
Strange Website issue behind PIX

ahmad82pkn
Level 2

Hi, when I try opening this website behind my PIX, it simply doesn't open :-s, whereas I can telnet to port 80 of this site very well.

Any idea why the PIX is doing this? I can make it work in my second office, with the same PIX hardware and OS.

http://www.cra-arc.gc.ca/menu-e.html

Please suggest any idea.

9 Replies

John Blakley
VIP Alumni

Do you mean you can take this same PIX to another office and it works? What's in front of the PIX?

HTH,

John


No, I have the same setup in my second office, meaning the same model of PIX and the same IOS; when I try there, the website works fine.

In my problematic office I have a Global Crossing link on the router in front of the PIX.

And in my working office, I have a Level 3 link on the router in front of the firewall.

Mohamed Sobair
Level 7

Hi,

You will need to check if the first PIX doesn't apply (URL filtering) using regular expression inspection, or if the URL is filtered by a third-party device like "Websense" configured on the PIX.

HTH

Mohamed

Do you mean that you have 2 separate offices (different networks)? Have you checked if you are having DNS issues in the 1st office? I would change the local DNS on a workstation in the 1st office to an external DNS (ISP or 4.2.2.2) and see if you are able to browse to that website.

Not a DNS issue; name resolution is fine.

Brian M
Level 1

Windows Machines right? You can try dropping your MTU to 1300 and try again.

There are some utilities out there that will do this for you, or you can install the Cisco VPN client; it also sets it (and comes with an MTU utility).

I don't think it's a system MTU issue, because I have a GRE tunnel over a point-to-point link between the two offices, and I can open the website on the same XP machine when I route via my GRE tunnel and use the second office's internet. But it doesn't work in the first office with its own WAN link.

Now here is the interesting thing: when I route this website via my second office, I pass through the same PIX :) and it works.

So now I think it's my router playing something.

Any idea why the router is behaving like this?

The attached diagram shows the green path is good.

The red path is bad, just for clarification of my setup.

Since Office 1 looks like a router, you can experiment with the MSS on there: on your inbound FA or outbound SER (for Office 1) try ip tcp-adjust mss 1200. This will allow you to test the MTU without having to mess with the Windows registry.

I know you said it doesn't look like an MTU problem, but you also said that you can telnet to port 80 of the web site without any issues at all. That right there clears any ACL, routing issues, or established connections. Honestly, it sounds like an MTU problem to me.

Is your connection from the PIX to Office 1 an IPsec tunnel?
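
The reasoning in the reply above (a bare connect to port 80 succeeds, yet the page never loads) can be modelled offline. This is an added example, not part of any poster's message: the path MTUs are constructed, the function names are hypothetical, and it assumes IPv4/TCP headers without options and that both ends settle on the smaller advertised MSS.

```python
# Added illustration (not from the thread): PMTUD black hole vs. an MSS clamp.
IP_HDR = 20    # IPv4 header, no options
TCP_HDR = 20   # TCP header, no options

# Constructed sample path: link MTUs in bytes, hop by hop. The 1400-byte hop
# is a hypothetical stand-in for whichever link on a failing path is smaller.
SAMPLE_PATH = [1500, 1500, 1400, 1500]


def send(payload_len, link_mtus, icmp_delivered):
    """Fate of one DF-set TCP segment carrying payload_len bytes.

    Returns 'ok', 'pmtud' (sender is told the smaller MTU and can retry
    with smaller segments) or 'blackhole' (dropped, sender never learns why).
    """
    pkt_len = IP_HDR + TCP_HDR + payload_len
    for mtu in link_mtus:
        if pkt_len > mtu:
            return "pmtud" if icmp_delivered else "blackhole"
    return "ok"


def largest_safe_mss(link_mtus):
    """Largest MSS whose full-size segment fits every hop unfragmented."""
    return min(link_mtus) - IP_HDR - TCP_HDR


def session(link_mtus, client_mss, server_mss, icmp_delivered, clamp=None):
    """Model a web fetch: handshake first, then one full-size data segment.

    clamp models a router rewriting the MSS option in the SYNs, so both
    ends end up using min(advertised MSS, clamp). Simplified model.
    """
    mss = min(client_mss, server_mss)
    if clamp is not None:
        mss = min(mss, clamp)
    return {
        "mss": mss,
        "handshake": send(0, link_mtus, icmp_delivered),
        "page_data": send(mss, link_mtus, icmp_delivered),
    }


if __name__ == "__main__":
    print(session(SAMPLE_PATH, 1460, 1460, icmp_delivered=False))
    print(session(SAMPLE_PATH, 1460, 1460, icmp_delivered=False, clamp=1200))
    print("largest safe MSS:", largest_safe_mss(SAMPLE_PATH))
```

In the model, the handshake always fits because it carries no payload; only full-size data segments hit the small hop, and they vanish silently only when the ICMP "fragmentation needed" reply is not delivered back to the sender.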

I will test the tcp adjust setting after today's production is over.

I didn't get your last line; my PIX and router in office 1 are on the same LAN.

No IPsec anywhere, only one GRE on the routers between both offices.

One more interesting thing: it's happening to me for the 4th time, and all 4 times it was some sort of government site of Canada :)
