TCP Retransmissions and Resets over Wireless and NAT

MaetrixCIO
Level 1

I am having an issue with TCP resets occurring at a company site that recently had new equipment deployed. It seems TLS enabled apps on Android devices are being odd. They appear to time out and not load content, but a Windows 10 PC accesses the actual websites without issue. I did some digging and pulled a packet capture which shows transmissions and, at the end, TCP resets. I attached the packet capture for review in hopes someone may have seen this before. Updated config of the router is shown below:
Current configuration : 4137 bytes
!
! Last configuration change at 09:35:10 PDT Wed Dec 13 2017 by admin
! NVRAM config last updated at 13:54:15 PDT Tue Dec 12 2017 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 409600
enable password 7 secret
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone PDT -8 0
clock summer-time PDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
ip domain name comp.corp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username admin secret 5 secret
!
redundancy
!
!
ip tftp source-interface FastEthernet0/0
ip ssh version 2
!
crypto keyring VPN-KEYRING
  pre-shared-key address 0.0.0.0 0.0.0.0 key PSKSTRING
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
crypto isakmp profile VPN-CPROFILE
   keyring VPN-KEYRING
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set VPN-TSET esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE
 set transform-set VPN-TSET
 set pfs group2
 set isakmp-profile VPN-CPROFILE
!
!
!
!
!
!
!
interface Loopback0
 description *OSPF Loopback
 ip address 10.2.254.1 255.255.255.255
!
interface Tunnel0
 description To DTA
 ip address 172.20.0.5 255.255.255.252
 load-interval 30
 keepalive 10 3
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination DSTIPADDR
 tunnel protection ipsec profile VPN-PROFILE
!
interface Tunnel1
 description To EPA
 ip address 172.20.0.2 255.255.255.252
 load-interval 30
 shutdown
 keepalive 10 3
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
!
interface FastEthernet0/0
 description *To MLS Fa0/48
 ip address 10.2.0.1 255.255.255.252
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface FastEthernet0/1
 mtu 1492
 bandwidth 500
 bandwidth receive 3000
 no ip address
 ip tcp adjust-mss 1452
 load-interval 30
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Dialer0
 description Dialer to CenturyLink
 mtu 1492
 bandwidth 500
 bandwidth receive 3000
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 ppp chap hostname PPPUSER
 ppp chap password 7 PPPPASSWORD
 ppp pap sent-username PPPUSER password 7 PPPPASSWORD
 no cdp enable
!
router ospf 1
 router-id 10.2.254.1
 passive-interface FastEthernet0/1
 passive-interface Dialer0
 passive-interface Loopback0
 network 10.2.0.1 0.0.0.0 area 0
 network 10.2.254.1 0.0.0.0 area 0
 network 172.20.0.1 0.0.0.0 area 0
 network 172.20.0.5 0.0.0.0 area 0
 default-information originate
 distribute-list prefix DENY-DEFAULT in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.10.25 8000 interface Dialer0 8000
ip nat inside source static tcp 10.2.10.25 8554 interface Dialer0 8554
ip nat inside source static tcp 10.2.10.25 8994 interface Dialer0 8994
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip prefix-list DENY-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list DENY-DEFAULT seq 10 permit 0.0.0.0/0 le 32
logging esm config
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 100 permit ip host 10.2.10.122 any
access-list 100 permit ip any host 10.2.10.122
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 5 0
line aux 0
line vty 0 4
 exec-timeout 5 0
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
ntp server 97.127.84.241
end
There was a previous issue due to using "ip mtu 1492" vs "mtu 1492" on the dialer interface. This was corrected and all TLS enabled sites on the desktop began working properly.
Another detail regarding the environment for the sake of troubleshooting context: all devices are connected to a Cisco WAP1142 which then connects to a CAT3560.
|WAP|----|CAT3560|-----|C2811|----|Zyxel Modem(Bridge)|----|CenturyLink|
  ||
  ||---------|
|Android|   |Win10|
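The post describes two things a reviewer of the attached capture would want to check: whether the "transmissions" at the end of the capture are retransmissions followed by a reset (and which side sent the RST), and whether the SYN MSS values are consistent with the PPPoE path (1492-byte MTU, so 1452-byte MSS, the value the router clamps to with "ip tcp adjust-mss 1452"). The script below is an added example, not code from the poster or from Cisco; it runs on a constructed list of packet summaries in the field order a tshark export would give (time, addresses, ports, flags, sequence number, payload length, MSS option on SYNs), since the real capture is not on the page. The flow addresses and sequence numbers are made up for illustration.

```python
"""Flag TCP retransmissions, resets and MSS values above the PPPoE limit.

Added example, not from the original post. Input is a constructed list of
packet summaries; substitute rows parsed from a tshark/Wireshark export.
"""
from collections import defaultdict

# PPPoE leaves 1492 bytes for IP; minus 20 IP + 20 TCP header = 1452 bytes of
# MSS, which is what "ip tcp adjust-mss 1452" on Dialer0 clamps SYNs to.
PPPOE_MTU = 1492
MAX_MSS = PPPOE_MTU - 40  # 1452

# Constructed sample flow (hypothetical addresses): a TLS client on the LAN
# sends a ClientHello, the server's first full-size segment is never ACKed
# and is retransmitted twice, and the client finally resets the connection.
SAMPLE = [
    # (time, src, sport, dst, dport, flags, seq, payload_len, mss_option)
    (0.000, "10.2.10.50", 40001, "93.184.216.34", 443, "S", 1000, 0, 1460),
    (0.030, "93.184.216.34", 443, "10.2.10.50", 40001, "SA", 5000, 0, 1452),
    (0.031, "10.2.10.50", 40001, "93.184.216.34", 443, "A", 1001, 0, None),
    (0.032, "10.2.10.50", 40001, "93.184.216.34", 443, "PA", 1001, 517, None),   # ClientHello
    (0.080, "93.184.216.34", 443, "10.2.10.50", 40001, "PA", 5001, 1452, None),  # ServerHello
    (1.080, "93.184.216.34", 443, "10.2.10.50", 40001, "PA", 5001, 1452, None),  # retransmit
    (3.080, "93.184.216.34", 443, "10.2.10.50", 40001, "PA", 5001, 1452, None),  # retransmit
    (9.000, "10.2.10.50", 40001, "93.184.216.34", 443, "R", 1518, 0, None),      # client gives up
]


def flow_key(src, sport, dst, dport):
    """Direction-independent identifier so both halves of a flow land together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def analyze(records, max_mss=MAX_MSS):
    """Return per-flow counts of retransmitted data segments, RSTs, and SYN MSS checks.

    A retransmission is counted when a data-carrying segment repeats a sequence
    number already seen in the same direction. mss_over_limit lists SYNs whose
    MSS exceeds max_mss: expected on an inside (LAN) capture, since the router
    rewrites it on the way out, but a problem if seen on the WAN side.
    """
    flows = defaultdict(lambda: {"retransmissions": 0, "resets": 0,
                                 "reset_by": None, "mss_over_limit": []})
    seen = defaultdict(set)  # (flow, sender) -> sequence numbers that carried data
    for _t, src, sport, dst, dport, flags, seq, plen, mss in records:
        key = flow_key(src, sport, dst, dport)
        f = flows[key]
        if "S" in flags and mss is not None and mss > max_mss:
            f["mss_over_limit"].append((src, mss))
        if "R" in flags:
            f["resets"] += 1
            f["reset_by"] = src  # which side gave up is the first diagnostic question
        if plen > 0:
            sender = (key, src, sport)
            if seq in seen[sender]:
                f["retransmissions"] += 1
            else:
                seen[sender].add(seq)
    return dict(flows)


def report(flows):
    """Human-readable one-liner per flow, worst flows first."""
    lines = []
    for key, f in sorted(flows.items(), key=lambda kv: -kv[1]["retransmissions"]):
        (a_ip, a_port), (b_ip, b_port) = key
        lines.append(f"{a_ip}:{a_port} <-> {b_ip}:{b_port}: "
                     f"{f['retransmissions']} retransmissions, {f['resets']} RST "
                     f"(sent by {f['reset_by']}), MSS over {MAX_MSS}: {f['mss_over_limit']}")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE)):
        print(line)
```

In the constructed sample the repeated 1452-byte server segment that never gets acknowledged, followed by a client RST, is the signature of a path that cannot carry full-size segments; on a real capture, compare what the LAN-side and WAN-side SYNs advertise to confirm the clamp is actually being applied on Dialer0.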
