10-29-2008 03:23 AM - edited 03-04-2019 12:06 AM
Hello,
I've had some vpn problems earlier. This is now fixed, but at the same time, some new problems erupted.
I have two asa boxes set up with site to site vpn.
All traffic destined for the other private subnet is encrypted and sent over the vpn.
But, all traffic destined for everywhere else, is to be picked up by default route and sent to the internet.
My problem is about half of all the web pages I enter, is not working. Though only from one of the sites.
This trouble actually started when I set the modem as a bridge and the asa box to use PPPoE instead of dhcp. It receives IP, netmask and gateway automatically.
Sh ip tells me this:
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.2.1 255.255.255.0 manual
Vlan2 outside 193.213.xx.xxx 255.255.255.255 manual
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.2.1 255.255.255.0 manual
Vlan2 outside 193.213.xx.xx 255.255.255.255 manual
A Sh route tells me this:
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C 192.168.2.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 85.165.128.0, outside
A monitoring of a connection to one of the unreachable websites returns this in the log:
6 Oct 27 2008 14:01:43 106015 192.168.2.50 77.88.64.222 Deny TCP (no connection) from 192.168.2.50/3102 to 77.88.64.222/80 flags ACK on interface inside
6 Oct 27 2008 14:01:43 302014 77.88.64.222 192.168.2.50 Teardown TCP connection 459 for outside:77.88.64.222/80 to inside:192.168.2.50/3102 duration 0:02:08 bytes 1642 TCP Reset-O
I've tried a factory defaults, setting up ONLY lan, wan and nat. And the same problem occurs. Tried also to increase mtu size to 1518 without really knowing what I'm doing.
A Packet tracer shows that a tcp packet to port 80 from my computer to ip address rejected above, is allowed. I've set up pppoe on my laptop, and switched the cable, that makes everything work normal.
And yes, I can ping hosts that don't answer me on tcp:80 or mail as well, tcp:110. So echo is 'allowed' through. Just not logical.
A Show nat:
NAT policies on Interface inside:
match ip inside 192.168.2.0 255.255.255.0 outside 192.168.1.0 255.255.255.0
NAT exempt
translate_hits = 44, untranslate_hits = 0
match ip inside 192.168.2.0 255.255.255.0 inside 192.168.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.2.0 255.255.255.0 _internal_loopback 192.168.1.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.2.0 255.255.255.0 outside any
dynamic translation to pool 1 (193.213.xx.xxx [Interface PAT])
translate_hits = 2241, untranslate_hits = 395
match ip inside 192.168.2.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 192.168.2.0 255.255.255.0 _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any outside any
dynamic translation to pool 1 (193.213.xx.xxx [Interface PAT])
translate_hits = 47, untranslate_hits = 87
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside any _internal_loopback any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
I've got NO idea what to look at next. Think I have tried everything but a software update.
Thanks for help,
\\mark
10-30-2008 08:48 PM
try changing your MSS value under your WAN interface via " ip tcp adjust-mss " try using 1452.
S Knockswell
CCIE:22131
10-31-2008 03:54 AM
There are two trains of thought on this problem, one is adjusting the MSS the other is to have path MTU discovery work as designed. Both methods are valid ones but carry some trade off decisions. Adjusting the TCP MSS ( maximum segment size ) is OK but that means burden on the router CPU to perform the task and having an IOS version that supports the feature. The other method I personally prefer is to adjust the MTU ( maximum transmission unit ) of the plain text or pre NAT interface of the PIX and allow "IP unreachables" from that interface ( I mention this because most folks use "no IP unreachables" which breaks path MTU discovery). If security is a concern then use an access-list that allows ICMP packet too big unreachables and blocks all other ICMP unreachable messages. The MTU on the pre nat interface can be set to 1400 bytes and that will ensure your internal systems lower their MTU appropriately and things will be good.
Why is this happening, some internet sites have bits and pieces of small data on their page and others have large chunks of data ( graphics usually ) so the web server responds with its largest allowable packet for efficiency. The problem is everything that exceeds ~1400 Bytes gets dropped at your site and the result is some sites are OK but others appear broken. You can confirm this by dropping the MTU on the workstation that is used for testing and try web browsing to all the sites again ( you will need to reboot the workstation for this to be effective).
Here are some links that give more detail
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
http://www.netcraftsmen.net/welcher/papers/pmtud.htm
Cheers,
Brian
10-31-2008 04:16 AM
An easy way to confirm that you have an MTU issue is to ping the websites which do not work with varying packet sizes, and see if it stops working from a certain packet size onwards.
The "ping" command with option "-s" allows you to set the packet size of the ICMP packet.
HTH, Thomas
10-31-2008 08:34 AM
The correct syntax is
ping x.x.x.x size yyy (in bytes)
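An added example, not code from any of the posters, that automates the size-stepping ping check suggested above and derives the TCP MSS from the path MTU that Brian and Knockswell discuss. The real probe assumes Linux `ping -M do -s`; the simulated black-holing path and the 1492-byte PPPoE figure are constructed for the offline run.

```python
"""Path-MTU probing by ping size (added example, not from the thread).

Ping the unreachable site with the Don't-Fragment bit set and growing
sizes, and find the largest size that still gets a reply.  The probe is
injectable so the search can run offline against a simulated path; on
Linux the real probe runs `ping -M do -c 1 -s <payload> host`.
"""
import subprocess
from typing import Callable

ICMP_IP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
TCP_IP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header
PPPOE_OVERHEAD = 8      # PPPoE (6) + PPP protocol id (2) inside a 1500-byte Ethernet frame


def ping_probe(host: str, payload: int, timeout: int = 2) -> bool:
    """Real probe (Linux iputils ping): True if a DF-marked echo of this payload is answered."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout), "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest IP packet size in [lo, hi] that the probe accepts.

    `probe` takes an ICMP payload size (what `ping -s` expects) and returns
    True on reply.  Returns 0 if even the minimum size `lo` is dropped.
    """
    if not probe(lo - ICMP_IP_OVERHEAD):
        return 0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - ICMP_IP_OVERHEAD):
            lo = mid          # this size still passes, look higher
        else:
            hi = mid - 1      # dropped, the path MTU is below this
    return lo


def tcp_mss_for(mtu: int) -> int:
    """TCP MSS that keeps a full segment inside the path MTU (the 'adjust-mss' value)."""
    return mtu - TCP_IP_OVERHEAD


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a black-holing link: DF packets above path_mtu vanish silently."""
    return lambda payload: payload + ICMP_IP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    mtu = find_path_mtu(simulated_path(1500 - PPPOE_OVERHEAD))
    print(f"path MTU {mtu}, recommended TCP MSS {tcp_mss_for(mtu)}")
```

Swap `simulated_path(...)` for `lambda p: ping_probe("host.example", p)` to probe a real site; a result below 1500 with no ICMP "fragmentation needed" arriving is the PMTUD black hole described in the thread.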
11-02-2008 05:32 AM
Hello chaps,
Sorry for not responding, work is crazy. Last week I sat all day and pondered with my isp.
Didn't get me anywhere, but I discovered the mtu settings were a mismatch. So I tried setting the modem up to 1500. This though, didn't work. So, I reduced the mtu size on both interfaces to 1492, (same size as the modem), and that gents, worked perfectly well.
Thanks for help,
\\mark