
Site-to-site VPN: local URL not opening from branch office

r.kukreja
Level 1

I have site-to-site VPNs, say between Delhi and Mumbai and between Delhi and Hyderabad. Delhi is the corporate office; the branch offices ping the corporate office fine and the response is fine. There are application servers in the Delhi corporate office. Some local URL, say http://172.26.5.180/, opens from Mumbai but does not open in Hyderabad. I am able to ping 172.26.5.180 from Hyderabad but not able to telnet to port 80 on IP address 172.26.5.180. There is no proxy or anything else. The tunnel is established fine. Any idea about this kind of problem? It looks rather strange.

regards

rajat               


rizwanr74
Level 7

Please post your config.

thanks

The sites are pinging each other.

I see no problem on your tunnel config, they are fine.

Please check with the Hyderabad users whether the correct mask has been assigned on their PCs, and likewise on the server in question.

This is more of a Windows problem than a FW or switch/routing problem.

thanks

I have taken a remote session to the Hyderabad server. The mask is correct, and switching and routing are OK. The same URL opens from Mumbai but not for the Hyderabad user. My concern is that I am not able to telnet to the application on port 80, IP address 172.26.5.180. I checked with netstat -n: there is source 10.120.1.10 port 45986 and destination 172.26.5.180 port 80, and in the established connections there is SYN_SENT and nothing else.

To my mind, when a packet travels over the WAN in a site-to-site VPN, is there any kind of decryption or blocking that can be done by the ISP to stop my URL from opening in the web browser?

regards

rajat
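An added example, not part of the original thread: SYN_SENT in `netstat -n` means the client's SYN has gone out and no SYN-ACK or RST has come back. The script below parses `netstat -n` output and lists remote endpoints that have only stalled handshakes; the sample rows are constructed around the addresses quoted in the post, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `netstat -n` output (Windows layout). The first row
# mirrors the connection quoted in the post; every other row is invented.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.120.1.10:45986      172.26.5.180:80        SYN_SENT
  TCP    10.120.1.10:45990      172.26.5.180:80        SYN_SENT
  TCP    10.120.1.10:3389       10.120.1.55:50211      ESTABLISHED
  TCP    10.120.1.10:46001      172.26.5.20:445        ESTABLISHED
  TCP    10.120.1.10:46010      172.26.5.20:445        SYN_SENT
"""


def parse_netstat(text):
    """Yield (local, remote, state) per TCP row.

    The last three columns are local, foreign and state in both the
    Windows layout and the Linux `netstat -n` layout, so index from the end.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue  # header, blank line, or non-TCP row
        yield parts[-3], parts[-2], parts[-1].upper()


def stalled_handshakes(text):
    """Return {remote endpoint: SYN_SENT count} for remotes with no ESTABLISHED row."""
    states = defaultdict(lambda: defaultdict(int))
    for _local, remote, state in parse_netstat(text):
        states[remote][state] += 1
    return {
        remote: seen["SYN_SENT"]
        for remote, seen in states.items()
        if seen["SYN_SENT"] and not seen["ESTABLISHED"]
    }


if __name__ == "__main__":
    for remote, count in stalled_handshakes(SAMPLE).items():
        print(f"{remote}: {count} SYN_SENT, none ESTABLISHED (no SYN-ACK or RST received)")
```

Running the same check on a Mumbai client gives a side-by-side view of which site completes the handshake to 172.26.5.180:80.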

"to mymind when packet travel over wan in site to site vpn  is there any kind of decryption or blocking can be done by isp to stop my url to get open in web browser."

The ISP has better things to do than peeking at customers' traffic; besides, breaking IPSec traffic isn't that easy, or is impossible, and besides, your private-IP traffic is encapsulated.

Try this on your Hyderabad ASA, not on the outside but rather on the inside interface first. Please try it outside business hours; I sense it is a packet fragmentation problem.

The ASA does not support tcp adjust-mss; rather, it is the MTU size.

ip tcp adjust-mss 1452

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml

ESP 56, AH 24, IPSec 20 = 100 bytes

1500 - 100 = 1400 MTU size

Therefore set your inside interface mtu 1400.

Looking forward to hearing from you.

Message was edited by: Rizwan Mohamed

I tested mtu inside 1400 on the firewall first and it did not work. Then I tried mtu outside 1400 and removed it from the inside (no mtu inside 1400), but it still did not work. Any other clue?

regards

rajat

You didn't try on the outside interface?

Hi,

When I tried it on the outside interface, the remote session of the PC disconnected and then reconnected. I tried to open the URL but still without success. Is there any other clue that can help resolve the issue?

regards

rajat

Can anybody suggest anything on this?

regards

rajat
