TCP connections timing out

Unanswered Question
May 14th, 2009

At work I have a 2801 router with advanced security image 12.4(3h).

Attached to FastEthernet0/0 is a switch and a load of subinterfaces.

Attached to FastEthernet0/1 is a docsis modem that connects to internet using PPPoE.

The router performs NAT to make sure all hosts in the network can reach internet.

Mostly this all works fine, but there are some specific sites that start a transfer and, after a random amount of data, the data from the other side starts coming back at longer intervals, doubling each interval.

A wireshark capture is available on http://home.kabelfoon.nl/~labenitt/probleem.pcap

In the same building there are 2 more companies, same provider, different router (Linksys) and they can download this same file just fine.

Below are snippets from the running config belonging to the interface and the dialer.

interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no mop enabled
 crypto map SDM_CMAP_1

interface Dialer0
 ip address negotiated
 ip access-group Mathijs_inkomend in
 ip mtu 1492
 ip inspect Inspect_Mathijs out
 ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 2
 no fair-queue
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username *name* password 7 *password*
 crypto map SDM_CMAP_1

Paolo Bevilacqua Sat, 05/16/2009 - 22:38

On each subinterface that has nat inside, configure:

ip tcp mss-adjust 1452

That should solve your issue.

waalpartn Mon, 05/18/2009 - 00:32

That was the original configuration which already had the problem.

The ip tcp mss-adjust 1412 on the dialer already tackles this problem, even when using the VPN.

Just for good measure I did put it on all nat inside interfaces, and the connection went to 8MB downloaded without dying, so I nearly cheered, but then it still died. Later tries died a lot faster again.

Paolo Bevilacqua Mon, 05/18/2009 - 06:05

Command on dialer should have no effect.

It has to be on the inside interfaces as 1452, not 1412.

waalpartn Wed, 05/20/2009 - 01:23

No adjust-mss: Many sites don't work

adjust-mss 1452 on all inside interfaces: Most sites work

adjust-mss 1452 on dialer: same as on all inside interfaces, but only 1 interface requires the command.

This was tried and tested: it doesn't matter if it's on the inside or outside, just as long as 1 has it. Also, it's 1412 because of the fact we use a VPN, which eats up another set of TCP and IP headers.

Also visible in the trace is the fact that we do get a lot of packets; if the packet size was a problem, there would be no packets coming in.

The packets just suddenly slow down for no apparent reason.

Paolo Bevilacqua Wed, 05/20/2009 - 05:53

If you have a VPN, the difference will not be just 40, because VPN overhead is not just a set of IP+TCP headers.

You probably have to reconsider how your packets travel and from where, at different points, to find where you have to configure.
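As an added diagnostic (not code from the thread or from either participant), the script below does two things: it reproduces the MSS arithmetic the replies argue about from the PPPoE MTU plus an assumed tunnel overhead, and it scans packet arrival times (constructed here, since the linked pcap is not on this page) for the doubling-interval pattern the original post describes, which is what a sender's retransmission-timer exponential backoff looks like in a capture.

```python
# Added example, not code from the thread. clamp_mss() follows the MSS
# arithmetic in the replies (1492 - 40 = 1452; the poster's 1412 subtracts
# another 40 for the VPN, which Paolo notes is usually too little, so the
# tunnel overhead is a parameter here). backoff_runs() looks for stretches
# of packet arrivals where each gap is about twice the previous one.
from typing import List, Tuple

IP_TCP_HEADERS = 40   # IPv4 (20) + TCP (20) without options
PPPOE_MTU = 1492      # 1500 minus PPPoE (6) + PPP (2) encapsulation


def clamp_mss(link_mtu: int = PPPOE_MTU, extra_overhead: int = 0) -> int:
    """Largest MSS that fits link_mtu once IP/TCP headers and any tunnel
    overhead (e.g. IPsec ESP, which varies with cipher and mode) are added."""
    return link_mtu - IP_TCP_HEADERS - extra_overhead


def backoff_runs(timestamps: List[float], min_doublings: int = 3,
                 tolerance: float = 0.25) -> List[Tuple[int, int]]:
    """Return (first_pkt, last_pkt) index pairs for stretches where each
    inter-arrival gap is ~2x the previous one for at least min_doublings steps."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    runs: List[Tuple[int, int]] = []
    i = 0
    while i < len(gaps):
        j = i
        # extend the run while the next gap is within tolerance of double this one
        while (j + 1 < len(gaps) and gaps[j] > 0
               and abs(gaps[j + 1] / gaps[j] - 2.0) <= 2.0 * tolerance):
            j += 1
        if j - i >= min_doublings:
            runs.append((i, j + 1))   # gap k sits between packets k and k+1
        i = j + 1
    return runs


# Constructed server->client data arrival times (seconds): a healthy burst, then
# retransmissions at 0.2, 0.4, 0.8, 1.6 and 3.2 s, mimicking the stall in the question.
SAMPLE_ARRIVALS = [0.00, 0.01, 0.02, 0.03, 0.04, 0.24, 0.64, 1.44, 3.04, 6.24]

if __name__ == "__main__":
    print("MSS for plain PPPoE:", clamp_mss())                          # 1452
    print("MSS with 40 B extra for VPN:", clamp_mss(extra_overhead=40))  # 1412
    for first, last in backoff_runs(SAMPLE_ARRIVALS):
        gaps = [round(SAMPLE_ARRIVALS[k + 1] - SAMPLE_ARRIVALS[k], 2)
                for k in range(first, last)]
        print(f"RTO-style backoff between packets {first} and {last}: {gaps}")
```

If a real capture shows this pattern only on large segments from a few sites while small packets keep flowing, the usual suspect is a path-MTU/MSS problem somewhere between the clamp point and the far end rather than a dead link.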
