 generated, 3940779097 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 45029 no adjacency
36881 no route, 0 unicast RPF, 0 forced drop, 0 unsupported-addr
0 options denied, 4 source IP address zero

ICMP statistics:
Rcvd: 27691 format errors, 1714 checksum errors, 36 redirects, 79330 unreachable
57279 echo, 173681 echo reply, 0 mask requests, 0 mask replies, 1 quench
1 parameter, 3 timestamp, 0 timestamp replies, 0 info request, 0 other
0 irdp solicitations, 0 irdp advertisements
6836 time exceeded, 0 info replies
Sent: 32 redirects, 238654 unreachable, 174099 echo, 57279 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp, 3 timestamp replies
0 info reply, 138 time exceeded, 0 parameter problem
0 irdp solicitations, 0 irdp advertisements

UDP statistics:
Rcvd: 17828585 total, 15576 checksum errors, 17781539 no port 0 finput
Sent: 32199 total, 0 forwarded broadcasts

TCP statistics:
Rcvd: 3228952 total, 1253 checksum errors, 55782 no port
Sent: 3738688 total

EIGRP-IPv4 statistics:
Rcvd: 0 total
Sent: 0 total

OSPF statistics:
Last clearing of OSPF traffic counters never
Rcvd: 0 total, 0 checksum errors
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks
Sent: 0 total
0 hello, 0 database desc, 0 link state req
0 link state updates, 0 link state acks

BGP statistics:
Rcvd: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh, 0 unrecognized
Sent: 0 total, 0 opens, 0 notifications, 0 updates
0 keepalives, 0 route-refresh

PIMv2 statistics: Sent/Received
Total: 0/0, 0 checksum errors, 0 format errors
Registers: 0/0 (0 non-rp, 0 non-sm-group), Register Stops: 0/0, Hellos: 0/0
Join/Prunes: 0/0, Asserts: 0/0, grafts: 0/0
Bootstraps: 0/0, Candidate_RP_Advertisements: 0/0
Queue drops: 0
State-Refresh: 0/0

IGMP statistics: Sent/Received
Total: 0/0, Format errors: 0/0, Checksum errors: 0/0
Host Queries: 0/0, Host Reports: 0/0, Host Leaves: 0/0
DVMRP: 0/0, PIM: 0/0
Queue drops: 0

ARP statistics:
Rcvd: 13362410 requests, 27119 replies, 600 reverse, 0 other
Sent: 72525 requests, 1672468 replies (63135 proxy), 0 reverse
Drop due to input queue full: 0

Hello,

not sure if it helps much, but try and enable 'ip virtual-reassembly in' on bothe the NAT inside and outside interfaces:

interface GigabitEthernet0/0/0
ip flow monitor NFAmonitor input
ip address 10.0.0.1 255.255.255.0
ip nat inside

--> ip virtual-reassembly in
negotiation auto
!
interface GigabitEthernet0/0/1
ip flow monitor NFAmonitor input
ip address XX.XX.XX.XX 255.255.255.0
ip nat outside

--> ip virtual-reassembly in
negotiation auto
crypto map IPSEC-SITE-TO-SITE-VPN

still no luck

not able to access only this website. However, same is working after bypassing Cisco Router and connecting directly to DSL modem

https://www.obconline.co.in/corporate/AuthenticationController?FORMSGROUP_ID__=AuthenticationFG&__START_TRAN_FLAG__=Y&__FG_BUTTONS__=LOAD&ACTION.LOAD=Y&AuthenticationFG.LOGIN_FLAG=1&BANK_ID=022&AuthenticationFG.USER_TYPE=2

Thanks & Regards

Manish Sharma