Cisco Support Community
Community Member

Can't browse some sites

I have a number of sites in the Caribbean with the Cisco 1841 as the integrated solution, including VPN. However, I have one site that only functions properly when only NAT is configured. The minute I enable the inbound access-list on the dialer interface and the firewall, the performance drops to a point where the customer can't browse to some sites: some sites freeze, some sites hang, some can't be browsed at all, and the email clients stop pulling emails from the mail server at the main site. It is as though the ADSL bandwidth is dropping rapidly, but the connection speed is OK as indicated by the interface. Also, there are no errors reported on the interfaces. This same config is working fine at the other remote sites. Is there a possibility that the ISP on this island is sending out a control protocol that I am blocking?


Re: Can't browse some sites


Can you post the configs here? Also the access-list which you are trying to insert on the dialer interface?


Hall of Fame Super Gold

Re: Can't browse some sites


The symptoms suggest that they might be blocking ICMP, most especially the ICMP error message about Fragmentation Required but DF Set. If this message is being blocked then Path MTU Discovery will not work. The result is likely to be unsuccessful negotiation of max frame size. Without VPN you are probably working ok. But when you apply the access list then VPN starts. And the added headers that VPN puts on the frame are likely to produce frames that are too large.

One thing that you might try is to use the command ip tcp adjust-mss 1375 on the LAN interface where the end stations connect. This will limit the frame size and if blocking ICMP was the issue this should be a good workaround.

If that does not help we may need a bit more information. So give it a try and let us know if it helps.
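As an added illustration of the point above about VPN headers pushing full-size segments past the link MTU (example code, not from this thread or from Cisco): it models the bytes that ESP tunnel mode and PPPoE add to a TCP segment and finds the largest MSS whose encrypted packet still fits a 1500-byte link. The cipher parameters (AES-CBC with a 16-byte IV, 12-byte HMAC ICV) and the PPPoE encapsulation are assumptions, not values taken from the poster's configuration.

```python
# Added example: why a default 1460-byte MSS overflows a 1500-byte link once
# IPsec ESP (tunnel mode) and PPPoE are added, and which MSS clamp avoids
# relying on Path MTU Discovery (the ICMP "fragmentation needed" message).

IPV4_HDR = 20
TCP_HDR = 20
PPPOE_HDR = 8   # assumption: PPPoE session header + PPP protocol field on the ADSL link


def esp_tunnel_overhead(inner_len, block=16, iv=16, icv=12):
    """Bytes ESP tunnel mode adds around an inner IPv4 packet of inner_len bytes.

    Assumed parameters (constructed, not from the thread): AES-CBC with a
    16-byte IV and 16-byte block, HMAC with a 12-byte truncated ICV.
    """
    outer_ip = IPV4_HDR          # new outer IPv4 header in tunnel mode
    esp_hdr = 8                  # SPI + sequence number
    trailer_fixed = 2            # pad length + next header
    # ESP pads (inner packet + 2-byte trailer) up to the cipher block size.
    pad = (-(inner_len + trailer_fixed)) % block
    return outer_ip + esp_hdr + iv + pad + trailer_fixed + icv


def encrypted_size(mss):
    """On-the-wire size of a full TCP segment carrying mss payload bytes."""
    inner = IPV4_HDR + TCP_HDR + mss
    return PPPOE_HDR + inner + esp_tunnel_overhead(inner)


def fits(mss, link_mtu=1500):
    """True if a full segment with this MSS never needs fragmentation."""
    return encrypted_size(mss) <= link_mtu


def max_safe_mss(link_mtu=1500):
    """Largest MSS whose encrypted, PPPoE-framed packet fits link_mtu."""
    mss = link_mtu
    while not fits(mss, link_mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    print("default MSS 1460 ->", encrypted_size(1460), "bytes on the wire")
    print("largest MSS that fits 1500:", max_safe_mss())
    print("ip tcp adjust-mss 1375 fits:", fits(1375))
```

Under these assumptions a 1460-byte MSS produces 1568-byte packets, which a PMTUD blackhole silently drops, while 1382 is the largest clamp that fits, so the suggested 1375 leaves a small margin.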


