Unable to access HTTPS via IPsec Tunnel on remote site

Hi,

We have an IPsec tunnel configured on a Cisco router at both sites. This link is used to access internal tools between the two sites. Since two days ago, SiteB has been unable to access internal tools via HTTPS. Please note that ssh, ping, and traceroute are working fine. SiteA has no problem accessing anything from SiteB.

Here's the config:

SiteA:

interface Tunnel8601
 description ipsec-vti to cnshaccent-gw-3
 ip address 10.255.255.105 255.255.255.252
 ip summary-address eigrp 89 10.65.0.0 255.255.224.0 5
 tunnel source 115.115.6.141
 tunnel destination 115.115.10.41
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vti

router eigrp 89
 redistribute static
 network 10.0.0.0 0.0.0.3
 network 10.65.20.0 0.0.0.255
 network 10.65.21.0 0.0.0.255
 network 10.255.255.104 0.0.0.3

ip route 10.65.21.0 255.255.255.0 10.65.20.1
ip route 10.65.22.0 255.255.255.0 10.65.20.1
ip route 10.65.25.0 255.255.255.0 10.65.20.1
ip route 10.65.26.0 255.255.255.0 10.65.20.1
ip route 10.65.27.0 255.255.255.0 10.65.20.1
ip route 10.65.30.0 255.255.255.0 10.65.20.1
ip route 10.65.31.0 255.255.255.0 10.65.20.1


SiteB:

interface Tunnel65
 description ipsec-vti to sgsineqnix-gw-2
 ip address 10.255.255.106 255.255.255.252
 ip summary-address eigrp 89 10.86.0.0 255.255.224.0 5
 tunnel source 115.115.10.41
 tunnel destination 115.115.6.141
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vti

router eigrp 89
 redistribute static
 network 10.255.255.104 0.0.0.3
 no auto-summary

ip route 10.86.0.0 255.255.255.0 10.86.11.254
ip route 10.86.9.0 255.255.255.0 10.86.11.254
ip route 10.86.12.0 255.255.255.0 10.86.11.254
ip route 10.86.13.0 255.255.255.0 10.86.11.254
ip route 10.86.14.0 255.255.255.0 10.86.11.254
ip route 10.86.20.0 255.255.255.0 10.86.11.254

I also have a firewall on both ends. SiteA is using a Juniper SSG and SiteB is using a Fortinet firewall.
Someone told me it can be an asymmetric routing issue. Can you please advise?

Need your help to resolve this issue.

Accepted Solutions

If it were an asymmetric routing issue, the problem wouldn't likely be related to HTTPS alone.

It sounds more like an MTU problem. Just as a test, try setting "ip mtu 1400" and "ip tcp adjust-mss 1360" on both of your tunnel interfaces and see if that clears things up.
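How the suggested values relate to ESP tunnel-mode overhead, as an added example that is not part of the original thread: it computes the on-wire size of an encapsulated packet and the largest inner packet that avoids fragmentation. The transform sets, the 1500-byte path MTU and the absence of NAT-T are assumptions, since the thread does not show the IPsec profile.

```python
# Added example: ESP tunnel-mode overhead versus "ip mtu 1400" / "ip tcp adjust-mss 1360".
# Assumptions: 1500-byte path MTU between the routers, no NAT-T (UDP 4500) encapsulation,
# and the transform sets listed below (the thread does not show the ipsec profile).
from dataclasses import dataclass

OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header, encrypted with the payload
IP_TCP_HDRS = 40   # inner IPv4 + TCP headers without options


@dataclass(frozen=True)
class Transform:
    name: str
    iv: int      # IV bytes carried in every packet
    block: int   # padding alignment in bytes
    icv: int     # integrity check value bytes


TRANSFORMS = [
    Transform("AES-CBC + HMAC-SHA1-96", 16, 16, 12),
    Transform("AES-CBC + HMAC-SHA-256-128", 16, 16, 16),
    Transform("AES-GCM (16-byte ICV)", 8, 4, 16),
]


def esp_packet_size(inner_len, t):
    """On-wire size of an inner IP packet of inner_len bytes after ESP tunnel encapsulation."""
    padded = -(-(inner_len + ESP_TRAILER) // t.block) * t.block  # round up to block size
    return OUTER_IP + ESP_HDR + t.iv + padded + t.icv


def max_inner_mtu(path_mtu, t):
    """Largest inner packet that still fits in path_mtu without being fragmented."""
    inner = path_mtu
    while esp_packet_size(inner, t) > path_mtu:
        inner -= 1
    return inner


def mss_for(ip_mtu):
    """TCP MSS that keeps a full-size segment within ip_mtu."""
    return ip_mtu - IP_TCP_HDRS


if __name__ == "__main__":
    for t in TRANSFORMS:
        print(f"{t.name}: 1500 -> {esp_packet_size(1500, t)} bytes, "
              f"1400 -> {esp_packet_size(1400, t)} bytes, max inner {max_inner_mtu(1500, t)}")
    print("MSS for ip mtu 1400:", mss_for(1400))
```

Under these assumptions a full 1500-byte inner packet never fits, while a 1400-byte one leaves headroom for every listed transform, and 1360 is simply 1400 minus the 40 bytes of IP and TCP headers.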

Hi Jody,

Thanks for your help. It is working fine now.

Cheers,

Jen Forbes
