876, new IOS --> some websites fail

Unanswered Question
Mar 21st, 2010

Initially my 876 runs c870-advipservicesk9-mz.124-15.T7.bin code which runs fine. However, I once tried c870-advipservicesk9-mz.124-24.T1.bin and now c870-advipservicesk9-mz.150-1.XA3.bin and the two last ones exhibit a weird problem that may be mtu/mss related.

What happens is that I can go to for instance www.linkedin.com but most links I click end up with "waiting for linkedin.com". The same goes for www.hyves.nl where I cannot send messages.

If I revert to 124-15.T7, it works directly, the 124-24.T1 and 150-1.XA3 fail.

The configs are all the same.

Playing with vlan 1 ip tcp adjust-mss doesn't seem to help here.

Used OSes behind the router are windows vista, xp and linux and all show the same problem.

roelandjansen Sun, 03/21/2010 - 01:09

ps for the two problematic releases above: if I reload the router, it works for some time but after some time it fails again.

Giuseppe Larosa Sun, 03/21/2010 - 03:54

Hello Roeland,

>> if I reload the router, it works for some time but after some time it fails again.

So it is not an MTU issue but rather it is related to exhaustion of some resources over time and I would look at NAT.

Newer images may require more memory.

Anyway, if IOS 12.4(15)T works well and you don't need any new feature you have already found the solution to your issue.

Not always newer means better and I would not change the IOS image unless there is a security vulnerability issue or the need for a new feature.

Hope to help


roelandjansen Sun, 03/21/2010 - 07:22

thx for your reply.

I did have the task to increase the flash from 28MB to 56MB and upgrade the DRAM to 256MB.

So I now have placed both the working and non-working version in flash.

I don't have a specific reason besides the idea that I might just have missed something. It also happened with 124-24 and colleagues of mine with annex-a versions don't seem to exhibit this problem.

So yes, if I can't find a reason why it happens, I simply revert.

If NAT resources are an issue I would have thought that more would die. I'll check if I can find some logging on that matter.

Reza Sharifi Sun, 03/21/2010 - 08:41

Hi Roeland,

I agree with Giuseppe. Newer does not mean better. In other words, if everything is working fine and you don't need any specific new feature, I would not upgrade.



rgodden Sun, 03/21/2010 - 21:36

I also agree with Giuseppe and also Reza.

Please rate if it helped.

roelandjansen Mon, 03/22/2010 - 00:53

hi all,

while I *do* agree that you shouldn't upgrade when there is no need, I still am intrigued why it happens.

I yesterday have removed 4MB flash and replaced it by 32MB flash and also increased the DRAM to 256M. So, I now can have the old working version as well as the new non-working version in flash. Running the 12.4 code again now.

One of the reasons I still want to know what happens is:

1) it might be a bug in my setup

2) it might be a bug in the cisco

3) it might be a bug in the systems connected

4) .....?

Picture this: I sell my 876 and get a new router which comes with 15.x -- and now the problem is persistent as there is no old version available of the IOS. Now what?

So, I still opt for trying to figure out what happens and why it fails for specific websites.

Thanks for your help here. (rated you all)

Message was edited by: Roeland Jansen

sean_evershed Mon, 03/22/2010 - 01:27

Hi Roeland,

- Have you checked your Internet bandwidth consumption when you experience the problems?

- Have you tried different browsers when accessing the problem web sites?

- What's the CPU like on the router?

- Are you running CBAC or any Internet related ACLs on your router?

roelandjansen Mon, 03/22/2010 - 02:15


- bandwidth: when it happens, it's almost idle.

- browsers: it happens with all linux browsers I have here as well as under windows.

- cpu on the router: I haven't looked into that specifically. I can do that. any specific things in mind?

- CBAC/ACL: I don't use CBAC; I do have incoming ACLs for a few specific ports (ssh notably).

I can put my config on pastebin if there is need to look at it eventually.

sean_evershed Mon, 03/22/2010 - 23:30

Hi Roeland,

- Pasting a sanitised version of your config will help.

- You can replicate the problem every time on the same web sites when you boot to the new version of the IOS?

- Do you have any firewalls or proxy servers in your environment?

- By different browsers I also meant trying both IE and Netscape including clearing the cache.

- Show process CPU hist will show the CPU use for the last 72 hours. Given the bandwidth is low it seems unlikely that it is a CPU related problem but at least this command will help to eliminate it as a potential issue.

- This is a long shot but the web sites that are having problems, do they have any features in common?

roelandjansen Tue, 03/23/2010 - 02:22

my sanitized config. left all intact except for the password stuff which is replaced by [.....]


Replicating the problem: yes every time. However, it takes some time (maybe an hour max) before it starts to roar its ugly head.

So if I would have booted 15.x now and it starts failing, a reload will 'fix' it for a short time.

My network consists of:

internet (unfiltered) ---- DSLAM --- 876 --- printer
                                         --- unmanaged GB switch --- wireless/WDS
                                                                 --- linux desktop (2)

On the wireless segment I have a mix of linux and windows.

I have tried IE, FF, Konqueror, Opera, my mobile webbrowser (nokia E72) including deleting caches, cookies, stored passwords etc etc.

There are more than one website that show this behaviour. However, linkedin.com and hyves.nl show it 100% of the time and are my test sites.

If I login to these sites, I for instance can look at the linkedin's 'invites' and if I just reloaded, I can go there. If I wait, say an hour, login to the site, it will show "waiting for linkedin.com" forever.

The same holds true for hyves.nl. I can send a message if it has just been reloaded. If I wait say, an hour, you can create the message, but sending will show "waiting for hyves.nl" forever.

two colleagues of mine have the 877 with wireless and don't have this problem. At least one of them is NOT using PPPoA btw.

How do the sites differ from others? I don't know. My wife reported also similar problems when filling in online forms.

I recall that one time, adjusting VLAN1's mss to 1200 (for test) I could post a message on hyves. If this was just luck....?

roelandjansen Wed, 04/28/2010 - 03:25

hi *,

I created a few tcpdumps and what I see is that after the three-way handshake, the replies stop from the remote end.

What the router does....?

Suggestions to t/s further are welcome.

I tested more than 6 different versions after the working 12.4(15)t7 and they *all* fail.

It feels like a bug that is triggered in a special way but I cannot point a finger to it.
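
One way to pick the flows described in the post above out of a capture, as an added example that is not part of the original thread: the script reads `tcpdump -nn -tt` text output and lists connections where the three-way handshake completed and the client sent data, but no payload ever arrived from the server. The capture lines, the addresses and the function name `stalled_flows` are constructed for illustration.

```python
import re

# Constructed capture in `tcpdump -nn -tt` text format (documentation addresses).
SAMPLE = """\
1272450000.000000 IP 192.0.2.10.51000 > 203.0.113.5.80: Flags [S], seq 1000, win 5840, options [mss 1460], length 0
1272450000.030000 IP 203.0.113.5.80 > 192.0.2.10.51000: Flags [S.], seq 2000, ack 1001, win 5792, options [mss 1452], length 0
1272450000.030100 IP 192.0.2.10.51000 > 203.0.113.5.80: Flags [.], ack 1, win 5840, length 0
1272450000.031000 IP 192.0.2.10.51000 > 203.0.113.5.80: Flags [P.], seq 1:401, ack 1, win 5840, length 400
1272450000.070000 IP 203.0.113.5.80 > 192.0.2.10.51000: Flags [.], seq 1:1453, ack 401, win 6432, length 1452
1272450010.000000 IP 192.0.2.10.51001 > 198.51.100.7.80: Flags [S], seq 3000, win 5840, options [mss 1460], length 0
1272450010.030000 IP 198.51.100.7.80 > 192.0.2.10.51001: Flags [S.], seq 4000, ack 3001, win 5792, options [mss 1452], length 0
1272450010.030100 IP 192.0.2.10.51001 > 198.51.100.7.80: Flags [.], ack 1, win 5840, length 0
1272450010.031000 IP 192.0.2.10.51001 > 198.51.100.7.80: Flags [P.], seq 1:601, ack 1, win 5840, length 600
1272450010.331000 IP 192.0.2.10.51001 > 198.51.100.7.80: Flags [P.], seq 1:601, ack 1, win 5840, length 600
1272450010.931000 IP 192.0.2.10.51001 > 198.51.100.7.80: Flags [P.], seq 1:601, ack 1, win 5840, length 600
"""

# timestamp, "IP", src.port, dst.port, TCP flags, payload length
LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]+)\].*?\blength (\d+)")


def stalled_flows(capture):
    """Return (client, server, client_data_packets) for each flow whose
    handshake completed and whose client sent payload, but where the
    server never delivered a single payload byte."""
    flows = {}  # (client, server) -> counters; the SYN sender is the client
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a TCP line this parser understands
        src, dst, flags, length = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if flags == "S":  # bare SYN opens a flow (retransmitted SYNs keep counters)
            flows.setdefault((src, dst), {"synack": False, "c_pkts": 0, "s_bytes": 0})
        elif (src, dst) in flows:  # client -> server
            flows[(src, dst)]["c_pkts"] += 1 if length > 0 else 0
        elif (dst, src) in flows:  # server -> client
            f = flows[(dst, src)]
            f["synack"] = f["synack"] or flags == "S."
            f["s_bytes"] += length
    return [(c, s, f["c_pkts"]) for (c, s), f in flows.items()
            if f["synack"] and f["c_pkts"] and f["s_bytes"] == 0]


if __name__ == "__main__":
    for client, server, pkts in stalled_flows(SAMPLE):
        print(f"{client} -> {server}: {pkts} client data packets, 0 bytes back")
```

Running it over captures taken on both IOS versions gives a side-by-side list of which destinations stall on each.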

shailesh.h Wed, 04/28/2010 - 05:32

Hi Roeland,

I picked up your communication and would like to suggest a few basic things. I have been confronted with a similar problem and isolated

  • Take one baseline system in which these sites are working fine (say your laptop is working fine at your home)
  • Now connect this system and check whether this is working or not from your network
  • Say it's not working, it means that it is confirmed that there is no problem in your laptop but something else.
  • Take note of the traceroute during working condition and non-working condition.
  • Now try to avoid any firewall or antivirus for testing purpose only on specific laptop
  • During the problem scenario try to check the site from another location. If it is working then there could be two possibilities
    • your ISP might be having a problem intermittently
    • your network (router) is blocking. If you have a spare WAN IP then you can connect your laptop, give it an IP in the WAN range, put the ISP as gateway and DNS and check whether the problem persists or not.

I am very sure you need loads of patience to resolve this, but once resolved you will find it would be a tidy solution.

In my case the ISP route was having an issue: whenever it was passing through one route a few sites were not accessible. Then I logged a call with the ISP, they did something and resolved the issue.

Hope this will take you an inch ahead

