Only one application does not work over Frame-Relay

Dec 8th, 2008

Hello,

I have a Cisco 1841 with Frame-Relay 128K. The site is connected to head office via VPN connection. All connections work fine via VPN but only one http connection! I can ping the address, but telnet on port 80 does not go through.

I disabled CEF on the router and changed the ip tcp adjust-mss to 1300. Telnet worked once, then stopped working.

Every time I change the MSS or ip mtu, the connection works once, then it stops working.

Any idea what the problem can be and how to fix it?

Thanks for your help,

Mehdi

Mehdi Talei Mon, 12/08/2008 - 08:11

An update...

I removed the ACL and ip inspect from both the local and WAN interfaces, and the Telnet went through. When I put the ip inspect back, I see the half-open session for this http connection, but it never turns into an Established Session!!!

Any idea??!!

Richard Burts Mon, 12/08/2008 - 08:27

Mehdi

It seems pretty clear, from the fact that it works when you remove the ACL and IP inspect, that there must be something in the ACL or IP inspect that is interfering. Can you post the details of the ACL and of the IP inspect?

HTH

Rick

Mehdi Talei Mon, 12/08/2008 - 08:45

Rick,

It should not be an ACL-related issue because it works once in a while. My feeling is that it is an MTU and MSS size issue, as this is a 128K Frame-Relay connection. I am copying the config anyway to see if it helps...

ip inspect name inside-lan icmp
ip inspect name inside-lan tcp
ip inspect name inside-lan udp
ip inspect name inside-lan http
ip inspect name inside-lan https
ip inspect name inside-lan ftp
ip inspect name inside-lan dns
interface Vlan1
 ip address 10.135.92.1 255.255.255.128
 ip access-group inside-lan in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect inside-lan in
 ip tcp adjust-mss 1300
 hold-queue 100 out
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 ip address AAA.BBB.CCC.DDD 255.255.255.252
 ip access-group extern in
 no ip unreachables
 ip mtu 1490
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 50 IETF
 crypto map VPNTunnelName
!
ip access-list extended inside-lan
 permit ip host 10.135.92.17 host 10.16.8.16
 deny ip any any log
!
ip access-list extended extern
 permit esp host WWW.XXX.YYY.ZZZ any
 permit udp host WWW.XXX.YYY.ZZZ any eq isakmp
 permit udp any any eq bootpc bootps

And here is the result of Show ip inspect session:

MyRouter#sh ip ins sess
Established Sessions
Half-open Sessions
 Session 63ECD0CC (10.135.92.17:2952)=>(10.16.8.16:80) http SIS_OPENING
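
Added example, not part of the original thread: a Python parser for the inspect session output shown above that reports flows which show up as half-open but never appear under Established Sessions across several captures. The function names, the second snapshot and the SIS_OPEN state used for its established entry are assumptions made for illustration.

```python
import re
from collections import Counter

# Line format as it appears in the post's "sh ip ins sess" output.
SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)$"
)

def parse_sessions(output):
    """Return one dict per Session line, tagged with the section it was under."""
    sessions, section = [], None
    for line in output.splitlines():
        text = line.strip()
        if text.lower() in ("established sessions", "half-open sessions"):
            section = text.split()[0].lower()  # "established" or "half-open"
            continue
        m = SESSION_RE.match(text)
        if m:
            sessions.append({**m.groupdict(), "section": section})
    return sessions

def never_established(snapshots):
    """Map (src, dst, dport) -> half-open sightings, for flows never seen established."""
    half, established = Counter(), set()
    for snap in snapshots:
        for s in parse_sessions(snap):
            key = (s["src"], s["dst"], int(s["dport"]))
            if s["section"] == "established":
                established.add(key)
            elif s["section"] == "half-open":
                half[key] += 1
    return {k: n for k, n in half.items() if k not in established}

# First snapshot is the output quoted in the post.
SNAP1 = """MyRouter#sh ip ins sess
Established Sessions
Half-open Sessions
 Session 63ECD0CC (10.135.92.17:2952)=>(10.16.8.16:80) http SIS_OPENING
"""
# Second snapshot is constructed: a retry from a new source port, plus an HTTPS flow that opened.
SNAP2 = """Established Sessions
 Session 63ECD1A0 (10.135.92.17:2960)=>(10.16.8.16:443) https SIS_OPEN
Half-open Sessions
 Session 63ECD2F4 (10.135.92.17:2961)=>(10.16.8.16:80) http SIS_OPENING
"""
if __name__ == "__main__":
    print(never_established([SNAP1, SNAP2]))
```

Keying on source, destination and destination port rather than the source port lets repeated connection attempts count against the same flow.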

Mehdi Talei Tue, 12/09/2008 - 06:38

I fixed the issue.

The problem was process switching, which was not enabled on my WAN interface.

I enabled it and the application started working without any problem.

Thanks for your posts.

Mehdi
