
891 IS Router - Hardly any HTTP traffic accessible, NAT?

benhutchings
Level 1

Hi, I have an 891 router set up to support 4 VLANs with 4 DHCP pools. I'm having great difficulty getting full internet access on the 3 VLANs that users will be connected to.

I have attached the full config.

Currently, anyone connected to VLAN 2 to 4 can ping external IPs, resolve names using DIG/NSLOOKUP. But when they try to browse to a website, it times out. After days and days of testing and rewriting configs and even resorting to using the CCP program, it seems that often, sites that are served over HTTPS are accessible. Very very few sites are viewable over HTTP.

Thoughts:

- Is the FW policy inspecting HTTP traffic incorrectly?

- Is the NAT setup correct? I have tried various methods all with the same result.

- Can I debug something that might help? If so can you tell me what to debug.

Any thoughts, or possible solutions will be welcomed, even if it's a bit crazy. I've utterly exhausted my knowledge of Cisco now and need help.

Thanks a lot,

Ben

1 Accepted Solution

Reza Sharifi
Hall of Fame

Hi Ben,

Under dialer0 interface can you add

ip tcp adjust-mss 1412

and test again?

5 Replies

Mate! That seems to have worked perfectly!!

Can you please quickly explain what that does and is it ok to use it in there with the MTU setting?

Thanks so much,

Ben

Ben,

Take a look at the usage guideline with explanation in this link:

When a host (usually a PC) initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ft_admss.html

HTH

Reza
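
An added illustration, not part of the original thread and not Cisco's implementation: `ip tcp adjust-mss 1412` makes the router lower the MSS option in TCP SYN segments that pass through it, and the Python sketch below performs the same rewrite on a constructed SYN, including the checksum fix-up. The names `find_mss`, `clamp_mss` and `SAMPLE_SYN` are assumptions made for this example.

```python
import struct

SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

def _fold(total):
    """Fold the carries of a ones' complement sum back into 16 bits."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def find_mss(segment):
    """Return (option_offset, mss) from a TCP header's options, or None."""
    end = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    i = 20
    while i + 1 < end <= len(segment) and segment[i] != OPT_EOL:
        if segment[i] == OPT_NOP:          # one-byte padding option
            i += 1
            continue
        length = segment[i + 1]
        if length < 2 or i + length > end:
            return None                    # malformed option list
        if segment[i] == OPT_MSS and length == 4:
            return i, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None

def clamp_mss(segment, max_mss):
    """Lower the MSS option of a SYN or SYN-ACK to max_mss; other segments pass unchanged."""
    is_syn = len(segment) >= 20 and segment[13] & SYN
    found = find_mss(segment) if is_syn else None
    if found is None or found[1] <= max_mss:
        return segment
    off = found[0] + 2                     # offset of the 16-bit MSS value
    lo, hi = off & ~1, (off + 3) & ~1      # 16-bit aligned span that covers it
    seg = bytearray(segment)
    old = bytes(seg[lo:hi])
    struct.pack_into("!H", seg, off, max_mss)
    # Incremental checksum update (RFC 1624): HC' = ~(~HC + ~m + m')
    total = ~struct.unpack_from("!H", seg, 16)[0] & 0xFFFF
    for k in range(0, hi - lo, 2):
        old_word, new_word = old[k:k + 2], seg[lo + k:lo + k + 2]
        total += (~int.from_bytes(old_word, "big") & 0xFFFF) + int.from_bytes(new_word, "big")
    struct.pack_into("!H", seg, 16, ~_fold(total) & 0xFFFF)
    return bytes(seg)

# Constructed sample: SYN from port 49152 to port 80 advertising MSS 1460 (checksum field left at 0)
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 0x60, SYN, 65535, 0, 0) \
    + bytes([OPT_MSS, 4]) + struct.pack("!H", 1460)

if __name__ == "__main__":
    print(find_mss(SAMPLE_SYN), "->", find_mss(clamp_mss(SAMPLE_SYN, 1412)))
```

Both end hosts then see 1412 as the peer's MSS and size their segments to it, whatever MSS their own interface MTU would otherwise have produced.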

Reza,

It means configured MTU in the infrastructure is ignored while negotiating MSS between two hosts?

Ok thanks, perfect!
