Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

Certain Websites timeout when trying to access

Can anyone help with this issue, since a couple of days ago we are having trouble accessing certain websites.

When attempting to access the site the PC will hang and eventually display "Request Timeout". On other pages certain parts of the site will not display.

We have an ASA 5510 Firewall and a 1841 Router which is maintained by our ISP.

One example is www.matrox.com (138.11.2.65), I cannot ping from the Inside or Outside Interface of the ASA nor PC's on our network.

I have contacted our ISP who say they can ping this address from their Router.

Below is an example of the end of a trace route, firstly from network-tools.com (and anywhere else I've tried)

9 55 69 60 66.46.89.150 -

10 55 53 71 138.11.1.101 -

11 72 61 86 138.11.2.65 www.matrox.com

and from our Firewall

12 137 ms 137 ms 135 ms 66.46.89.150

13 131 ms 132 ms 134 ms 138.11.1.101

14 * * * Request timed out.

15 * * * Request timed out.

16 * * * Request timed out.

17 * * * Request timed out.

As you can see it doesn't make the last hop.

Does anyone have an idea how to resolve this or how to debug this issue.

Thanks,

Chris

4 REPLIES
Community Member

Re: Certain Websites timeout when trying to access

To add to the confusion:

All our PC are NAT'd to go out as the ASA interface address x.x.231.82,

On the ASA I've just configured an individual PC to NAT as a different address x.x.231.84 and I can access and ping the problematic websites from this PC.

Re: Certain Websites timeout when trying to access

Hi Chris,

If you do not have ICMP inspection enabled on your ASA ping will never reply back from your internal network, that's one thing to check. Go to your ASA and from it ping the ip address for this Matrox site and see if you got an answer.

As for the webpages timing up, go ahead and check with the "show run policy-map" if the inspect http is enabled, if it is try to disable it and test again your webpage connections.

It would also be useful to check any logs from the asa to see if those packets (web traffic) is being dropped by any reason.

Community Member

Re: Certain Websites timeout when trying to access

Hi,

I do have ICMP inspection enabled, so I do receive replies. Inspect http is not enabled and nothing shows up in the logs at all when I try and access these sites. Most websites are fine

As I mentioned if I change the outgoing address to a different IP from our external IP range it works OK

Does anyone have any idea how to resolve this?

Thanks, Chris

Re: Certain Websites timeout when trying to access

OK, thanks for clearing up, so what you are stating is that if you use a different address for the nat that those users behind are using all works fine? This my friend has to do with how that ip address is assigned or router by your ISP.

324
Views
0
Helpful
4
Replies
CreatePlease to create content