12-08-2008 07:41 AM - edited 03-04-2019 12:37 AM
Hello,
I have a Cisco 1841 with Frame-Relay 128K. The site is connected to head office via VPN connection. All connections work fine via VPN except for one http connection! I can ping the address, but telnet on port 80 does not go through.
I disabled CEF on the router and changed the ip tcp adjust-mss to 1300. Telnet worked once, then stopped working.
Every time I change the MSS or ip mtu, the connection works once and then stops working.
Any idea what the problem can be and how to fix it?
Thanks for your help,
Mehdi
12-08-2008 08:11 AM
An update...
I removed the ACL and ip inspect from both local and WAN interfaces, and the Telnet went through. When I put the ip inspect back, I see the Half-open session for this http connection, but it never turns into an Established Session!!!
Any idea??!!
12-08-2008 08:27 AM
Mehdi
It seems pretty clear from the fact that it works when you remove the ACL and IP inspect, that there must be something in the ACL or IP inspect that is interfering. Can you post the details of the ACL and of the IP inspect?
HTH
Rick
12-08-2008 08:45 AM
Rick,
It should not be an ACL-related issue because it works once in a while. My feeling is that it is an MTU and MSS size issue, as this is a 128K Frame-Relay connection. I copy the config anyway to see if it helps...
ip inspect name inside-lan icmp
ip inspect name inside-lan tcp
ip inspect name inside-lan udp
ip inspect name inside-lan http
ip inspect name inside-lan https
ip inspect name inside-lan ftp
ip inspect name inside-lan dns
interface Vlan1
 ip address 10.135.92.1 255.255.255.128
 ip access-group inside-lan in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect inside-lan in
 ip tcp adjust-mss 1300
 hold-queue 100 out
!
interface Serial0/1/0
 no ip address
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 ip address AAA.BBB.CCC.DDD 255.255.255.252
 ip access-group extern in
 no ip unreachables
 ip mtu 1490
 no ip mroute-cache
 no cdp enable
 frame-relay interface-dlci 50 IETF
 crypto map VPNTunnelName
!
ip access-list extended inside-lan
 permit ip host 10.135.92.17 host 10.16.8.16
 deny ip any any log
!
ip access-list extended extern
 permit esp host WWW.XXX.YYY.ZZZ any
 permit udp host WWW.XXX.YYY.ZZZ any eq isakmp
 permit udp any any eq bootpc bootps
And here is the result of Show ip inspect session:
MyRouter#sh ip ins sess
Established Sessions
Half-open Sessions
Session 63ECD0CC (10.135.92.17:2952)=>(10.16.8.16:80) http SIS_OPENING
12-09-2008 06:38 AM
I fixed the issue.
The problem was the process switching, which was not enabled on my WAN interface.
I enabled it and the application started working without any problem.
Thanks for your posts.
Mehdi
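Added example, not part of the thread or any poster's code: a Python sketch that parses "show ip inspect sessions" output in the format posted above and lists destinations that appear only under Half-open Sessions, which is the symptom described in this thread. The established-session line in the sample is constructed for contrast, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the half-open line is the one posted in the thread;
# the established line is made up so the two sections can be compared.
SAMPLE = """\
MyRouter#sh ip ins sess
Established Sessions
 Session 63ECD1F0 (10.135.92.17:2950)=>(10.16.8.20:443) https SIS_OPEN
Half-open Sessions
 Session 63ECD0CC (10.135.92.17:2952)=>(10.16.8.16:80) http SIS_OPENING
"""

SESSION_RE = re.compile(
    r"Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src>[\d.]+):(?P<sport>\d+)\)=>\((?P<dst>[\d.]+):(?P<dport>\d+)\)\s+"
    r"(?P<proto>\S+)\s+(?P<state>SIS_\w+)"
)

def parse_sessions(text):
    """Return one dict per session line, tagged with the section it was under."""
    section, sessions = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Established Sessions"):
            section = "established"
        elif line.startswith("Half-open Sessions"):
            section = "half-open"
        else:
            m = SESSION_RE.search(line)
            if m and section:
                s = m.groupdict()
                s["section"] = section
                s["sport"], s["dport"] = int(s["sport"]), int(s["dport"])
                sessions.append(s)
    return sessions

def stuck_destinations(sessions):
    """Destinations with half-open sessions and no established session."""
    by_dst = defaultdict(lambda: {"established": 0, "half-open": 0})
    for s in sessions:
        by_dst[(s["dst"], s["dport"])][s["section"]] += 1
    return sorted(d for d, c in by_dst.items()
                  if c["half-open"] and not c["established"])

if __name__ == "__main__":
    for dst, port in stuck_destinations(parse_sessions(SAMPLE)):
        print(f"handshake never completes through inspection: {dst}:{port}")
```
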