HTTPS Traffic Flow across cisco routers being blocked/failed


We have a new monitor software that we are trying to deploy in our environment. It uses an agent that is installed on Windows. The agent is having trouble communicating across a T1 tunnel from one of our remote sites and out the firewall at our HQ. To better explain the flow I'll give you a flow diagram.


Remote Site (C1900) > T1 Tunnel > HQ (C1900) > HQ Switch (C3560) > HQ Router (C2600) > HQ Firewall (ASA5510) > Internet


The agent communicates via HTTPS. I've even noticed that some HTTPS websites won't load from this site, but some do. I have confirmed that HTTPS traffic is going to one of the IPs for the monitoring software and coming back in on the firewall via capture commands. My biggest issue is I don't know how to troubleshoot this on the C1900 or the C2600 because they don't have the capture or packet-tracer tools.

If someone could provide some assistance that would be awesome.

I don't know what all information you guys need so feel free to ask and I'll do the best to provide the info you need to assist.


2 Replies

Boris Uskov


Yes, it is really not very easy to find where the traffic is stuck. I can suggest two things for Cisco Routers. The first and easiest way is to use Access-lists and their counters. For example, you can create an access-list:

ip access-list extended acl-test-https

 permit tcp any eq 443 any log

 permit ip any any

ip access-list log-update threshold 1


And after that you can add this ACL to inside interfaces of all cisco Routers in output direction. You can use 

show ip access-list acl-test-https


show logging 

to find out if the return traffic appears on inside interfaces of Routers.



The second thing is to use packet capture for 1900 Routers. The Cisco ISR G2 routers mostly support packet capture (similar to Cisco ASA), but I'm not sure about an old 2600 Router. Here is a brief example of the configuration and usage of EMBEDDED PACKET CAPTURE for IOS Routers:



How about HTTP, does it work?


You might have a problem with your MTU size.

The simple way to check is to change the DF to 0 (create a route map that matches all traffic and then set ip df 0) and test.
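Added example, not part of the thread or written by either poster: a small Python helper for the ACL-counter approach from the first reply. It reads `show ip access-list acl-test-https` output collected from each router in return-path order and reports where the `eq 443` counter stops incrementing. The sample outputs, hop names, and function names are constructed for illustration, and it assumes the counters were at zero before the test.

```python
import re

# One ACL entry line. IOS omits "(N matches)" entirely for an entry that was never hit.
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def https_return_hits(show_output, acl_name="acl-test-https"):
    """Match count of the 'tcp any eq 443' entry, or None if the ACL/entry is absent."""
    in_acl = False
    for line in show_output.splitlines():
        if line.startswith("Extended IP access list"):
            in_acl = line.split()[-1] == acl_name
            continue
        m = ACE_RE.match(line)
        # Tolerate the port being printed by name instead of number.
        if in_acl and m and re.search(r"\btcp any eq (443|https)\b", m.group(3)):
            return int(m.group(4) or 0)
    return None

def first_silent_hop(hops):
    """hops: [(name, show_output)] in return-path order, firewall side first.
    Returns (last hop that saw return HTTPS, first hop that did not)."""
    last_seen = None
    for name, output in hops:
        hits = https_return_hits(output)
        if hits is None:
            raise ValueError(f"{name}: acl-test-https not found in output")
        if hits == 0:
            return last_seen, name
        last_seen = name
    return last_seen, None

# Constructed sample outputs (not captured from the poster's routers).
HQ_C2600 = """Extended IP access list acl-test-https
    10 permit tcp any eq 443 any log (25 matches)
    20 permit ip any any (1043 matches)
"""
HQ_C1900 = HQ_C2600.replace("25 matches", "1 match")
REMOTE_C1900 = """Extended IP access list acl-test-https
    10 permit tcp any eq 443 any log
    20 permit ip any any (310 matches)
"""
HOPS = [("HQ C2600", HQ_C2600), ("HQ C1900", HQ_C1900), ("Remote C1900", REMOTE_C1900)]

if __name__ == "__main__":
    seen, missing = first_silent_hop(HOPS)
    print(f"return HTTPS last seen at: {seen}; first hop with no matches: {missing}")
```

A nonzero counter only shows that some return packets reached that hop. If the fault is the MTU issue raised in the second reply, small packets can still be counted at every hop while full-size ones are dropped.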


