Trouble accessing some websites with Cisco router.

Hi guys, just like the title says, I'm having some trouble accessing certain websites: some never open, and some open after like 20 attempts, and very slowly...
I've searched throughout the internet and I see more people with the same problem, people like this guy here.
To try and troubleshoot this problem, I've done pretty much what this guy did; plus, I took inspection, access-lists and IPS from my VLAN and from the outside interface, but still no go.
Some say it's an MTU problem. I tried changing the MTU on my outside interface; I'm running a DSL PPPoE connection with an MTU of 1492 and my LAN connections are running with a 1500 MTU.
I really don't know what else I can do, since I've done everything I can remember...

Solutions?

Cheers

More info:
"Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(6)T6, RELEASE SOFTWARE (fc2)"

My VLAN:

Code:
interface Vlan23
description Data Network Vlan
ip address 192.168.69.253 255.255.254.0 secondary
ip address 192.168.69.254 255.255.254.0
ip access-group 105 in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
end

Outside interface:

Code:
interface Dialer0
mtu 1492
bandwidth 1024
ip ddns update hostname xxxxxxxxxxxx
ip ddns update no-ip
ip address negotiated
ip access-group 111 in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip nat outside
ip inspect INTERNET-IN in
ip inspect INTERNET-OUT out
ip ips IPS in
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxx
max-reserved-bandwidth 98
service-policy output QoS
end
 
Wow, that's a lot of stuff on your outside interface.

I'm still wet behind the ears with Cisco, but I use a Cisco 3725 as my edge router currently without any issues. My outside interface is pretty bare, simply:

Code:
interface FastEthernet0/0
 description OUTSIDE INTERFACE
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip inspect INSPECTION in
 ip inspect INSPECTION out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map MASTER_CRYPTO_MAP

No VLANs set up, though that's something I'll probably arrange tonight now that I've got a managed switch that supports VLAN tagging. The Crypto is for a tunnel I'll be getting set up for the PeerIX Project.

What do you have being checked by your CBAC (inspection)?
 
Ya, I've got a few more things there, but all works great with the exception of being unable to access some sites...
Like I said, I already disabled ACL, inspect, IPS and QoS on the outside and VLAN interfaces and still no go, but here's the inspection list:

Code:
ip inspect audit-trail
ip inspect max-incomplete low 20
ip inspect one-minute low 20
ip inspect udp idle-time 15
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 2
ip inspect tcp synwait-time 15
ip inspect name INTERNET-OUT tcp alert on audit-trail on
ip inspect name INTERNET-OUT udp alert on audit-trail on
ip inspect name INTERNET-OUT icmp alert on audit-trail on
ip inspect name INTERNET-OUT smtp alert on audit-trail on
ip inspect name INTERNET-IN tcp alert on audit-trail on
ip inspect name INTERNET-IN udp alert on audit-trail on
ip inspect name INTERNET-IN icmp alert on audit-trail on
ip inspect name INTERNET-IN imaps alert on audit-trail on
ip inspect name INTERNET-IN smtp alert on audit-trail on
ip inspect name INTERNET-IN pop3s alert on audit-trail on

Cheers
 
...Like I said, I already disabled ACL, inspect, IPS and QoS on the outside and VLAN interfaces and still no go, but here's the inspection list...

Doh, I missed that part since I kinda got distracted by the config code... I'm not sure what's causing your problem then, but I will definitely be watching for a response from one of our more experienced network gurus; I'm interested in what they have to say.
 
What websites in particular?

Generally, MTU size is not an issue as long as the server replies to ICMP requests (ok, could be wrong protocol here... early morning brain fart).

I.e., for sites like msn.com and microsoft.com, since they don't reply to ping requests, the MTU value must be set low enough, because the auto-negotiate "feature" doesn't work since they don't respond.

IIRC, 1492 is the default MTU for a PPPoE connection. Maybe try lowering it?

Although, if a site does come up, even though it takes numerous requests, I don't see that as being an MTU-related issue. If a site like microsoft.com or msn.com sticks at "Waiting for server..." then it could be an MTU-related issue, and you may try dropping it lower.
 
For example, I can't access my ISP's website (www.sapo.pt). Besides 1492 as MTU, I've also used 1484 and the results were the same. But I recall now that a few months ago I was trying to find the max MTU for my connection, and with a ping bigger than 1456 I just wouldn't get any reply. I'll try to lower my MTU to that, or lower... later tonight.

Cheers
 
Best way to find max MTU:

Code:
ping -f -l <byte size> msn.com

This means <byte size> is too large:

Code:
>ping -f -l 1490 msn.com

Pinging msn.com [207.68.172.246] with 1490 bytes of data:

Packet needs to be fragmented but DF set.

Ping statistics for 207.68.172.246:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

This is what you want to see:

Code:
>ping -f -l 1472 msn.com

Pinging msn.com [207.68.172.246] with 1472 bytes of data:

Request timed out.

Ping statistics for 207.68.172.246:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

BUT, MTU size should be irrelevant unless the ISP has an MTU setting screwed up somewhere on their end.

Back when I worked for a DSL ISP, they set up a new Redback. Then, users that started authenticating against that Redback weren't able to access msn.com, microsoft.com, local college Blackboards.

Had to lower these users' MTU setting.

Finally managed to get the f'in engineers to listen to me, and they found a faulty MTU setting between the 2 Redbacks (or something like that). Once that was fixed, MTU size was no longer an issue, and no longer needed to be lowered for the customers.
 
Well, I wasn't using the -f option on the ping command; still, it is possible to figure out whether the packet is passing or not. I tried a while ago an MTU of 1456, 1400 and 1000 and I still can't access the websites. Funny thing is, microsoft is also one of the "affected" websites. Later I'm going to try to see what else I can do, and test this MTU thing.

Cheers

Well, I kept searching the internet, and I found that besides mtu and ip mtu there was something else I could set up, and I did, and it's working. I applied the "ip tcp adjust-mss 1452" command to the Dialer 0 interface. All working now.
Thank you guys.
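The two technical pieces of this thread, the "ping -f -l <size> host" hunt for the largest packet that passes with DF set, and the "ip tcp adjust-mss" fix that finally worked, fit together as one calculation: the largest passing ping payload plus 28 bytes of IP/ICMP header is the path MTU, and that MTU minus 40 bytes of IP/TCP header is the MSS to clamp to (1492 and 1452 for the PPPoE link in the thread). The script below is an added example, not code posted by anyone in the thread; it automates the manual ping procedure as a binary search and handles the case the thread runs into, a host such as msn.com that never answers ping, where a timeout is ambiguous. The probe is injected so the search runs offline against a simulated path; windows_ping_probe() shows how to plug in the real Windows ping binary (its -f, -l and -n flags are real; the 192.0.2.1 address and all ping text in the simulator are constructed).

```python
"""Path-MTU probe and MSS derivation (added example, not from the thread)."""
import re
import subprocess

IP_HDR = 20    # IPv4 header, no options
ICMP_HDR = 8   # ICMP echo header: IP packet size = ping payload + 28
TCP_HDR = 20   # TCP header, no options: MSS = MTU - IP_HDR - TCP_HDR

# Diagnostic lines printed by Windows ping, as quoted in the thread.
_FRAG_NEEDED = re.compile(r"needs to be fragmented but DF set", re.I)
_REPLY = re.compile(r"^Reply from ", re.M)


def classify_ping_output(text):
    """Return 'too_big', 'ok' or 'no_answer' for one ping run's output.

    'no_answer' (Request timed out) is ambiguous: a host that ignores echo
    requests (msn.com in the thread) times out whether or not the packet fit;
    all it proves is that nothing on the path reported a fragmentation error.
    """
    if _FRAG_NEEDED.search(text):
        return "too_big"
    if _REPLY.search(text):
        return "ok"
    return "no_answer"


def find_max_payload(probe, lo=548, hi=1472, timeout_passes=False):
    """Largest DF ping payload the path carries, found by binary search.

    probe(size) returns the ping output for one DF echo of `size` bytes.
    lo=548 is the payload of a 576-byte IPv4 packet, hi=1472 of a 1500-byte
    one. timeout_passes=True counts a timeout as "got through", the lenient
    reading the thread applies to hosts that never reply. Returns None when
    even `lo` is too big.
    """
    def passes(size):
        verdict = classify_ping_output(probe(size))
        if verdict == "no_answer" and not timeout_passes:
            raise RuntimeError(f"no reply at {size} bytes: use a host that "
                               "answers ping, or set timeout_passes=True")
        return verdict != "too_big"

    if not passes(lo):
        return None
    while lo < hi:                 # invariant: lo passes, everything > hi fails
        mid = (lo + hi + 1) // 2
        if passes(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu_for_payload(payload):
    """IPv4 path MTU implied by the largest passing ping payload."""
    return payload + IP_HDR + ICMP_HDR


def mss_for_payload(payload):
    """TCP MSS to clamp to on the WAN interface (1452 for a 1492 path MTU)."""
    return path_mtu_for_payload(payload) - IP_HDR - TCP_HDR


def ios_adjust_mss_line(payload):
    """The interface command the thread ended up applying, with the derived value."""
    return f"ip tcp adjust-mss {mss_for_payload(payload)}"


def windows_ping_probe(host):
    """Probe using the real Windows ping: -f sets DF, -l is the payload size."""
    def probe(size):
        # -n 1 sends one echo. Linux equivalent: ping -M do -s SIZE -c 1 HOST
        return subprocess.run(["ping", "-f", "-l", str(size), "-n", "1", host],
                              capture_output=True, text=True).stdout
    return probe


def simulated_probe(path_mtu, replies=True):
    """Constructed stand-in for ping over a path with the given MTU (offline).

    Mimics the lines quoted in the thread: a fragmentation error when the DF
    packet exceeds path_mtu, otherwise a reply, or a timeout for a host that
    ignores ping. The 192.0.2.1 address is a documentation-range placeholder.
    """
    max_payload = path_mtu - IP_HDR - ICMP_HDR

    def probe(size):
        if size > max_payload:
            return "Packet needs to be fragmented but DF set.\n"
        if replies:
            return f"Reply from 192.0.2.1: bytes={size} time=20ms TTL=57\n"
        return "Request timed out.\n"
    return probe


if __name__ == "__main__":
    best = find_max_payload(simulated_probe(1492))   # PPPoE path as in the thread
    print(f"max DF payload {best}, path MTU {path_mtu_for_payload(best)}, "
          f"apply on the WAN interface: {ios_adjust_mss_line(best)}")
```

Against a replying host the search is unambiguous; against one that never answers, the strict mode refuses to guess, and the lenient mode reproduces the thread's reasoning (no fragmentation error means the packet cleared every hop that would have reported one). Clamping MSS on the Dialer interface sidesteps the whole question of whether ICMP "fragmentation needed" messages make it back to the remote server, which is why it fixed sites that lowering the interface MTU alone did not.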
 