TCP Retransmissions and Resets over Wireless and NAT
12-13-2017 10:38 AM - edited 03-08-2019 01:06 PM
I am having an issue with TCP resets occurring at a company site that recently had new equipment deployed. It seems TLS enabled apps on Android devices are being odd. They appear to timeout and not load content but a Windows 10 PC accesses the actual websites without issue. I did some digging and pulled a packet capture which shows transmissions and at the end TCP resets... I attached the packet capture for review in hopes someone may have seen this before... Updated config of the router is shown below:
Current configuration : 4137 bytes
!
! Last configuration change at 09:35:10 PDT Wed Dec 13 2017 by admin
! NVRAM config last updated at 13:54:15 PDT Tue Dec 12 2017 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
!
hostname RTR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 409600
enable password 7 secret
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
clock timezone PDT -8 0
clock summer-time PDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
no ip domain lookup
ip domain name comp.corp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
username admin secret 5 secret
!
redundancy
!
!
ip tftp source-interface FastEthernet0/0
ip ssh version 2
!
crypto keyring VPN-KEYRING
pre-shared-key address 0.0.0.0 0.0.0.0 key PSKSTRING
!
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp profile VPN-CPROFILE
keyring VPN-KEYRING
match identity address 0.0.0.0
!
!
crypto ipsec transform-set VPN-TSET esp-aes esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE
set transform-set VPN-TSET
set pfs group2
set isakmp-profile VPN-CPROFILE
!
!
!
!
!
!
!
interface Loopback0
description *OSPF Loopback
ip address 10.2.254.1 255.255.255.255
!
interface Tunnel0
description To DTA
ip address 172.20.0.5 255.255.255.252
load-interval 30
keepalive 10 3
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel destination DSTIPADDR
tunnel protection ipsec profile VPN-PROFILE
!
interface Tunnel1
description To EPA
ip address 172.20.0.2 255.255.255.252
load-interval 30
shutdown
keepalive 10 3
tunnel source Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-PROFILE
!
interface FastEthernet0/0
description *To MLS Fa0/48
ip address 10.2.0.1 255.255.255.252
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
!
interface FastEthernet0/1
mtu 1492
bandwidth 500
bandwidth receive 3000
no ip address
ip tcp adjust-mss 1452
load-interval 30
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Dialer0
description Dialer to CenturyLink
mtu 1492
bandwidth 500
bandwidth receive 3000
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
ppp chap hostname PPPUSER
ppp chap password 7 PPPPASSWORD
ppp pap sent-username PPPUSER password 7 PPPPASSWORD
no cdp enable
!
router ospf 1
router-id 10.2.254.1
passive-interface FastEthernet0/1
passive-interface Dialer0
passive-interface Loopback0
network 10.2.0.1 0.0.0.0 area 0
network 10.2.254.1 0.0.0.0 area 0
network 172.20.0.1 0.0.0.0 area 0
network 172.20.0.5 0.0.0.0 area 0
default-information originate
distribute-list prefix DENY-DEFAULT in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.10.25 8000 interface Dialer0 8000
ip nat inside source static tcp 10.2.10.25 8554 interface Dialer0 8554
ip nat inside source static tcp 10.2.10.25 8994 interface Dialer0 8994
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip prefix-list DENY-DEFAULT seq 5 deny 0.0.0.0/0
ip prefix-list DENY-DEFAULT seq 10 permit 0.0.0.0/0 le 32
logging esm config
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 100 permit ip host 10.2.10.122 any
access-list 100 permit ip any host 10.2.10.122
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 0
line aux 0
line vty 0 4
exec-timeout 5 0
transport input ssh
line vty 5 15
exec-timeout 5 0
transport input ssh
!
scheduler allocate 20000 1000
ntp source FastEthernet0/0
ntp server 97.127.84.241
end
There was a previous issue due to using "ip mtu 1492" vs "mtu 1492" on the dialer interface. This was corrected and all TLS enabled sites on the desktop began working properly.
Another detail regarding the environment, for the sake of troubleshooting context: all devices are connected to a Cisco WAP1142, which then connects to a CAT3560.
|WAP|----|CAT3560|-----|C2811|----|Zyxel Modem(Bridge)|----|CenturyLink|
  ||
  ||---------|
|Android| |Win10|
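As an added example (not part of the original post or its attachment), the following Python script shows the kind of check a reviewer would run over a capture like the one described: it tallies retransmissions and resets per TCP flow and notes whether the retransmitted segments were full-size relative to the MSS clamped in the posted config (1452). The segment summaries and addresses are constructed inline to mimic a TLS handshake that stalls after the server's first large segments.

```python
# Added example (not from the original post): flag retransmissions and resets
# per TCP flow in a capture summary, and note whether retransmitted segments
# were full-size. Rows are constructed to mimic a TLS handshake that stalls
# after the server's large segments; MSS 1452 matches the posted config.
from collections import defaultdict

MSS = 1452  # value clamped by "ip tcp adjust-mss 1452" in the posted config

# Constructed sample: (time, src, dst, seq, payload_len, flags)
SEGMENTS = [
    (0.000, "10.2.10.50:40000", "203.0.113.10:443", 0, 0, "S"),
    (0.020, "203.0.113.10:443", "10.2.10.50:40000", 0, 0, "SA"),
    (0.021, "10.2.10.50:40000", "203.0.113.10:443", 1, 0, "A"),
    (0.022, "10.2.10.50:40000", "203.0.113.10:443", 1, 517, "PA"),   # ClientHello
    (0.045, "203.0.113.10:443", "10.2.10.50:40000", 1, 1452, "A"),   # ServerHello...
    (0.046, "203.0.113.10:443", "10.2.10.50:40000", 1453, 1452, "A"),
    (0.300, "203.0.113.10:443", "10.2.10.50:40000", 1, 1452, "A"),   # retransmit
    (0.900, "203.0.113.10:443", "10.2.10.50:40000", 1, 1452, "A"),   # retransmit
    (2.100, "10.2.10.50:40000", "203.0.113.10:443", 518, 0, "R"),     # client gives up
]

def analyze(segments, mss=MSS):
    """Return per-flow stats: retransmission count, full-size retransmits, reset seen."""
    seen = defaultdict(set)  # (src, dst) -> sequence numbers already carrying payload
    stats = defaultdict(lambda: {"retrans": 0, "full_size_retrans": 0, "reset": False})
    for _t, src, dst, seq, length, flags in segments:
        key = tuple(sorted((src, dst)))  # flow key independent of direction
        if "R" in flags:
            stats[key]["reset"] = True
        if length == 0:
            continue  # pure ACK/SYN/RST carries no data to retransmit
        if seq in seen[(src, dst)]:
            stats[key]["retrans"] += 1
            if length >= mss:
                stats[key]["full_size_retrans"] += 1
        else:
            seen[(src, dst)].add(seq)
    return dict(stats)

def suspicious_flows(stats):
    """Flows that ended in a reset where every retransmission was a full-size segment."""
    return [k for k, s in stats.items()
            if s["reset"] and s["retrans"] and s["full_size_retrans"] == s["retrans"]]

if __name__ == "__main__":
    result = analyze(SEGMENTS)
    for flow, s in result.items():
        print(flow, s)
    print("flows to inspect for path MTU problems:", suspicious_flows(result))
```

Only full-size segments being retransmitted while smaller ones get through is the pattern to look for when MTU/MSS is suspected; it narrows the capture to the flows worth inspecting but does not by itself prove the cause.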