HTTPS Traffic Flow across cisco routers being blocked/failed

zposton59
Level 1

We have a new monitor software that we are trying to deploy in our environment. It uses an agent that is installed on windows. The agent is having trouble communicating across a T1 tunnel from one of our remote sites and out the firewall at our HQ. To better explain the flow I'll give you a flow diagram.

Remote Site (C1900) > T1 Tunnel > HQ (C1900) > HQ Switch (C3560) > HQ Router (C2600) > HQ Firewall (ASA5510) > Internet

The agent communicates via HTTPS. I've even noticed that some HTTPS websites won't load from this site, but some do. I have confirmed that HTTPS traffic is going to one of the IPs for the monitoring software and coming back in on the firewall via capture commands. My biggest issue is I don't know how to troubleshoot this on the C1900 or the C2600 because they don't have the capture or packet-tracer tools.

If someone could provide some assistance that would be awesome.

I don't know what all information you guys need so feel free to ask and I'll do the best to provide the info you need to assist.


Thanks,
Zach

2 Replies

Boris Uskov
Level 4

Hello,

Yes, it is really not very easy to find where the traffic is stuck. I can suggest two things for Cisco routers. The first and easiest way is to use access-lists and their counters. For example, you can create an access-list

! match the return traffic from HTTPS servers (source port 443) and log each hit
ip access-list extended acl-test-https
 permit tcp any eq 443 any log
 permit ip any any
! threshold 1 = generate a log update for every matching packet
ip access-list log-update threshold 1


And after that you can add this ACL to the inside interfaces of all Cisco routers in the output direction. You can use

show ip access-list acl-test-https

and

show logging

to find out if the return traffic appears on the inside interfaces of the routers.

The second thing is to use packet capture on the 1900 routers. The Cisco ISR G2 routers mostly support packet capture (similar to the Cisco ASA), but I'm not sure about an old 2600 router. Here is a brief example of the configuration and usage of EMBEDDED PACKET CAPTURE for IOS routers:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/1089-cisco-router-embedded-packet-capture-configuration-usage-troubleshooting-exporting.html
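The ACL-counter method above only localises the problem once the `show ip access-list acl-test-https` output from every hop is compared before and after a test request. As an added example that is not part of this thread, the script below parses constructed snapshots of that output for each router on the return path and reports the first router whose port-443 return-traffic counter stops incrementing; the hostnames and counter values are assumed.

```python
import re

# One ACE line of "show ip access-list" output, e.g.
#   "    10 permit tcp any eq 443 any log (120 matches)"
# IOS prints "(1 match)" for a single hit and no parenthesis at all for zero hits.
ACE_RE = re.compile(r"^\s*(\d+)\s+(?:permit|deny)\b")
COUNT_RE = re.compile(r"\((\d+) match(?:es)?\)\s*$")

# Inside interface of each hop (ACL applied outbound), in the order the
# replies from the Internet traverse them on their way back to the remote site.
RETURN_PATH = ["hq-c2600", "hq-c1900", "remote-c1900"]

def snapshot(https_hits, all_hits):
    """Build one constructed 'show ip access-list acl-test-https' output."""
    return ("Extended IP access list acl-test-https\n"
            f"    10 permit tcp any eq 443 any log ({https_hits} matches)\n"
            f"    20 permit ip any any ({all_hits} matches)")

# (before, after) snapshots around one test HTTPS request; hostnames and
# counter values are assumed, not taken from the thread.
SNAPSHOTS = {
    "hq-c2600": (snapshot(120, 90877), snapshot(132, 91001)),
    "hq-c1900": (snapshot(118, 60410), snapshot(130, 60534)),
    "remote-c1900": (snapshot(97, 20115), snapshot(97, 20190)),
}

def parse_matches(show_output):
    """Return {sequence_number: match_count} for every ACE in the output."""
    counts = {}
    for line in show_output.splitlines():
        ace = ACE_RE.match(line)
        if ace:
            hit = COUNT_RE.search(line)
            counts[int(ace.group(1))] = int(hit.group(1)) if hit else 0
    return counts

def first_silent_hop(hops, snapshots, seq=10):
    """Walk the hops in return-path order and return the first one whose ACE
    `seq` counter did not increase; None means every hop saw the traffic."""
    for hop in hops:
        before, after = snapshots[hop]
        if parse_matches(after).get(seq, 0) <= parse_matches(before).get(seq, 0):
            return hop
    return None

if __name__ == "__main__":
    print("first hop without new HTTPS replies:", first_silent_hop(RETURN_PATH, SNAPSHOTS))
```

A hop reported here means the replies were last counted on the router before it, so the segment between the two (in the sample, the T1 tunnel) is where to look next.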

ahmede_2
Level 1

How about HTTP, does it work?

You might have a problem with your MTU size.

The simple way to check is to change the DF to 0 (create a route map that matches all traffic and then set ip df 0) and test.
