"We are trying to setup NAT on a Cisco 3620 to work with our cable modem. Currently Ping works by both canonical names and IP address. However if we try to use HTTP the request times out. Using Wireshark it appears that all the HTTP requests end up in a retransmission loop...data never gets back to requesting host on "inside" network.
What is confusing to me is that DNS seems to work perfectly.
So do we need to enable a TCP specific access list for HTTP or are we doing something wrong with the existing access lists?
Please see attached for Show_Version and current router config.
The configuration looks fine, however you can remove the following configuration line as it will not match anything because there's no ACL 101 exist:
ip nat inside source list 101 interface Ethernet0/0 overload
There's no need to create a specific ACL for HTTP.
I'm a bit concerned about the full-duplex settings on the interfaces, if the other side (e.g. cable modem) is set to Auto negotiation (auto speed and auto duplex), you should set the router interface to "speed auto" and "duplex auto". Setting different options on the 2 sides can cause problems due to duplexity mismatch, like lost packets.
I have a few questions for you:
- Could you please attach an output of the 'show interfaces' command?
- What do you see in the Wireshark capture for the HTTP traffic?
I've checked your outputs and the configuration looks fine. Also, I see only a low number of errors on the interfaces which should not affect the HTTP traffic.
Looks like an MTU issue because frames larger than about 1300 bytes are seemingly not received by the workstation. Where did you capture the traffic?
Try pinging with DF (Don't Fragment) bit enabled with a packet size of up to 1500. The settings of packet size depends on the OS as some systems include the IP header in the size, some does not. Try pinging an outside IP with DF set and look what's the largest packet which goes through.
You might try the 'ip tcp adjust-mss' interface configuration command with a value of 1300 or 1200 on the outside (Eth0/0) interface based on the ping test.
Please refer to the following links for more information:
[We captured the traffic with a Mac Book Pro directly connected to the router. We conducted a ping sweep in two configurations:
Our understanding is that the MBP offloads TCP Checksums to the network interface so that is why WireShark is flagging the Checksum errors but we were able to successfully transmit/receive packets up 1472 bytes. using the DF, Sweep, and Size options.
We can connect via both a TP-Link Router and Apple Airport Base Station but have not yet tried a direct connecting from Client Computer to Cable modem as the both the Apple Airport and TP-Link router function without any issues
Yes. We've tried with both PC (Windows XP) and Mac (10.6.5) computers with the same issues
Yes. We also tried yahoo. We discovered google apparently has limitations on their ICMP responses, I'm guessing because everyone "pings" them. So the ICMP responses range from minimum of 26 Bytes to a maximum of 72 bytes. Yahoo does not exhibit this behavior and we get responses from 9 Bytes to 1472 Bytes without any problem.
We are experiencing the issue on both HTTP and HTTPS
So an overview:
Appeciate your insight. We originally duplicated the Wifi router WAN port MAC address, in case the ISP had locked the cable modem to this address. However, we subsequently found out that the ISP does not lock the CM to the MAC address so this was unnecessary. We removed the manually set MAC address and are still experiencing the same issue.
We are currently using a Cable Modem, so there isn't a PPPoE configuration to setup.
Further testing: We can Ping from 64 to 1472 bytes via setting the ICMP packet size on both the MAC and PC. Pings work both directly across the cable modem and using an Airport Base Station from both the MAC and PC Clients. Pings also work correctly across the Cisco 3620 router. Although sometimes it appears there is some additional latency which is odd.
Mac or PC Client <—Directly Connected ---> Cisco 3620 <---Directly Connected ----> Motorola Cable Modem Mac or PC Client <—Directly Connected ---> Apple Airport Base Station <---Directly Connected ----> Motorola Cable Modem
In both setups the cables between the points are the same and in the case of the Airport Base Station we also tested via Wifi.
That said, after additional testing it appears that some web pages do try to load but is either very slow to load or times out. I would expect this kind of pattern if there was a duplex mismatch but after setting the Speed/Duplex to 10 half on both interfaces and watching the interface counters....the interfaces are clean. Meaning no giants or runts detected on either interface as would be expected with a duplex mismatch.
We also turned on all possible TCP debugging with no errors. Show IP NAT Trans also shows the NAT translations tables being updated. Lastly we checked Show Proc CPU and looked for areas of high utilization but the only process that was using slightly elevated CPU was ARP. Not sure if this is normal but ARP was running between 10-13% CPU utilization.
Did a show debug all and watched all the conversations and status messages for a while so we could buffer them into hyperterminal but didn't see/find anything significant.
Thanks for your detailed reply. At this point I would suggest you to open a Service Request so that you can troubleshoot this together with TAC. The issue seems to be too complex to solve on the forum and also it would be better if a TAC engineer could help you in a remote assistance session.
Question We run asr9001 with XR 6.1.3, and we have a very long delay to
login w/ SSH 1 or 2 to the device compare to IOS device. After
investigation, the there is 1s delay between the client KEXDH_INIT and
the server (XR) KEXDH_REPLY. After debug ssh serv...
Introduction The purpose of this document is to demonstrate the Open
Shortest Path First (OSPF) behavior when the V-bit (Virtual-link bit) is
present in a non-backbone area. The V-bit is signaled in Type-1 LSA only
if the router is the endpoint of one or ...
Hi, I am seeing quite a few issues with patch install and wanted to
share my experience and workaround to this. Login to admin via CLI, then
access root with the “shell” command Issue “df –h” and you’ll probably
see the following directory full or nearly ...