Unable to access certain HTTPS sites from router

Unanswered Question
Oct 21st, 2008

We're using a 2811 router with a static DSL address provided by AT&T. At some point during the day, access to cisco.com PEC and most other (but not all) HTTPS sites was blocked. No changes were made to the router; we've checked ACLs (in fact, we are now allowing all traffic to and from 443). In doing a traceroute to wamu.com, for example, it reaches about 12 hops then fails. Any ideas?

tcordier Tue, 10/21/2008 - 13:29

I would not think that your ISP or your router is selectively blocking https traffic. However, if you have an issue on the network (overutilization or performance problems due to e.g. packet loss), it may appear as if only https is affected, due to the fact that https connections are more sensitive to increased delays, time-outs and packet drops than http traffic. Most https server admins set https timeouts to much shorter values than for http traffic, or firewalls more rigorously watch (and kill) https connections when no data are flowing. To the end user this may appear as an https problem since http still works, but the only thing that happens is that http is more resilient and continues after a network issue, while https does not. Could the https issue be linked to spikes of high utilization?

HTH, Thomas

Michel Marzol Tue, 10/21/2008 - 14:03

You bring up a good point. I will take a look at our network stats. We removed the router and tried a simple Netopia router in order to rule out the ISP. Sure enough, we were able to hit every HTTPS site without issue, which led me to believe that the culprit had to be the 2811. However, we do have a DMVPN tunnel to headquarters on this 2811 and, as you probably know, the processes in order to keep that tunnel up (eigrp, gre, esp, ...) are bandwidth intensive. I will check it out. If you, or anyone, have any more ideas, please let me know.

Michel Marzol Wed, 10/22/2008 - 04:38

I've monitored network traffic and bandwidth usage and found that usage of the link (1.5 Mbps) barely hits 15% at any one point. I am still unable to ping or access any HTTPS site (except for a few, Bank of America, for example) from the router, even during very slow periods of the day. Any ideas?

tcordier Thu, 10/23/2008 - 02:57

I could imagine that https servers would more often block pings, compared to standard websites (based on the idea that https normally is used for more security sensitive content). The only suggestion I would have is to use https connection attempts from your router, rather than pings. You can use

telnet x.x.x.x 443

or - to avoid reiterating the same command -

ip sla 1
 tcp-connect x.x.x.x 443 source-ip y.y.y.y
 timeout 500
 frequency 10
ip sla schedule 1 life forever start-time now

HTH, Thomas
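A host-side version of the two checks Thomas describes, written as an added example that is not part of the thread: stage one is the plain TCP connect that "telnet host 443" or an IP SLA tcp-connect probe performs, and stage two goes one step further and completes a TLS handshake, so a port that answers but never yields a usable session is reported separately from one that is unreachable. It assumes Python 3; the names are invented for this example and the local listener is a constructed fixture so the code can be exercised offline.

```python
"""Probe HTTPS reachability with a TCP connect plus TLS handshake, not ping.
Added example, not from the thread; the local listener is a constructed fixture."""
import socket
import ssl
import threading
from dataclasses import dataclass

@dataclass
class ProbeResult:
    host: str
    tcp_connected: bool  # three-way handshake finished within the timeout
    tls_completed: bool  # TLS handshake finished: session usable, not just port open
    detail: str

def probe_https(host: str, port: int = 443, timeout: float = 2.0) -> ProbeResult:
    """Stage 1 is what 'telnet host 443' or IP SLA tcp-connect checks; stage 2
    adds a TLS handshake so a port that answers but never completes a session
    is reported separately from one that is simply unreachable."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, unreachable or timed out
        return ProbeResult(host, False, False, f"tcp: {exc}")
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError is an OSError too
        sock.close()
        return ProbeResult(host, True, False, f"tls: {exc}")
    with tls:
        return ProbeResult(host, True, True, f"tls: {tls.version()}")

def start_plain_listener() -> tuple:
    """Constructed fixture: accepts TCP connections but speaks no TLS, so a
    probe against it shows 'TCP ok, TLS failed'. Returns (port, stop, thread)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()
    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()  # close without a TLS reply; the client's handshake fails
        srv.close()
    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return srv.getsockname()[1], stop, thread
```

Run the probe with a timeout in the same range as the IP SLA one (500 ms) against the sites that fail from the router; a result of TCP ok but TLS failed on a site that works from the Netopia is the case worth comparing.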
