Strange Website issue behind PIX

Feb 3rd, 2009

Hi, when I try opening this website behind my PIX, it simply doesn't open :-s, whereas I can telnet to port 80 of this site very well.

Any idea why the PIX is doing this? I can make it work in my second office, with the same PIX hardware and OS.

Please suggest any idea.

John Blakley Tue, 02/03/2009 - 07:35
Do you mean you can take this same PIX to another office and it works? What's in front of the PIX?



ahmad82pkn Tue, 02/03/2009 - 07:53
No, I have the same setup in my second office, meaning the same model of PIX and the same IOS; when I try there, the website works fine.

In my problematic office I have a Global Crossing link on the router in front of the PIX.

And in my working office, I have a Level 3 link on the router in front of the firewall.

Mohamed Sobair Tue, 02/03/2009 - 14:34
You will need to check whether the first PIX applies URL filtering using regular expression inspection, or whether the URL is filtered by a third-party device like "Websense" configured on the PIX.



BrianMitchellTX Tue, 02/03/2009 - 20:43
Windows machines, right? You can try dropping your MTU to 1300 and try again.

There are some utilities out there that will do this for you, or you can install the Cisco VPN client; it also sets it (and comes with an MTU utility).

ahmad82pkn Wed, 02/04/2009 - 03:25
I don't think it's a system MTU issue, because I have a GRE tunnel over a point-to-point link between the two offices, and I can open the website on the same XP machine when I route via my GRE tunnel and use the second office's internet. But it doesn't work in the first office with its own WAN link.

Now here is the interesting thing: when I route this website via my second office, I pass through the same PIX :) and it works.

So now I think it's my router playing something.

Any idea why the router is behaving like this?

The attached diagram shows the green path is good.

The red path is bad, just for clarification of my setup.

BrianMitchellTX Wed, 02/04/2009 - 08:17
Since the Office 1 looks like a router, you can experiment with the MSS on there: on your inbound FA or outbound SER (for Office 1) try ip tcp adjust-mss 1200. This will allow you to test the MTU without having to mess with the Windows registry.

I know you said it doesn't look like an MTU problem, but you also said that you can telnet to port 80 of the web site without any issues at all. That right there clears any ACL, routing issues, or established connections. Honestly, it sounds like an MTU problem to me.

Is your connection from the PIX to Office 1 an IPsec tunnel?
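
The symptom reasoned through in the post above (a bare TCP connect to port 80 succeeds, yet the page never loads) is what a path-MTU black hole looks like. The following Python sketch is an added illustration, not code from any poster; the hop MTUs, the 8000-byte response and the function names are assumptions made up for the example.

```python
# Toy model: a TCP sender pushes DF-marked packets through a path whose
# smallest link MTU stays hidden when ICMP "fragmentation needed" is filtered.
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def send(packet_len, hop_mtus, icmp_filtered):
    """Return ('delivered', None), ('icmp', hop_mtu) or ('lost', None)."""
    for mtu in hop_mtus:
        if packet_len > mtu:  # DF set: the router must drop, not fragment
            return ("lost", None) if icmp_filtered else ("icmp", mtu)
    return ("delivered", None)

def fetch(hop_mtus, icmp_filtered, mss=1460, response_bytes=8000, max_retries=3):
    """Simulate the handshake, then a response sent in MSS-sized segments."""
    # SYN and SYN/ACK carry no payload, so they fit every link on the path.
    # This is why "telnet host 80" connects even when the page never loads.
    if send(IP_TCP_HEADERS, hop_mtus, icmp_filtered)[0] != "delivered":
        return {"handshake": False, "page_loaded": False, "mss": mss}
    sent, retries = 0, 0
    while sent < response_bytes:
        payload = min(mss, response_bytes - sent)
        status, hint = send(payload + IP_TCP_HEADERS, hop_mtus, icmp_filtered)
        if status == "delivered":
            sent, retries = sent + payload, 0
        elif status == "icmp":   # PMTUD works: shrink segments and resend
            mss = hint - IP_TCP_HEADERS
        else:                    # silent drop: the sender can only retransmit
            retries += 1
            if retries > max_retries:
                break
    return {"handshake": True, "page_loaded": sent >= response_bytes, "mss": mss}

def clamp(mss_from_syn, adjust_mss):
    """Effect of 'ip tcp adjust-mss N' on the MSS option of a passing SYN."""
    return min(mss_from_syn, adjust_mss)

# Constructed path: LAN, a 1400-byte link somewhere upstream, far-end LAN.
PATH = [1500, 1400, 1500]

if __name__ == "__main__":
    print("black hole:", fetch(PATH, icmp_filtered=True))
    print("PMTUD ok  :", fetch(PATH, icmp_filtered=False))
    print("clamped   :", fetch(PATH, icmp_filtered=True, mss=clamp(1460, 1200)))
```
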

ahmad82pkn Wed, 02/04/2009 - 08:24
I will test the TCP adjust setting after today's production is over.

I didn't get your last line; my PIX and router in office 1 are on the same LAN.

No IPsec anywhere, only one GRE on the routers between both offices.

One more interesting thing: this is the 4th time it's happening to me, and all 4 times it was some sort of government site of Canada :)

