Cannot browse some websites

Answered Question
Feb 2nd, 2007

Dear,

I've recently installed a new 2821 router to replace an SMC ADSL modem. Since then, the LAN cannot browse some websites, e.g. http://www.isabel.be, http://www.msn.com, http://www.sapo.pt.

Other websites work fine. There are no restrictions yet on the router; the config is below. Any idea how to solve this issue? Thanks!!

---

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname roupt01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 debugging
logging console critical
enable password 7
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
no ip bootp server
ip name-server 195.x.129.126
ip name-server 194.x.69.222
ip ssh time-out 60
ip ssh authentication-retries 2
!
voice-card 0
 no dspfarm
!
username admin privilege 15 password 7
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key address 193.x.93.27
!
crypto ipsec transform-set sonicwall esp-aes esp-sha-hmac
!
crypto map sonicwallmap 10 ipsec-isakmp
 set peer 193.x.93.27
 set security-association lifetime seconds 28800
 set transform-set sonicwall
 match address 120
!
interface GigabitEthernet0/0
 description UPT_Lan
 no ip address
 no ip proxy-arp
 ip mtu 1452
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.10
 description Logistics
 encapsulation dot1Q 10
 ip address 172.x.x.200 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/0.11
 description Upstairs
 encapsulation dot1Q 11
 ip address 10.35.1.161 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface GigabitEthernet0/0.99
 description Linux_Server
 encapsulation dot1Q 99
 ip address 10.35.3.161 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface ATM0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username password 7
 crypto map sonicwallmap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.137.205.84 255.255.255.255 172.27.0.2
!
ip dns server
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 110 interface Dialer0 overload
!
no logging trap
access-list 110 deny ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
access-list 110 deny ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 110 permit ip 172.27.0.0 0.0.0.255 any
access-list 110 permit ip 10.35.0.0 0.0.3.255 any
access-list 120 permit ip 10.35.0.0 0.0.3.255 192.168.205.0 0.0.0.255
access-list 120 permit ip 172.27.0.0 0.0.0.255 192.168.205.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
 password 7
 login
 transport output telnet
line aux 0
 transport output none
line vty 0 4
 password 7
 login
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Correct Answer
mheusinger Fri, 02/02/2007 - 01:22

Hello,

you might run into MTU related issues. Some - and not all - servers will set the DF bit and thus the IP packet will not reach you, if the packet size is above the interface MTU.

Can you try "ip tcp mss-adjust 1400" on the dialer interface? Detailed description of the command and the feature can be found in "TCP MSS Adjustment"

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html

Basically the router intercepts the TCP session setup to enforce a maximum session size low enough to avoid packets larger than the interface MTU.

Hope this helps! Please rate all posts.

Regards, Martin

davidbuit Thu, 02/15/2007 - 17:01

Hi

Try using ip tcp adjust-mss 1360 on the LAN interfaces. There are a lot of MTU issues over DSL.
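
The MSS rewrite that both replies rely on, sketched in Python as an added example (not code from this thread and not Cisco's implementation): the router caps the MSS option in each TCP SYN it forwards and patches the TCP checksum to match. The function names and the sample SYN are constructed for illustration; 1452 is the `ip mtu` of Dialer0 in the posted config, so `max_mss(1452)` is 1412 and both suggested values (1400 and 1360) fit, while the 1460 that a host on 1500-byte Ethernet advertises does not. In IOS the interface command is spelled `ip tcp adjust-mss`, as in the second reply.

```python
import struct

def max_mss(ip_mtu):
    """Largest TCP payload in one unfragmented packet (20 B IPv4 + 20 B TCP)."""
    return ip_mtu - 40

def fold(total):
    """Fold carries back in: 16-bit one's-complement addition."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ones_sum(data):
    """One's-complement sum of an even-length byte string (TCP checksum sum)."""
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def clamp_syn_mss(seg, limit):
    """Cap the MSS option of a TCP SYN at `limit`; return (segment, old, new).
    Segments that are not a SYN with a well-formed MSS option come back as-is."""
    end = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0   # header length in bytes
    if not 20 <= end <= len(seg) or not seg[13] & 0x02:
        return seg, None, None
    i = 20
    while i < end and seg[i] != 0:                # kind 0 ends the option list
        if seg[i] == 1:                           # kind 1 is one-byte NOP padding
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                                 # malformed option: do not touch
        if seg[i] == 2 and seg[i + 1] == 4:       # kind 2, length 4 is the MSS
            old = struct.unpack_from("!H", seg, i + 2)[0]
            new = min(old, limit)
            if new == old:
                return seg, old, new
            out = bytearray(seg)
            struct.pack_into("!H", out, i + 2, new)
            # RFC 1624 incremental checksum over the aligned words that changed,
            # so the IP pseudo-header is not needed.
            a, b = (i + 2) & ~1, (i + 5) & ~1
            acc = (~struct.unpack_from("!H", seg, 16)[0] & 0xFFFF) \
                + (~ones_sum(seg[a:b]) & 0xFFFF) + ones_sum(bytes(out[a:b]))
            struct.pack_into("!H", out, 16, ~fold(acc) & 0xFFFF)
            return bytes(out), old, new
        i += seg[i + 1]
    return seg, None, None

def sample_syn(mss):
    """Constructed SYN, ports 40000 -> 80, one MSS option. Its checksum covers
    the segment only; a real one also covers the IP pseudo-header."""
    seg = struct.pack("!HHIIBBHHHBBH", 40000, 80, 1, 0, 0x60, 0x02, 65535, 0, 0, 2, 4, mss)
    return seg[:16] + struct.pack("!H", ~ones_sum(seg) & 0xFFFF) + seg[18:]
```

Calling `clamp_syn_mss(sample_syn(1460), 1400)` returns the rewritten segment with old and new MSS values of 1460 and 1400; a SYN that already advertises 1360 is returned unchanged.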
