Unable to open some websites

Vikrant Ambhore
Level 1

Hello All Experts,

I am using BSNL broadband in India through a Cisco router, but we have an issue opening some websites such as www.experts-exchange.com and www.microsoft.com, while all other sites work fine. When I try to open the above sites, the pages keep waiting for the website. If I switch my internet to a different provider, everything works fine.

Friends, please help me...

Regards
Vikrant Ambhore

Building configuration...

Current configuration : 7041 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password 7 052809002D4D490C39544E4559
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2149300000
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2149300000
revocation-check none
rsakeypair TP-self-signed-2149300000
!
!
crypto pki certificate chain TP-self-signed-2149300000
certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid Coinopsolutions
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 013E071C52080A0E36
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.25
!
ip dhcp pool LAN-POOL
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 192.168.4.1
   lease 0 2
!
!
ip name-server 218.248.255.212
ip name-server 218.248.255.139
!
multilink bundle-name authenticated
!
!
username rcohen privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
lifetime 28800
crypto isakmp key coinopsolutions.com address XXXXXXXXXXXXXXXXXXXXXX
!
!
crypto ipsec transform-set LAB-Transform esp-aes 256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn AustraliaVPN
connect auto
group EZVPN_GROUP_1 key XXXXXXXXXXXXXXXXXXXXXX
mode network-extension
peer XXXXXXXXXXXXXXXXXXXXXX
username XXXXXXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXXXXXXX
xauth userid mode local
!
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface Loopback0
no ip address
!
interface Loopback1
no ip address
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
ip nat inside
ip virtual-reassembly
!
encryption vlan 1 mode ciphers tkip
!
ssid Coinopsolutions
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ES_LAN$
no ip address
ip access-group BlockIPSec2HQ in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
ip address negotiated
ip mtu 1466
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname palewar176
ppp chap password 7 00141215174C04140B
ppp pap sent-username palewar176 password 7 06160E325F59060B01
crypto ipsec client ezvpn AustraliaVPN
!
interface Dialer1
no ip address
!
interface BVI1
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn AustraliaVPN inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 ATM0
ip route 192.168.4.0 255.255.254.0 Dialer0
ip route 192.168.8.0 255.255.255.0 192.168.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list ToNAT interface Dialer0 overload
!
ip access-list extended BlockIPSec2HQ
deny   udp any host XXXXXXXXXXXXXXXXXXXXXX eq isakmp
permit ip any any
ip access-list extended ToNAT
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 192.168.0.0 0.0.255.255
permit ip 192.168.4.0 0.0.3.255 any
ip access-list extended acl_vpn
permit ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 40 permit 192.168.2.0 0.0.0.255
access-list 50 permit 192.168.0.0 0.0.255.25
access-list 50 deny   any
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 100 permit icmp 192.168.2.0 0.0.0.255 any
access-list 100 remark SDM_ACL Category=4
access-list 101 permit icmp 192.168.2.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.1.250 host XXXXXXXX
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.6.0 0.0.1.255 XXXXXXXX 0.0.0.63
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 192.168.4.250 host XXXXXXXX
dialer-list 1 protocol ip permit
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 1326181D070D032F0B75716467
login local
no modem enable
line aux 0
line vty 0 4
password 7 032754040A0E26496E58405245
login local
!
scheduler max-task-time 5000
end

1 Accepted Solution

andrew.prince
Level 10

change from

ip tcp adjust-mss 1412

to

ip tcp adjust-mss 1300

and test again

Hi andrew,

I have faced a similar problem, and the issue was resolved by setting the MSS size to 1480. Can you please help me understand what exactly the role of MSS is in website access?

Thanks & Regards

Mahesh

MSS - Maximum Segment Size. This is negotiated on the creation of a TCP connection. Each end will advertise its MSS to the other side:

The typical MSS is 1460 = 1500 MTU - 20 bytes for IP header and 20 bytes for TCP header = 1460 bytes of data

The lowest number in the TCP SYN/SYN ACK will win.

The issue is when you have a device or devices with an MTU that is lower than the negotiated MSS value, and the application is sending/receiving TCP packets with the DF bit set.

Any well-behaved device with a low MTU that receives a packet with the DF bit set will send an ICMP Fragmentation Required message to the offending machine. Now if there are other devices blocking this ICMP, or the remote end ignores it, you will have the issue.

I find it interesting that you have fixed this issue using an MSS of 1480. A good tool to see if you are going to have any issues accessing systems/web sites is "mturoute.exe".

HTH
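
The failure mode described above, as a small Python model added here for illustration (it is not code from the thread or from Cisco). The hop MTUs, including a 1492-byte PPPoE link, and the function names are assumptions chosen to match the values quoted in this thread.

```python
# Added illustration (not from the thread): toy model of MSS vs. path MTU.
HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

# Constructed sample path: Ethernet LAN, a PPPoE link (1500 - 8 bytes of
# PPPoE/PPP overhead = 1492), then Ethernet again at the web server.
PPPOE_PATH = [1500, 1492, 1500]


def negotiated_mss(client_mtu, server_mtu, clamp=None):
    """Effective MSS: each end advertises MTU - 40 and the lower value wins.

    `clamp` models a router rewriting the MSS option in SYN packets, which
    is what `ip tcp adjust-mss` does.
    """
    advertised = [client_mtu - HEADERS, server_mtu - HEADERS]
    if clamp is not None:
        advertised = [min(a, clamp) for a in advertised]
    return min(advertised)


def transfer(mss, hop_mtus, df=True, icmp_delivered=True):
    """Send one full-size segment across the hops; return (outcome, size)."""
    size = mss + HEADERS
    while True:
        too_small = next((m for m in hop_mtus if m < size), None)
        if too_small is None:
            return "delivered", size
        if not df:
            return "fragmented", size          # router may split the packet
        if not icmp_delivered:
            return "black-hole", size          # dropped, sender never told
        size = too_small                       # sender obeys ICMP and shrinks


if __name__ == "__main__":
    mss = negotiated_mss(1500, 1500)                        # 1460
    print(transfer(mss, PPPOE_PATH))                        # PMTUD recovers
    print(transfer(mss, PPPOE_PATH, icmp_delivered=False))  # page hangs
    clamped = negotiated_mss(1500, 1500, clamp=1452)
    print(transfer(clamped, PPPOE_PATH, icmp_delivered=False))
```

Small packets such as the SYN and the HTTP request fit every hop, which is why the connection opens and the page then waits on the first full-size response.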

Echo Andrew when suggesting mturoute.exe and the explanation of mss. You can also shoot some pings out with the below string but mturoute would be your best bet.

ping "target addy" -l

Hi Andrew Prince,

Thanks for Help after entering below command

No ip mtu 1466

ip mtu 1492
ip tcp adjust-mss 1452

Thanks andrew,

Much useful information from your side. Unfortunately, I am not able to rate your post.

I request Vikrant to rate it on my behalf.

Thanks & Regards

Mahesh

Vikrant, how did you determine the parameters? Did you use mturoute?

Eric

I didn't use it as per you; I found the parameters from Experts-Exchange.com

Daniel0000
Level 1

Yup there are problems with these sites. 

Hello,

Post the running configuration of your router.
