Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Nat problem (maybe....)

Hello, I'm sorry but I think this is going to be a long post....I have a problem accessing some IP addresses in my network and I think it is related to my router (a Cisco

1841).

I can assure everyone I'm at the point where I think nothing makes sense anymore, I am completly desperate and going crazy

I have attached my running config and the output of show version.

I have a simple network in this site, no access lists to block traffic just for NAT, everything is allowed to pass allways, but some days ago users complained that they where unable to access some websites. Has always I thought to myself: Not my problem ....Windows problem... spyware, virus, trojan's, etc.... but lets just take a look....just in case.

Lets say users want to access website www.aaa.bbb and that has the public address 1.2.3.4. Users behind the router type the address in Internet explorer but nothing comes up, it stays loading and loading and loading.... well so I thought.. lets telnet to 1.2.3.4 in port 80 and type "GET /" it is something i like doing so it eliminates the fact that the problem could be in the browser.... I did that but nothing was returned.... Just to check I did the same to google  (telnet www.google.com 80) issued "GET /" and everything returned ok.

I don't know why but I decided to telnet to my cisco 1841 and issue a telnet session from the console to 1.2.3.4 at port 80, issued "GET /" surprise....it returns all the content of the website.... I tried it again in the computer behind the router but nothing was returned.... just a blank screen of telnet...

Thinking the problem was in the computer itself I moved to another computer...different operating system, different everything... telnet 1.2.3.4 80 - "GET /"...and nothing came up.... just to check... telnet www.google.com 80 - "GET /" and it returned all the google webpage content....

For some reason I looked to the first computer... telnet hadn't closed yet and something came up... about 100 bytes of the content of the web page turned up... I waited a bit longer and after 1 minute or so another chunk of web content came up...after a few minutes telnet eventually timed out not having received more that 400 bytes of the webpage.

So where is the problem?

At the ISP? I don't think soo, after all it works when I start the session from the router just not from my computers in my local network.

At the NAT process in the router? Well... tons of other sites work perfectly, google, yahoo, slashdot, etc....

at the webserver (1.2.3.4)? Well.. it would seem so, however I have the exact same problem with lots of sites, banking sites, government sites, even www.microsoft.com shows this problem!!!

Just when I was thinking things couldn't get any stranger, why went to the first computer and launched telnet once more... but didn't write "GET /" but instead "hET /" .... surprise... this command returns the correct web content, I can see the response from the web server stating I have issued an ilegal command.... So, not just this only happens with some sites, it only happens in computers behind the router, and it only happens if I issue a correct HTTP command.......

What have I done to try and solve this:

- Reviewed all my configuration;

- Removed and re-added everything I didn't knew what was in the configuration;

- Erased all the configuration and configured only the ATM , Dialer and FastEthernet interfaces so I could plug my laptop directly to the router not using any switch and staying  completely alone in the network...

Nothing solved my problem, I have another equipment similar to this using the same access technology and it works perfectly, I even copied the configuration from that other router to this one but it didn't solve...

I don't know what to think of this anymore.... Is the router processing my HTTP requests and for some reason doesn't likes some of the requests???

All help is welcome.

Thank you!

Everyone's tags (4)
7 REPLIES

Re: Nat problem (maybe....)

Are your not browsing via a proxy?

When you telnet from the PC what does the Routers CPU and Memory usage look like?

On the Router do the telnet again but this time specify one of your LAN interfaces as the source. Let me know your results.

James

Community Member

Re: Nat problem (maybe....)

Didn't remember to test from the router with a diferent source interface, tested it now and it works fine, no problems. I selected the same interface (sub-interface) that is connected to the network where my PC is.

The CPU load varies from 0% to 2% when the telnet is idle receiving chunks of the data and finally timming out.

No proxy is in use, no proxy is even installed in any part of the network, it's a very very simple network.

Community Member

Re: Nat problem (maybe....)

About the memory:

During telnet session:

xxxxxxxt#show memory  statistics
                    Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   62C8AC40    71783360    26074780    45708580    42119776    40122592
           I/O   E7100000    15728640     4154216    11574424    11559328    11574396

After telnet session dies:

xxxxxx#show memory  statistics
                      Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   62C8AC40    71783360    26074588    45708772    42119776    40122592
            I/O   E7100000    15728640     4154216    11574424    11559328    11574396

Thanks for the help!

Re: Nat problem (maybe....)

It's starting to sound like a fragmention issue. To confirm send 1500

byte pings to the webite from the computer. If it fails lower the byte

value to 1400 and try again.

Community Member

Re: Nat problem (maybe....)

The sites I was testing doesn't reply to pings, but I googled a few things and came up with http://distfiles.gentoo.org that has the same behavior and answers to pings.

xxxxxxx#ping distfiles.gentoo.org size 1500 repeat 100

Type escape sequence to abort.
Sending 100, 1500-byte ICMP Echos to 199.6.1.174, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 88/89/92 ms

No failures, no nothing... but from inside the network I just can't telnet to port 80 but from the router I can.... this is the copy paste from a ssh session in a server inside the network:

www ~ # telnet distfiles.gentoo.org 80
Trying 199.6.1.174...
Connected to distfiles.gentoo.org.
Escape character is '^]'.
ijusttypedanythinghere


501 Method Not Implemented

Method Not Implemented


awd to /index.html not supported.



Connection closed by foreign host.
www ~ # telnet distfiles.gentoo.org 80
Trying 199.6.1.174...
Connected to distfiles.gentoo.org.
Escape character is '^]'.
GET /

At this point it just stays idle............

Any more ideas?

Re: Nat problem (maybe....)

I actually wanted you to do the 1500 byte ping from the computer on the inside network. Give it a try and let me know your results.

Community Member

Re: Nat problem (maybe....)

That ping from the computer fails, however I solved the problem.

Someone gave me a hint about mss size of TCP, including this in the dialer interface solved everything:

ip tcp adjust-mss 1452

Does anyone now why??? Shouldn't the router warn me about dropped packets when they reach the maximum segment size? I did tons of debugging and did come across a single warning!

Anyhow ... Thanks for all the help!

673
Views
0
Helpful
7
Replies
CreatePlease to create content